Merge pull request #144 from wiremock/replace-gosu-with-setpriv

tomakehurst · web-flow · commit abb84f362790 · 2026-03-11T13:16:55.000Z
Replace gosu with setpriv to eliminate Go stdlib CVEs and upgrade base deps to avoid further vulns
diff --git a/.github/workflows/ci-4.x-beta.yml b/.github/workflows/ci-4.x-beta.yml
@@ -72,9 +72,11 @@ jobs:
         working-directory: test/integration-tests
         run: mvn -B -ntp package verify --file pom.xml -DargLine="-Dit.wiremock-image=${{ matrix.versions.TAGS[0] }}"
 
-  container-image-scan:
-    uses: ./.github/workflows/container-image-scan.yml
-    needs: docker-build
-    with:
-      image_version: latest
-    secrets: inherit
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ matrix.versions.TAGS[0] }}
+          command: test
+          args: --file=${{ matrix.versions.CONTEXT }}/Dockerfile --severity-threshold=high --fail-on=upgradable --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --policy-path=${{ matrix.versions.CONTEXT }}/.snyk
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -72,9 +72,11 @@ jobs:
         working-directory: test/integration-tests
         run: mvn -B -ntp package verify --file pom.xml -DargLine="-Dit.wiremock-image=${{ matrix.versions.TAGS[0] }}"
 
-  container-image-scan:
-    uses: ./.github/workflows/container-image-scan.yml
-    needs: docker-build
-    with:
-      image_version: latest
-    secrets: inherit
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ matrix.versions.TAGS[0] }}
+          command: test
+          args: --file=${{ matrix.versions.CONTEXT }}/Dockerfile --severity-threshold=high --fail-on=upgradable --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --policy-path=${{ matrix.versions.CONTEXT }}/.snyk
diff --git a/Dockerfile b/Dockerfile
@@ -5,45 +5,9 @@ LABEL maintainer="Rodolphe CHAIGNEAU <rodolphe.chaigneau@gmail.com>"
 
 ARG WIREMOCK_VERSION=4.0.0-beta.29
 ENV WIREMOCK_VERSION=$WIREMOCK_VERSION
-ENV GOSU_VERSION=1.19
 
 WORKDIR /home/wiremock
 
-# grab gosu for easy step-down from root
-RUN set -eux; \
-  # save list of currently installed packages for later so we can clean up
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends ca-certificates wget; \
-	if ! command -v gpg; then \
-		apt-get install -y --no-install-recommends gnupg2 dirmngr; \
-	elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
-  # "This package provides support for HKPS keyservers." (GnuPG 1.x only)
-		apt-get install -y --no-install-recommends gnupg-curl; \
-	fi; \
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	\
-  # verify the signature
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	command -v gpgconf && gpgconf --kill all || :; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	\
-  # clean up fetch dependencies
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	\
-	chmod +x /usr/local/bin/gosu; \
-  # verify that the binary works
-	gosu --version; \
-	gosu nobody true
-
 # grab wiremock standalone jar
 RUN mkdir -p /var/wiremock/lib/ \
   && curl https://repo1.maven.org/maven2/org/wiremock/wiremock-standalone/$WIREMOCK_VERSION/wiremock-standalone-$WIREMOCK_VERSION.jar \
diff --git a/alpine/Dockerfile b/alpine/Dockerfile
@@ -8,11 +8,9 @@ ENV WIREMOCK_VERSION=$WIREMOCK_VERSION
 
 WORKDIR /home/wiremock
 
-RUN apk add --update openssl
+RUN apk update && apk upgrade
 
-# grab su-exec for easy step-down from root
-# and bash
-RUN apk add --no-cache 'su-exec>=0.2' bash
+RUN apk add --no-cache openssl bash
 
 # grab wiremock standalone jar
 RUN mkdir -p /var/wiremock/lib/ \
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -11,7 +11,7 @@ fi
 if [ "$uid" != "" ]; then
   # Change the ownership of /home/wiremock to $uid
   chown -R $uid:$uid /home/wiremock
-  set -- gosu $uid:$uid "$@"
+  set -- setpriv --reuid=$uid --regid=$uid --init-groups "$@"
 fi
 
 exec "$@" $WIREMOCK_OPTIONS
