From 58c7bd831a6f8620e440bab83e17d277301c525a Mon Sep 17 00:00:00 2001
From: Maurice
Date: Mon, 15 Jun 2026 10:38:01 +0200
Subject: [PATCH] build(docker): rebuild gosu with a current Go toolchain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Debian's apt gosu ships an old Go stdlib that the image CVE scan flags (1 critical + several high, all in golang/stdlib). Build gosu from source with a current Go toolchain and copy the static binary in instead; the runtime behaviour is unchanged — gosu still drops root to node at startup.
---
 Dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 5d4c2031..70afd237 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,10 @@
+# ── Stage 0: gosu ────────────────────────────────────────────────────────────
+# Rebuild gosu with a current Go toolchain so the runtime image ships no stale
+# Go stdlib (Debian's apt gosu is built with an old Go that trips CVE scanners).
+# The binary and its runtime behaviour are identical to the apt package.
+FROM golang:1.25-alpine AS gosu-build
+RUN CGO_ENABLED=0 GOBIN=/out go install github.com/tianon/gosu@latest
+
 # ── Stage 1: shared ──────────────────────────────────────────────────────────
 FROM node:24-alpine AS shared-builder
 WORKDIR /app
@@ -44,7 +51,7 @@ COPY server/package.json ./server/
 # amd64 — static binary from KDE CDN (glibc 2.17+; wget stays for healthcheck)
 # arm64 — apt package (KDE publishes no arm64 static binary)
 RUN apt-get update && \
- apt-get install -y --no-install-recommends tzdata dumb-init gosu wget ca-certificates python3 build-essential && \
+ apt-get install -y --no-install-recommends tzdata dumb-init wget ca-certificates python3 build-essential && \
 npm ci --workspace=server --omit=dev && \
 ARCH=$(dpkg --print-architecture) && \
 if [ "$ARCH" = "amd64" ]; then \
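Review bot: `go install github.com/tianon/gosu@latest` on the new stage-0 RUN line makes the build non-reproducible: each rebuild resolves `@latest` against the module proxy at build time, so two builds of the same commit can ship different gosu versions, and the scan result this commit is trying to stabilise depends on whatever `@latest` resolves to that day. Pin the module, `RUN CGO_ENABLED=0 GOBIN=/out go install github.com/tianon/gosu@<pinned-tag>` (pick a tag), so the checksum-database verification `go install` performs applies to a known version and a later upstream release cannot silently change the image. The same reasoning argues for pinning `golang:1.25-alpine` by digest, since the toolchain version is exactly what the scanner inspects. The stage comment's claim that the binary is "identical to the apt package" is stronger than the diff supports — the upstream version may differ from the one Debian packages — so `# Functionally equivalent to Debian's gosu package, built from upstream source with a current Go.` would be more accurate.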
@@ -60,6 +67,9 @@ RUN apt-get update && \
 apt-get autoremove -y && \
 rm -rf /var/lib/apt/lists/* /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# gosu rebuilt with a current Go toolchain (stage 0) — used by CMD to drop to node.
+COPY --from=gosu-build /out/gosu /usr/local/bin/gosu
+
 ENV XDG_CACHE_HOME=/tmp/kf6-cache
 # Prevent Qt from probing for a display in headless containers.
 ENV QT_QPA_PLATFORM=offscreen
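Review bot: The new COPY places gosu at `/usr/local/bin/gosu`, while the apt package it replaces installed it elsewhere (under `/usr/sbin`, if I recall Debian's layout correctly), and the only consumer the comment names — the CMD that drops to node — is outside this hunk, so it is worth confirming that CMD and any entrypoint script invoke `gosu` by bare name through PATH rather than by the old absolute path. A smoke test in the same stage, `RUN gosu --version && gosu nobody true`, would fail the build early if the copy path is wrong or the static binary does not run on this base, instead of failing at container start. COPY from a build stage keeps the file's mode bits and lands it root-owned by default, which is what a privilege-dropping helper should look like (not writable by the unprivileged runtime user), so no `--chown` should be added here.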