avi-sanwal opened a new pull request, #225: URL: https://github.com/apache/flink-docker/pull/225
This is a minor improvement from a security standpoint on Flink's Docker image. In the Dockerfile of Flink's Docker image, we are adding gosu: https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/Dockerfile#L27-L44

This is later used to switch to the user flink in the entrypoint script: https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh#L37

Gosu itself is tagged by popular scanners as being vulnerable due to outdated Golang usage (though gosu itself is not). Instead of using gosu/su-exec, it may be preferable to switch to the flink user using USER flink or something similar in the Dockerfile. This way we could avoid depending on gosu and present a cleaner scan result.

While this does not really solve any vulnerabilities in the system, it can help satisfy auditors against false-positive reports provided by heuristic scanners.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
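The change the PR proposes, as an added illustration that is not the apache/flink-docker Dockerfile and not code from the PR author: the privilege drop moves from a runtime gosu call in the entrypoint to a build-time USER instruction. The base image, FLINK_HOME, the uid/gid 9999 and the directory names below are assumptions chosen to resemble the upstream layout, not copied from it; the Flink distribution download step is elided on purpose.

```dockerfile
# Added example, not the apache/flink-docker Dockerfile. Base image, paths,
# uid/gid and directory names are assumptions, not taken from the project.
FROM eclipse-temurin:17-jre-jammy

ENV FLINK_HOME=/opt/flink
WORKDIR $FLINK_HOME

# Create the unprivileged account at build time. A fixed uid/gid keeps file
# ownership stable across rebuilds and predictable for bind-mounted volumes.
RUN groupadd --system --gid=9999 flink \
 && useradd --system --home-dir "$FLINK_HOME" --uid=9999 --gid=flink flink

# ... download, checksum-verify and unpack the Flink distribution into
#     $FLINK_HOME here (omitted in this example) ...

# Everything the process must write to (conf/, log/, plugins/) is chown'ed
# now, while the build is still root. With gosu, the entrypoint could do this
# lazily at start-up because it ran as root until the exec; without gosu this
# layer is the last point at which root is available.
RUN mkdir -p "$FLINK_HOME/log" "$FLINK_HOME/plugins" \
 && chown -R flink:flink "$FLINK_HOME"

# Assumed entrypoint: it must no longer call gosu/su-exec, it just configures
# and exec's the Flink process as whatever user it was started as.
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 6123 8081

# The privilege drop is now an image property rather than a runtime step:
# no gosu binary to ship or scan, and `docker run` without --user starts the
# process as uid 9999 instead of root.
USER flink
CMD ["help"]
```

Two checks after building: `docker inspect --format '{{.Config.User}}' <image>` should print `flink`, and `docker run --rm --entrypoint id <image> -u` should print `9999`. The caveat a reviewer would raise is the one the gosu pattern was covering: anything the entrypoint did as root before switching user (fixing ownership of a volume mounted at runtime, writing generated config into conf/) is no longer possible once USER flink is set, so those steps must either move into the image at build time, as above, or be handled by whoever starts the container (for example with a matching --user or volume ownership prepared on the host).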
