From 5d1f3f96678ad737c892163efb061304805a2b1d Mon Sep 17 00:00:00 2001 From: Adrian Cole <64215+codefromthecrypt@users.noreply.github.com> Date: Tue, 19 Nov 2024 16:08:48 +0800 Subject: [PATCH] Updates to Alpine 3.20.3, Java 17.0.13_p11 and latest maven deps Signed-off-by: Adrian Cole --- .github/workflows/deploy.yml | 2 +- .github/workflows/security.yml | 59 ++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 4 +-- Dockerfile | 16 ++++----- README.md | 22 ++++++------- install.sh | 6 ++-- 6 files changed, 84 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e0b8ffd..1272980 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -11,7 +11,7 @@ on: jobs: deploy: - runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish + runs-on: ubuntu-24.04 # newest available distribution, aka numbat steps: - name: Checkout Repository uses: actions/checkout@v4 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..511e35a --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,59 @@ +--- +name: security + +# We don't scan documentation-only commits. +on: # yamllint disable-line rule:truthy + push: # non-tagged pushes to master + branches: + - master + tags-ignore: + - '*' + paths-ignore: + - '**/*.md' + - './build-bin/*lint' + - ./build-bin/mlc_config.json + pull_request: # pull requests targeted at the master branch. + branches: + - master + paths-ignore: + - '**/*.md' + - './build-bin/*lint' + - ./build-bin/mlc_config.json + +jobs: + security: + name: security + runs-on: ubuntu-24.04 # newest available distribution, aka numbat + # skip commits made by the release plugin + if: "!contains(github.event.head_commit.message, 'maven-release-plugin')" + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + - uses: actions/cache@v4 + name: Cache Trivy Database + with: + path: .trivy + key: ${{ runner.os }}-trivy + restore-keys: ${{ runner.os }}-trivy + - name: Run Trivy vulnerability and secret scanner + uses: aquasecurity/trivy-action@master + id: trivy + env: # See https://github.com/aquasecurity/trivy/discussions/7668 + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db + with: + scan-type: 'fs' + scan-ref: '.' # scan the entire repository + scanners: vuln,secret + exit-code: '1' + severity: HIGH,CRITICAL + output: trivy-report.md + cache-dir: .trivy + - name: Set Summary + shell: bash + if: ${{ failure() && steps.trivy.conclusion == 'failure' }} + # Add the Trivy report to the summary + # + # Note: This will cause a workflow error if trivy-report.md > the step + # limit 1MiB. If this was due to too many CVEs, consider fixing them ;) + run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2b59285..b53fd0f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,13 +17,13 @@ on: jobs: test: name: test (${{ matrix.name }}) - runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish + runs-on: ubuntu-24.04 # newest available distribution, aka numbat strategy: fail-fast: false # don't fail fast as some failures are LTS specific matrix: # match with maven-enforcer-plugin rules in pom.xml include: - name: build-arg - version: 17.0.12_p7 + version: 17.0.13_p11 - name: implicit version: master steps: diff --git a/Dockerfile b/Dockerfile index 1025e34..c91dcd0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ # docker_parent_image is the base layer of full and jre image # # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/alpine -ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2 +ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.3 # java_version and java_home are hard-coded here to allow the following: # * `docker build https://github.com/openzipkin/docker-java.git` @@ -17,17 +17,17 @@ ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2 # When updating, also update the README # * Use current version from https://pkgs.alpinelinux.org/packages?name=openjdk17, stripping # the `-rX` at the end. -ARG java_version=17.0.12_p7 +ARG java_version=17.0.13_p11 ARG java_home=/usr/lib/jvm/java-17-openjdk # We copy files from the context into a scratch container first to avoid a problem where docker and # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally. # COPY --from= works around the issue. -FROM scratch as code +FROM scratch AS code COPY . /code/ -FROM $docker_parent_image as base +FROM $docker_parent_image AS base # java_version is hard-coded