
Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys #154

Open · wants to merge 1 commit into base: master
Conversation

vkamlesh

No description provided.

@vkamlesh vkamlesh changed the title Upgrade pkg github.com/moby/sys/user and golang.org/x/sys version Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys Dec 19, 2024
@tianon (Owner)

tianon commented Dec 19, 2024

See https://github.com/tianon/gosu/blob/master/SECURITY.md#version-updates

(I don't believe there have been any actual functional updates to the code we use that warrant updating)

@Bezuhlyi

Bezuhlyi commented Jan 28, 2025

@tianon Maybe releasing a version that consists of two parts (functional version + golang version -> gosu-1.17_1.23.4) could help with the concern that if there are no functional changes, you should not release the new version just because of the newer golang used for the build? Similar to how they version Flink images.

I'd deeply appreciate having the option to download the newer version of gosu and put it on top of the Flink image rather than wasting time on requesting and justifying an exception for the dozens of golang vulnerabilities highlighted by the JFrog Xray scanner. It's a common request, after all; let's have some solution.

Guides like this one, https://internetworking.dev/mitigating-gosu-security-concerns/, are crazy.

//cc @vkamlesh

@m0t1x

m0t1x commented Jan 29, 2025

Maybe, from the functionality point of view, the vulnerabilities detected are not a threat, since the docker build process is a local process and maybe gosu is not using the functionality reported by the scanner. Still, using a Golang release which is almost 3 years old, and because the whole update process is really not a complex task, I think it is worthwhile to do this update. As suggested by @Bezuhlyi, using a Docker-like tag convention app-ver_os-ver, which in your case could be app-ver_go-ver, is a pretty good idea.

4 participants