#general

Kevin Wang

11/14/2023, 10:25 PM
There is a binary file named gosu in the wiremock docker image. Does anyone know what it is used for? It seems to introduce a lot of security vulnerability issues.

Oleg Nenashev

11/15/2023, 5:54 AM
Hello. It is a wrapper for managing users and permissions in POSIX systems https://github.com/tianon/gosu
If you suspect any security issue introduced by it, see the reporting process here: https://github.com/wiremock/.github/blob/main/SECURITY.md

Kevin Wang

11/15/2023, 1:55 PM
@Oleg Nenashev thanks for your explanation. Do you know if that gosu relates to any functionality of WireMock? Or does it only matter for building the Docker image? I saw the WireMock Dockerfile is using it.

Oleg Nenashev

11/15/2023, 1:59 PM
It configures the permissions inside the image during the build, that's it

Kevin Wang

11/15/2023, 4:11 PM
Got it. BTW, I notice there are two Docker images for WireMock, wiremock/wiremock and holomekc/wiremock-gui; they seem to come from different organizations. Are they all official images from WireMock?

Oleg Nenashev

11/15/2023, 4:12 PM
Only wiremock/wiremock is official

Kevin Wang

11/15/2023, 4:13 PM
Why is the WireMock Helm chart operator using the holomekc/wiremock-gui image?

Oleg Nenashev

11/15/2023, 4:15 PM
Because the new version is yet to be released. We haven't yet released the official version of the Helm chart, only moved the repo. See the pull requests

Kevin Wang

11/15/2023, 4:18 PM
I see. Does WireMock have a plan to support a GUI like what the project holomekc/wiremock-gui does?

Oleg Nenashev

11/15/2023, 4:21 PM
The plan always depends on contributions

Kevin Wang

11/15/2023, 4:43 PM
That's true. Thanks for the answers

Oleg Nenashev

11/15/2023, 4:45 PM
There are multiple open source implementations of the user interface, but none of them is official at the moment. You can find the links in GitHub.com/WireMock/ecosystem
👍 1

Kevin Wang

11/15/2023, 6:33 PM
got it. thanks
👍 1

Makakmayum Amir Sidik

11/28/2023, 7:44 AM
Hi @Oleg Nenashev, regarding these vulnerabilities, can we upgrade the gosu package from the current 1.14 to 1.17, as this fixes our vulnerabilities for now? I have already prepared a PR for the same. Thanks

Oleg Nenashev

11/28/2023, 8:56 AM
Yes, I think so. A PR would be appreciated

Makakmayum Amir Sidik

11/28/2023, 9:14 AM
Hi @Oleg Nenashev, thank you for the reply. Can you please approve this PR, which is raised for the above-mentioned issue? Thank you https://github.com/wiremock/wiremock-docker/pull/97
👍 1

Oleg Nenashev

11/28/2023, 2:44 PM
Please note that none of these vulnerabilities are really related to gosu. All CVEs point to Golang/Go. I do not mind updating, but so far I do not consider it a security issue
I mean, gosu does not have full golang bundled

Makakmayum Amir Sidik

11/29/2023, 3:59 PM
Still, the gosu package uses the Go language, and the vulnerabilities we saw at the moment are all pointing to the gosu package. And for the moment we can upgrade the package version.

Oleg Nenashev

11/29/2023, 5:27 PM
Yep, I hope to release it tonight if the bigger test suite passes