here to allow the following to work: # * `docker build https://github.com/openzipkin/docker-java.git` @@ -51,17 +51,17 @@ WORKDIR /java ENTRYPOINT ["java", "-jar"] # The JDK image includes a few build utilities and Maven -FROM base as jdk +FROM base AS jdk LABEL org.opencontainers.image.description="OpenJDK on Alpine Linux" ARG java_version -ARG maven_version=3.9.8 +ARG maven_version=3.9.9 LABEL maven-version=$maven_version COPY --from=code /code/install.sh . RUN ./install.sh $java_version $maven_version && rm install.sh # Use a temporary target to build a JRE using the JDK we just built -FROM jdk as install +FROM jdk AS install WORKDIR /install @@ -93,7 +93,7 @@ jdk.localedata --include-locales en \ --output jre # Our JRE image is minimal: Only Alpine, gcompat and a stripped down JRE -FROM base as jre +FROM base AS jre LABEL org.opencontainers.image.description="Minimal OpenJDK JRE on Alpine Linux" COPY --from=install /install/jre/ ${JAVA_HOME}/ diff --git a/README.md b/README.md index 3491dbf..26a3825 100644 --- a/README.md +++ b/README.md @@ -15,10 +15,10 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope To try the image, run the `java -version` command: ```bash -$ docker run --rm ghcr.io/openzipkin/java:17.0.12_p7 -version -openjdk version "17.0.12" 2024-07-16 -OpenJDK Runtime Environment (build 17.0.12+7-alpine-r0) -OpenJDK 64-Bit Server VM (build 17.0.12+7-alpine-r0, mixed mode, sharing) +$ docker run --rm ghcr.io/openzipkin/java:17.0.13_p11 -version +openjdk version "17.0.13" 2024-10-15 +OpenJDK Runtime Environment (build 17.0.13+11-alpine-r0) +OpenJDK 64-Bit Server VM (build 17.0.13+11-alpine-r0, mixed mode, sharing) ``` ## Release process @@ -39,26 +39,26 @@ Build the [Dockerfile](Dockerfile) using the current version without the revision classifier from here: * https://pkgs.alpinelinux.org/packages?name=openjdk17 ```bash -# Note 17.0.12_p7 not 17.0.12_p7-r2! -./build-bin/build 17.0.12_p7 +# Note 17.0.13_p11 not 17.0.13_p11-r2! +./build-bin/build 17.0.13_p11 ``` Next, verify the built image matches that version: ```bash $ docker run --rm openzipkin/java:test -version -openjdk version "17.0.12" 2024-07-16 -OpenJDK Runtime Environment (build 17.0.12+7-alpine-r0) -OpenJDK 64-Bit Server VM (build 17.0.12+7-alpine-r0, mixed mode, sharing) +openjdk version "17.0.13" 2024-10-15 +OpenJDK Runtime Environment (build 17.0.13+11-alpine-r0) +OpenJDK 64-Bit Server VM (build 17.0.13+11-alpine-r0, mixed mode, sharing) ``` -To release the image, push a tag matching the arg to `build-bin/build` (ex `17.0.12_p7`). +To release the image, push a tag matching the arg to `build-bin/build` (ex `17.0.13_p11`). This triggers a [GitHub Actions](https://github.com/openzipkin/docker-java/actions) job to push the image. ## java.lang.ClassNotFoundException The image ending in `-jre` is stripped to only retain the minimal modules needed by Zipkin. This is to make it as small as possible. If the `zipkin` or `zipkin-slim` images fail with a -`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile][Dockerfile]. +`java.lang.ClassNotFoundException`, it may be related to the modules linked in the [Dockerfile](Dockerfile). If the package begins with `java.`, `sun.` or `com.sun.`, it is likely a JRE module. To verify, use `javap` without any other options. If a result is printed, you need to link a corresponding module. diff --git a/install.sh b/install.sh index 09e8eca..d0d01df 100755 --- a/install.sh +++ b/install.sh @@ -19,7 +19,7 @@ maybe_log_crash() { } java_version=${1?java_version is required. ex --strip-debug} -maven_version=${2?maven_version is required. ex 3.9.8} +maven_version=${2?maven_version is required. ex 3.9.9} java_major_version=$(echo ${java_version}| cut -f1 -d .) package=openjdk${java_major_version} @@ -43,5 +43,5 @@ apache_backup_mirror=https://downloads.apache.org/ (wget ${apache_mirror}${maven_dist_path} || wget ${apache_backup_mirror}${maven_dist_path}) | tar xz --strip=1 -C maven ln -s ${PWD}/maven/bin/mvn /usr/bin/mvn -mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.4.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash -mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.7.1:get -Dmdep.skip +mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash +mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get -Dmdep.skip