[FOLIO-1722] Update FOLIO Docker image: Alpine 3.10, openjdk-jre-base 8.222, agent-bond 1.2.0. Created: 21/Jan/19  Updated: 11/Aug/20  Resolved: 28/Nov/19

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug
Priority: P2
Reporter: Julian Ladisch
Assignee: Julian Ladisch
Resolution: Done
Votes: 0
Labels: back-end, ci, core, platform-backlog, security, sprint55
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-1544 switch to Alpine to shrink docker con... Closed
is blocked by FOLIO-1724 Test updated alpine base FOLIO Docker... Closed
Relates
relates to FOLIO-2367 Remove openjdk8-jre-alpine Closed
relates to FOLIO-1941 SPIKE: Revisit approach to the FOLIO ... Closed
relates to UXPROD-1821 3rd party dependency upgrades (Q4 2019) Closed
relates to UXPROD-2214 3rd party dependency upgrades (Q1 2020) Closed
Sprint:
Story Points: 2
Development Team: Core: Platform
Tester Assignee: John Malconian

 Description   

The Alpine base FOLIO Docker image uses Alpine 3.5: https://github.com/folio-org/folio-tools/blob/76aa61f/folio-java-docker/openjdk8/Dockerfile.openjdk8-jre-alpine

Alpine 3.5 has been out of support since 2018-11-01 and receives no security updates:
https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases

Alpine 3.5 uses linux-vanilla 4.4.59-r1 that has more than 150 known security vulnerabilities: https://www.cvedetails.com/version/221677/Linux-Linux-Kernel-4.4.59.html

Alpine 3.5 uses openjdk8 8.191 that has more than 25 security vulnerabilities:
https://pkgs.alpinelinux.org/packages?name=openjdk8&branch=v3.5
https://openjdk.java.net/groups/vulnerability/advisories/2019-10-15
https://openjdk.java.net/groups/vulnerability/advisories/2019-07-16
https://openjdk.java.net/groups/vulnerability/advisories/2019-04-16

Alpine 3.5 uses curl 7.61.1 that has 10 known security vulnerabilities: https://curl.haxx.se/docs/vuln-7.61.1.html

Alpine 3.5 uses busybox 1.25.1 that has 2 known security vulnerabilities: https://www.cvedetails.com/version/257068/Busybox-Busybox-1.25.1.html

Using the fabric8 image as a base will automatically update Alpine,
openjdk and agent-bond.



 Comments   
Comment by Julian Ladisch [ 21/Jan/19 ]

John Malconian: The pull request is ready for code review; if OK, please merge: https://github.com/folio-org/folio-tools/pull/60

Comment by Julian Ladisch [ 30/Sep/19 ]

Note that there is a dedicated issue for reviewing the pull request: https://folio-org.atlassian.net/browse/FOLIO-1724

Comment by David Crossley [ 28/Nov/19 ]

Closed. This was subsequently handled by FOLIO-2358 (Closed) and FOLIO-2334 (Closed).
