[https://issues.apache.org/jira/browse/FLINK-37881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18039141#comment-18039141]
Gabor Somogyi commented on FLINK-37881:
---------------------------------------
[{{9d9b8ce}}|https://github.com/apache/flink-docker/commit/9d9b8ce5f1ded49ebb1c6ab3891275f855110a72] on dev-master
> Drop gosu in favour of Dockerfile's USER
> ----------------------------------------
>
> Key: FLINK-37881
> URL: https://issues.apache.org/jira/browse/FLINK-37881
> Project: Flink
> Issue Type: Improvement
> Components: flink-docker
> Affects Versions: 2.1.0
> Reporter: Avi Sanwal
> Priority: Minor
> Labels: pull-request-available
>
> This is a minor improvement from security standpoint on flink's docker image.
> If you see the dockerfile of flink's docker image, we are adding gosu:
> https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/Dockerfile#L27-L44
> This is later used to switch to the user flink in the entrypoint script:
> https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh#L37.
> Gosu itself is tagged by popular scanners as being vulnerable due to outdated
> golang usage (though gosu itself is not).
> Instead of using gosu/su-exec, it may be preferable to switch to the flink user
> using {{USER flink}} or something similar in the Dockerfile. This way we could
> avoid depending on gosu, and present a cleaner scan result.
> While this does not really solve any vulnerabilities in the system, it can
> help satisfy auditors against false positive reports provided by heuristic
> scanners.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
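As an added illustration of the change the issue proposes (this is not the flink-docker project's own Dockerfile or entrypoint), the fragment below shows the image switching to the flink user at build time with `USER` instead of installing gosu and dropping privileges in the entrypoint. The base image, the numeric uid/gid 9999, the `/opt/flink` install path and the shape of `docker-entrypoint.sh` are assumptions for the example.

```dockerfile
# Added example (assumed base image and paths), not the flink-docker Dockerfile.
FROM eclipse-temurin:17-jre-jammy

# Create the runtime user with a fixed uid/gid (assumed values). A numeric uid
# lets runtime policy such as Kubernetes runAsNonRoot be checked without a
# name lookup inside the container.
RUN groupadd --system --gid=9999 flink && \
    useradd --system --home-dir /opt/flink --uid=9999 --gid=flink flink

# Previously this stage downloaded gosu (a statically linked Go binary) so the
# entrypoint, still running as root, could `exec gosu flink "$@"`. Scanners
# flag that binary by its embedded Go version even when gosu itself has no
# known issue. With USER below, gosu is simply not installed.

# Anything the root entrypoint used to chown at start-up must now be owned
# correctly at build time, because the entrypoint no longer runs as root.
RUN mkdir -p /opt/flink/log && chown -R flink:flink /opt/flink
COPY --chown=flink:flink docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod 0755 /docker-entrypoint.sh

# Switch user for every later RUN instruction and for the running container.
USER flink
WORKDIR /opt/flink

# Assumed entrypoint: with the user already switched, it ends with a plain
#   exec "$@"
# instead of
#   exec gosu flink "$@"
ENTRYPOINT ["/docker-entrypoint.sh"]
```

After building, `docker run --rm <image> id -u` should print `9999` without the entrypoint doing any privilege drop. The trade-off to plan for: volumes mounted at runtime can no longer be chown-ed by the entrypoint, so their ownership must be set by the host, the orchestrator (for example a Kubernetes `fsGroup`), or `docker run --user`.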