It’s become common today to build projects based on Docker images. Somebody will find a blog post with a sample Dockerfile and verify that it works with their application. As long as you use :latest or :alpine, everything should be good, right?
An example is a recent project I was helping with, where the Dockerfile looked like this:

```dockerfile
FROM maven:alpine AS build
COPY src /usr/src/app/src
COPY pom.xml /usr/src/app
COPY configuration/settings.xml /usr/src/app
RUN mvn -s /usr/src/app/settings.xml -f /usr/src/app/pom.xml clean package

FROM openjdk:8-alpine
COPY --from=build /usr/src/app/target/myapp*.jar /usr/app/myapp.jar
EXPOSE 5000
ENTRYPOINT ["java","-jar","/usr/app/myapp.jar"]
```
JDK 8 itself is not the surprise. Depending on who you believe, maintenance for OpenJDK 8 is planned for at least another 4 years, until September 2023, according to Red Hat's OpenJDK Lifecycle page:
https://access.redhat.com/solutions/4934371
I have a habit of checking the Docker images much more closely. The scary issue I found was that these images had not been updated in 2 years:
If you want a more exact date, you can use docker inspect:

```
docker inspect -f '{{ .Created }}' maven:alpine
2019-05-11T04:21:07.847377418Z
docker inspect -f '{{ .Created }}' openjdk:8-alpine
2019-05-11T01:32:17.777332452Z
```
Checking the Alpine project shows that a number of CVEs were reported starting a few weeks after this image was built:
CVE-2019-1563, CVE-2019-1549, CVE-2019-1547
CVE-2021-3450, CVE-2021-23841, CVE-2021-3449
The OpenJDK project is still receiving maintenance, and the Alpine project is still patching CVEs. The person who built these images for Docker simply stopped pushing updates, so you need to look for an image that is still being updated. In this case, doijanky is pushing images under tags like 3.8.2-ibmjava-8-alpine or ibmjava-alpine, last updated 2021-09-01T06:33:21.362865623Z, which is much better.
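The docker inspect check above is easy to turn into a build-time gate. The script below is an added example, not part of the original post: it parses the Created timestamps that docker inspect prints (nanosecond fraction, trailing Z) and fails when a base image is older than an assumed 90-day refresh policy. The image list and the MAX_AGE_DAYS threshold are assumptions to adjust to your own policy.

```python
#!/usr/bin/env python3
"""Fail the build if a base image has not been rebuilt recently.

Constructed example: parses `docker inspect -f '{{ .Created }}'` output
(RFC 3339 with a nanosecond fraction and trailing Z) and reports images
older than MAX_AGE_DAYS.
"""
import subprocess
import sys
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed policy: base images refreshed at least quarterly


def parse_created(created: str) -> datetime:
    """Parse a docker Created stamp such as 2019-05-11T04:21:07.847377418Z.

    datetime.fromisoformat (before Python 3.11) rejects nanosecond fractions
    and the trailing Z, so normalise to microseconds and explicit UTC first.
    """
    stamp = created.strip().rstrip("Z")
    date_part, _, frac = stamp.partition(".")
    frac = (frac + "000000")[:6]  # truncate nanoseconds to microseconds
    parsed = datetime.strptime(f"{date_part}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def image_age_days(created: str, now: datetime) -> int:
    """Whole days between the image build time and `now` (timezone-aware)."""
    return (now - parse_created(created)).days


def stale_images(created_by_image: dict, now: datetime,
                 max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Return {image: age_in_days} for every image older than max_age_days."""
    ages = {img: image_age_days(ts, now) for img, ts in created_by_image.items()}
    return {img: age for img, age in ages.items() if age > max_age_days}


def inspect_created(images):
    """Ask the local Docker daemon for each image's Created timestamp."""
    out = subprocess.run(["docker", "inspect", "-f", "{{ .Created }}", *images],
                         check=True, capture_output=True, text=True).stdout
    return dict(zip(images, out.split()))  # one timestamp per line, in order


if __name__ == "__main__":
    images = sys.argv[1:] or ["maven:alpine", "openjdk:8-alpine"]  # assumed defaults
    stale = stale_images(inspect_created(images), datetime.now(timezone.utc))
    for image, age in stale.items():
        print(f"STALE: {image} was built {age} days ago (limit {MAX_AGE_DAYS})")
    sys.exit(1 if stale else 0)
```

Run it as part of CI with the images your Dockerfile pulls; a non-zero exit blocks the build until the base images are refreshed or the threshold is consciously raised.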
Of course, you can also look at using buildpacks to avoid needing to use Docker.
Cheers.