[
https://issues.apache.org/jira/browse/FLINK-37881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gabor Somogyi reassigned FLINK-37881:
-------------------------------------
Assignee: Achim Willems
> Drop gosu in favour of Dockerfile's USER
> ----------------------------------------
>
> Key: FLINK-37881
> URL: https://issues.apache.org/jira/browse/FLINK-37881
> Project: Flink
> Issue Type: Improvement
> Components: flink-docker
> Affects Versions: 2.1.0
> Reporter: Avi Sanwal
> Assignee: Achim Willems
> Priority: Minor
> Labels: pull-request-available
>
> This is a minor improvement from a security standpoint on Flink's Docker image.
> If you look at the Dockerfile of Flink's Docker image, we are adding gosu:
> https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/Dockerfile#L27-L44
> This is later used to switch to the user flink in the entrypoint script:
> https://github.com/apache/flink-docker/blob/6e226503dbb228467905c70ccfb6f33f4c676872/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh#L37.
> Gosu itself is tagged by popular scanners as being vulnerable due to outdated
> golang usage (though gosu itself is not).
> Instead of using gosu/su-exec, it may be preferable to switch to the flink user
> using {{USER flink}} or something similar in the Dockerfile. This way we could
> avoid depending on gosu, and present a cleaner scan result.
> While this does not really solve any vulnerabilities in the system, it can
> help satisfy auditors against false positive reports provided by heuristic
> scanners.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
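The change the issue proposes, shown as an added example that is not the flink-docker project's own Dockerfile: a minimal Ubuntu-based image that drops the build-time gosu download and the late `exec gosu flink "$@"` switch in the entrypoint, and instead does all root-only work during the build and then sets USER. The base image, the UID/GID, the `/opt/flink` layout, the `flink-dist/` build context directory and the entrypoint file name are assumptions for illustration.

```dockerfile
# Added example (not the flink-docker project's Dockerfile). Base image, paths,
# UID/GID and file names are assumptions chosen for illustration.
FROM ubuntu:22.04

ENV FLINK_HOME=/opt/flink

# Unprivileged service account with a fixed, numeric UID/GID so ownership of
# mounted volumes is predictable across hosts.
RUN groupadd --system --gid 9999 flink \
 && useradd --system --uid 9999 --gid flink \
        --home-dir $FLINK_HOME --shell /usr/sbin/nologin flink

# --- BEFORE: the pattern the issue wants to drop ----------------------------
# The image would download a gosu binary here (a statically linked Go program),
# keep running as root, and the entrypoint would switch user at start-up with
#     exec gosu flink "$@"
# Scanners read the Go toolchain version embedded in the gosu binary and report
# that toolchain's CVEs against the image, even though nothing in the image
# runs that Go code except gosu's own few lines.
#
# RUN <download gosu into /usr/local/bin/gosu and verify its signature>   # removed

# --- AFTER: no gosu; everything that needs root happens at build time --------
COPY --chown=9999:9999 flink-dist/ $FLINK_HOME/
RUN mkdir -p $FLINK_HOME/log $FLINK_HOME/conf \
 && chown -R 9999:9999 $FLINK_HOME

# The entrypoint no longer needs root: it edits config under $FLINK_HOME,
# which the flink user owns, and ends with a plain `exec "$@"`.
COPY --chown=9999:9999 --chmod=0755 docker-entrypoint.sh /docker-entrypoint.sh

WORKDIR $FLINK_HOME

# Numeric rather than `USER flink`: Kubernetes' runAsNonRoot admission check
# rejects images whose USER is a non-numeric name it cannot resolve.
USER 9999:9999

ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["help"]
```

Check the result with `docker run --rm --entrypoint id <image>`; it should report uid 9999 rather than 0. Two caveats a practitioner will hit: `COPY --chmod` needs BuildKit, and once USER is set the entrypoint can no longer `chown` a bind-mounted volume at start-up, so volumes must be mounted already owned by UID 9999 (or fixed by an init container), which is exactly the work gosu's root phase used to do.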