Skip to content

Replace gosu with setpriv to eliminate Go stdlib CVEs and upgrade base deps to avoid further vulns #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tomakehurst merged 3 commits into from
Mar 11, 2026
Merged

Replace gosu with setpriv to eliminate Go stdlib CVEs and upgrade base deps to avoid further vulns #144

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8484f92
Replace gosu with setpriv to eliminate Go stdlib CVEs
tomakehurst Mar 11, 2026
24c0569
Upgrade Alpine packages to fix high-severity CVEs in container image
tomakehurst Mar 11, 2026
c100031
Start scanning the just-produced image in CI, not the one in the repo
tomakehurst Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions .github/workflows/ci-4.x-beta.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,9 +72,11 @@ jobs:
working-directory: test/integration-tests
run: mvn -B -ntp package verify --file pom.xml -DargLine="-Dit.wiremock-image=${{ matrix.versions.TAGS[0] }}"

container-image-scan:
uses: ./.github/workflows/container-image-scan.yml
needs: docker-build
with:
image_version: latest
secrets: inherit
- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ matrix.versions.TAGS[0] }}
command: test
args: --file=${{ matrix.versions.CONTEXT }}/Dockerfile --severity-threshold=high --fail-on=upgradable --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --policy-path=${{ matrix.versions.CONTEXT }}/.snyk
14 changes: 8 additions & 6 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,9 +72,11 @@ jobs:
working-directory: test/integration-tests
run: mvn -B -ntp package verify --file pom.xml -DargLine="-Dit.wiremock-image=${{ matrix.versions.TAGS[0] }}"

container-image-scan:
uses: ./.github/workflows/container-image-scan.yml
needs: docker-build
with:
image_version: latest
secrets: inherit
- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ matrix.versions.TAGS[0] }}
command: test
args: --file=${{ matrix.versions.CONTEXT }}/Dockerfile --severity-threshold=high --fail-on=upgradable --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --policy-path=${{ matrix.versions.CONTEXT }}/.snyk
36 changes: 0 additions & 36 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,45 +5,9 @@ LABEL maintainer="Rodolphe CHAIGNEAU <rodolphe.chaigneau@gmail.com>"

ARG WIREMOCK_VERSION=4.0.0-beta.29
ENV WIREMOCK_VERSION=$WIREMOCK_VERSION
ENV GOSU_VERSION=1.19

WORKDIR /home/wiremock

# grab gosu for easy step-down from root
RUN set -eux; \
# save list of currently installed packages for later so we can clean up
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates wget; \
if ! command -v gpg; then \
apt-get install -y --no-install-recommends gnupg2 dirmngr; \
elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
# "This package provides support for HKPS keyservers." (GnuPG 1.x only)
apt-get install -y --no-install-recommends gnupg-curl; \
fi; \
rm -rf /var/lib/apt/lists/*; \
\
dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
\
# verify the signature
export GNUPGHOME="$(mktemp -d)"; \
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
command -v gpgconf && gpgconf --kill all || :; \
rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
\
# clean up fetch dependencies
apt-mark auto '.*' > /dev/null; \
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
\
chmod +x /usr/local/bin/gosu; \
# verify that the binary works
gosu --version; \
gosu nobody true

# grab wiremock standalone jar
RUN mkdir -p /var/wiremock/lib/ \
&& curl https://repo1.maven.org/maven2/org/wiremock/wiremock-standalone/$WIREMOCK_VERSION/wiremock-standalone-$WIREMOCK_VERSION.jar \
Expand Down
6 changes: 2 additions & 4 deletions alpine/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,9 @@ ENV WIREMOCK_VERSION=$WIREMOCK_VERSION

WORKDIR /home/wiremock

RUN apk add --update openssl
RUN apk update && apk upgrade

# grab su-exec for easy step-down from root
# and bash
RUN apk add --no-cache 'su-exec>=0.2' bash
RUN apk add --no-cache openssl bash

# grab wiremock standalone jar
RUN mkdir -p /var/wiremock/lib/ \
Expand Down
2 changes: 1 addition & 1 deletion docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ fi
if [ "$uid" != "" ]; then
# Change the ownership of /home/wiremock to $uid
chown -R $uid:$uid /home/wiremock
set -- gosu $uid:$uid "$@"
set -- setpriv --reuid=$uid --regid=$uid --init-groups "$@"
fi

exec "$@" $WIREMOCK_OPTIONS
Loading