[FOLIO-3500] Remove folio-java-docker workarounds for zlib Created: 12/May/22  Updated: 27/Jun/22  Resolved: 27/Jun/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: David Crossley Assignee: David Crossley
Resolution: Duplicate Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3480 folioci/alpine-jre-openjdk11:1.3.1 Zi... Closed
relates to FOLIO-3487 folioci/alpine-jre-openjdk11: apk upg... Closed
relates to FOLIO-3499 Create new folioci/alpine-jre-openjdk... Closed
relates to FOLIO-3529 Rebuild folioci/alpine-jre-openjdk11 ... Closed
Sprint: DevOps Sprint 142
Development Team: FOLIO DevOps
RCA Group: TBD

Description

With FOLIO-3480 (Closed) and FOLIO-3487 (Closed) we needed to add a workaround for the zlib ZipException on Windows.

As of 2022-05-12 that fix is still not in eclipse-temurin:11-jre-alpine or eclipse-temurin:17-jre-alpine.
Update 2022-06-24: Both eclipse-temurin versions were updated two days ago, so they should now contain this zlib fix.

When it is available, remove the workaround from the Dockerfile of both folio-tools/folio-java-docker/openjdk11 and folio-tools/folio-java-docker/openjdk17, and re-build.



Comments
Comment by Julian Ladisch [ 24/Jun/22 ]

I don't see "apk upgrade" as workaround.

To the contrary, this is a good security measure.

To foster caching of Docker layers the alpine and the temurin image don't use "apk upgrade" and therefore may contain outdated packages with bugs and security vulnerabilities.

It's the responsibility of folioci/alpine-jre-openjdk* to run "apk upgrade".

Quote from https://snyk.io/blog/take-actions-to-improve-security-in-your-docker-images/ : "Any Docker image should be rebuilt regularly to prevent known vulnerabilities in your image that have already been solved."

Why "apk upgrade" is recommended now but wasn't recommended a few years ago: https://pythonspeed.com/articles/security-updates-in-docker/

"What you want to do is to pin the base image version and just apt/apk update." https://cloudberry.engineering/article/dockerfile-security-best-practices/#5-do-not-upgrade-your-system-packages
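A minimal Dockerfile illustrating the practice described in the comment above, added here as an example and not the actual folio-tools/folio-java-docker Dockerfile: the base image tag (eclipse-temurin:17-jre-alpine, named in the ticket) is pinned, and the derived image runs `apk upgrade` so its own layer carries the Alpine package fixes the base image does not.

```dockerfile
# Added example, not the folio-tools/folio-java-docker Dockerfile.
# Pin the base image to a specific tag (a digest can be appended with @sha256:...
# for stricter reproducibility; none is given here).
FROM eclipse-temurin:17-jre-alpine

# The upstream alpine and temurin images deliberately skip "apk upgrade" to keep
# their layers cacheable, so packages such as zlib can lag behind versions that
# already fix known bugs and vulnerabilities. Running the upgrade in this derived
# image pulls the patched packages into a layer we control. The "--no-cache"
# option fetches the package index for this command only and leaves no index
# files behind in the image. Because Docker caches layers, the image must be
# rebuilt (not just re-tagged) for a new upgrade run to pick up new fixes.
RUN apk --no-cache upgrade

# Run the JVM as an unprivileged user rather than root (assumed user name).
RUN addgroup -S folio && adduser -S -G folio folio
USER folio
```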

Comment by David Crossley [ 27/Jun/22 ]

Ah, thanks, must have misunderstood the linked tickets FOLIO-3480 (Closed) and FOLIO-3487 (Closed).

Closing this ticket, and opening FOLIO-3529 (Closed) to rebuild these images.
