[FOLIO-2367] Remove openjdk8-jre-alpine Created: 28/Nov/19  Updated: 03/Jun/20  Resolved: 07/May/20

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug
Priority: P3
Reporter: Julian Ladisch
Assignee: David Crossley
Resolution: Done
Votes: 0
Labels: platform-backlog, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to OKAPI-786 Upgrade Dockerfile base docker image ... Closed
relates to FOLIO-1722 Update FOLIO Docker image: Alpine 3.1... Closed
relates to FOLIO-2334 Spike: Investigate using JVM features... Closed
relates to FOLIO-2358 Use JVM features (UseContainerSupport... Closed
Sprint: DevOps: sprint 87, DevOps: sprint 88, CP: sprint 79, DevOps: sprint 82, DevOps: sprint 83
Development Team: FOLIO DevOps

 Description   

Security vulnerabilities

The openjdk8-jre-alpine Docker image uses Alpine 3.5: https://github.com/folio-org/folio-tools/blob/76aa61f/folio-java-docker/openjdk8/Dockerfile.openjdk8-jre-alpine

Alpine 3.5 has been out of support since 2018-11-01 and gets no security updates:
https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases

Alpine 3.5 uses linux-vanilla 4.4.59-r1 that has more than 150 known security vulnerabilities: https://www.cvedetails.com/version/221677/Linux-Linux-Kernel-4.4.59.html

Alpine 3.5 uses openjdk8 8.191 that has more than 25 security vulnerabilities: https://pkgs.alpinelinux.org/packages?name=openjdk8&branch=v3.5 https://openjdk.java.net/groups/vulnerability/advisories/2019-10-15 https://openjdk.java.net/groups/vulnerability/advisories/2019-07-16 https://openjdk.java.net/groups/vulnerability/advisories/2019-04-16

Alpine 3.5 uses curl 7.61.1 that has 10 known security vulnerabilities: https://curl.haxx.se/docs/vuln-7.61.1.html

Alpine 3.5 uses busybox 1.25.1 that has 2 known security vulnerabilities: https://www.cvedetails.com/version/257068/Busybox-Busybox-1.25.1.html

Solution

It was decided (see FOLIO-1722) that the openjdk8-jre-alpine Docker image has reached end of life and all modules should switch to the alpine-jre-openjdk8 Docker image, which does not have known vulnerabilities: https://github.com/folio-org/folio-tools/blob/6118b46/folio-java-docker/openjdk8/Dockerfile.alpine-jre-openjdk8

Open tasks

A) Add End of Life notices and upgrade notes to

B) After all modules have switched to alpine-jre-openjdk8 and FOLIO Edelweiss has been released remove openjdk8-jre-alpine from
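
A CI check for the condition this issue reports, a Dockerfile whose base image is an Alpine branch past its end of support. This is an added example, not part of the original issue or of folio-tools. The function name, the EOL table layout and the sample Dockerfile are assumptions; only the Alpine 3.5 date is taken from the issue.

```python
import re
from datetime import date

# End-of-support date per Alpine branch. Only the 3.5 date comes from the issue;
# add other branches from the Alpine releases page it links to.
ALPINE_EOL = {"3.5": date(2018, 11, 1)}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE,
)

# Constructed sample Dockerfile (not the folio-tools file).
SAMPLE = """\
# constructed sample
FROM --platform=linux/amd64 alpine:3.5 AS base
RUN apk add --no-cache openjdk8-jre
FROM base
COPY app.jar /app.jar
FROM docker.io/library/alpine:3.5.2
"""


def eol_base_images(dockerfile_text, today):
    """Return (line_no, image, eol_date) for each FROM on an end-of-life Alpine branch."""
    findings, stages = [], set()
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        is_stage_ref = image.lower() in stages  # "FROM base" reuses an earlier stage
        if m.group("alias"):
            stages.add(m.group("alias").lower())
        if is_stage_ref:
            continue
        # Drop registry/namespace prefix and any @sha256 digest, keep "alpine:<tag>".
        name = image.rsplit("/", 1)[-1].split("@", 1)[0]
        tag = re.fullmatch(r"alpine:(\d+\.\d+)(?:\.\d+)?", name)
        if not tag:
            continue
        eol = ALPINE_EOL.get(tag.group(1))
        if eol is not None and today >= eol:
            findings.append((line_no, image, eol))
    return findings


if __name__ == "__main__":
    for line_no, image, eol in eol_base_images(SAMPLE, date.today()):
        print(f"line {line_no}: {image} has been out of support since {eol}")
```

Branches missing from `ALPINE_EOL` are not reported, so the table has to be kept current for the check to stay meaningful.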



 Comments   
Comment by David Crossley [ 18/Dec/19 ]

Done Part A.

Comment by David Crossley [ 04/May/20 ]

In folio-tools/pull/104:

Removed the old deprecated Dockerfiles:
Dockerfile.openjdk8-jre
Dockerfile.openjdk8-jre-alpine

Now only using Dockerfile.alpine-jre-openjdk8

Comment by Julian Ladisch [ 04/May/20 ]

Thanks!

Comment by David Crossley [ 07/May/20 ]

Now removed both of those deprecated images from Docker Hub.

Thanks for your help Julian.

Generated at Thu Feb 08 23:20:09 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.