There is binary file named `gosu` in the wiremock ...
# general
k
There is a binary file named `gosu` in the wiremock docker image. Does anyone know what it is used for? It seems to introduce a lot of security vulnerability issues.
o
Hello. It is a wrapper for managing users and permissions on POSIX systems: https://github.com/tianon/gosu
If you suspect any security issue introduced by it, see the reporting process here: https://github.com/wiremock/.github/blob/main/SECURITY.md
k
@Oleg Nenashev thanks for your explanation. Do you know if that `gosu` relates to any functionality of WireMock, or does it only matter for building the docker image? I saw the WireMock Dockerfile is using it.
o
It configures the permissions inside the image during the build, that's it.
k
Got it. Btw, I notice there are two docker images for wiremock, `wiremock/wiremock` and `holomekc/wiremock-gui`; they seem to come from different organizations. Are they both official images from WireMock?
o
Only `wiremock/wiremock` is official.
k
Why is the wiremock helm chart operator using the `holomekc/wiremock-gui` image?
o
Because the new version is yet to be released. We haven't yet released the official version of the Helm chart, only moved the repo. See the pull requests.
k
I see. Does WireMock have a plan to support a GUI like what the project `holomekc/wiremock-gui` does?
o
The plan always depends on contributions.
k
That's true. Thanks for the answers.
o
There are multiple open source implementations of the user interface, but none of them is official at the moment. You can find the links in GitHub.com/WireMock/ecosystem.
k
Got it. Thanks.
m
Hi @Oleg Nenashev, regarding these vulnerabilities, can we upgrade the gosu package from the current 1.14 to 1.17, as this fixes our vulnerabilities for now? I have already prepared a PR for the same. Thanks
o
Yes, I think so. A PR would be appreciated.
m
Hi @Oleg Nenashev, thank you for the reply. Can you please approve this PR, which was raised for the above-mentioned issue? Thank you. https://github.com/wiremock/wiremock-docker/pull/97
o
Please note that none of these vulnerabilities are really related to `gosu`. All CVEs point to Golang/Go. I do not mind updating, but so far I do not consider it a security issue.
I mean, gosu does not have the full Golang bundled.
m
Still, the gosu package uses the Go language, and the vulnerabilities we saw at the moment are all pointing to the gosu package. And for the moment we can upgrade the package version.
o
Yep, I hope to release it tonight if the bigger test suite passes.
m
Thank you. Please do let me know if it does pass.
Hi @Oleg Nenashev, can I please get a review on this PR so we can merge it? Thanks
o
Yeah, sorry for the delay. I will do my best to catch up on all stuck PRs across the repositories this afternoon.
m
Thank you. The PR checks are failing: docker-build has failed. Please have a look.
o