From 6f319530804255c8e95d66263ebe146fb4479cd0 Mon Sep 17 00:00:00 2001
From: Ricardo Zanini
Date: Mon, 23 Dec 2024 15:32:46 -0500
Subject: [PATCH] NO-ISSUE: Fix security issues on images
Signed-off-by: Ricardo Zanini
---
.../src/main/resources/application.properties | 2 +-
packages/cors-proxy-image/Containerfile | 2 +-
packages/dashbuilder-viewer-image/Containerfile | 2 +-
packages/dev-deployment-base-image/README.md | 4 ++--
packages/dev-deployment-base-image/env/index.js | 2 +-
packages/dev-deployment-dmn-form-webapp-image/Containerfile | 2 +-
.../dev/Containerfile.ddus-buildtime-install | 2 +-
.../dev/Containerfile.ddus-fileserver | 2 +-
.../dev/Containerfile.ddus-runtime-install | 2 +-
packages/kie-sandbox-extended-services-image/env/index.js | 2 +-
packages/kie-sandbox-webapp-image/Containerfile | 2 +-
.../resources/incubator-kie-kogito-base-builder-image.yaml | 2 +-
.../incubator-kie-kogito-data-index-ephemeral-image.yaml | 2 +-
.../incubator-kie-kogito-data-index-postgresql-image.yaml | 2 +-
.../resources/incubator-kie-kogito-jit-runner-image.yaml | 2 +-
.../incubator-kie-kogito-jobs-service-allinone-image.yaml | 2 +-
.../incubator-kie-kogito-jobs-service-ephemeral-image.yaml | 2 +-
.../incubator-kie-kogito-jobs-service-postgresql-image.yaml | 2 +-
packages/kogito-management-console/Containerfile | 2 +-
packages/maven-m2-repo-via-http-image/Containerfile | 2 +-
.../resources/incubator-kie-sonataflow-builder-image.yaml | 4 ++--
.../resources/incubator-kie-sonataflow-devmode-image.yaml | 4 ++--
.../incubator-kie-sonataflow-management-console-image.yaml | 2 +-
packages/sonataflow-operator/images/manager.yaml | 2 +-
24 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/examples/sonataflow-greeting/src/main/resources/application.properties b/examples/sonataflow-greeting/src/main/resources/application.properties
index ce9b26ac3ce..f0030b12430 100644
--- a/examples/sonataflow-greeting/src/main/resources/application.properties
+++ b/examples/sonataflow-greeting/src/main/resources/application.properties @@ -28,5 +28,5 @@ quarkus.native.native-image-xmx=8g %container.quarkus.container-image.registry=dev.local %container.quarkus.container-image.tag=1.0-SNAPSHOT %container.quarkus.jib.jvm-entrypoint=/home/kogito/kogito-app-launch.sh -%container.quarkus.jib.base-jvm-image=registry.access.redhat.com/ubi9/openjdk-17:1.20 +%container.quarkus.jib.base-jvm-image=registry.access.redhat.com/ubi9/openjdk-17:1.21 %container.quarkus.jib.working-directory=/home/kogito/bin diff --git a/packages/cors-proxy-image/Containerfile b/packages/cors-proxy-image/Containerfile index f7ca5372f04..a17e9775111 100644 --- a/packages/cors-proxy-image/Containerfile +++ b/packages/cors-proxy-image/Containerfile @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG CORS_PROXY_DEFAULT_PORT=8080 ARG CORS_PROXY_DEFAULT_ORIGIN=* diff --git a/packages/dashbuilder-viewer-image/Containerfile b/packages/dashbuilder-viewer-image/Containerfile index fcc4531b36b..990aabc0f0e 100644 --- a/packages/dashbuilder-viewer-image/Containerfile +++ b/packages/dashbuilder-viewer-image/Containerfile @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 RUN microdnf --disableplugin=subscription-manager -y install httpd \ && microdnf --disableplugin=subscription-manager clean all \ diff --git a/packages/dev-deployment-base-image/README.md b/packages/dev-deployment-base-image/README.md index 1e1d0b5ea97..bea7e8a78f8 100644 --- a/packages/dev-deployment-base-image/README.md +++ b/packages/dev-deployment-base-image/README.md 
@@ -21,9 +21,9 @@ Docker image with Java and Maven, as well as the dev-deployment-upload-service b ## Build arguments -- `BUILDER_IMAGE_ARG`: The base image used for building this image (defaults to `registry.access.redhat.com/ubi9/openjdk-17:1.20`). +- `BUILDER_IMAGE_ARG`: The base image used for building this image (defaults to `registry.access.redhat.com/ubi9/openjdk-17:1.21`). - Tested with: - - registry.access.redhat.com/ubi9/openjdk-17:1.20 + - registry.access.redhat.com/ubi9/openjdk-17:1.21 - icr.io/appcafe/ibm-semeru-runtimes:open-17-jdk-ubi-minimal ## Environment variables diff --git a/packages/dev-deployment-base-image/env/index.js b/packages/dev-deployment-base-image/env/index.js index 6970faab87a..3fa07d5b047 100644 --- a/packages/dev-deployment-base-image/env/index.js +++ b/packages/dev-deployment-base-image/env/index.js @@ -24,7 +24,7 @@ const rootEnv = require("@kie-tools/root-env/env"); module.exports = composeEnv([rootEnv], { vars: varsWithName({ DEV_DEPLOYMENT_BASE_IMAGE__builderImage: { - default: "registry.access.redhat.com/ubi9/openjdk-17:1.20", + default: "registry.access.redhat.com/ubi9/openjdk-17:1.21", description: "The image used in the FROM import.", }, DEV_DEPLOYMENT_BASE_IMAGE__userId: { diff --git a/packages/dev-deployment-dmn-form-webapp-image/Containerfile b/packages/dev-deployment-dmn-form-webapp-image/Containerfile index 55e5c8e0366..3f775fc49c7 100644 --- a/packages/dev-deployment-dmn-form-webapp-image/Containerfile +++ b/packages/dev-deployment-dmn-form-webapp-image/Containerfile @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG DEV_DEPLOYMENT_DMN_FORM_WEBAPP_DEFAULT_PORT=8081 
diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install index edc61a9a30f..03436d8db05 100644 --- a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install +++ b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG DDUS_FILESERVER_IP="" ARG DDUS_VERSION="0.0.0" diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver index 317871ea51c..b7a1b09e7b5 100644 --- a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver +++ b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG DDUS_VERSION="0.0.0" diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install index 9a1257528da..38a7768ad57 100644 --- a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install +++ b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 ENV DDUS_FILESERVER_IP="" ENV DDUS_VERSION="0.0.0" 
diff --git a/packages/kie-sandbox-extended-services-image/env/index.js b/packages/kie-sandbox-extended-services-image/env/index.js index 01b4f7303cc..fa256c27be7 100644 --- a/packages/kie-sandbox-extended-services-image/env/index.js +++ b/packages/kie-sandbox-extended-services-image/env/index.js @@ -28,7 +28,7 @@ const { module.exports = composeEnv([rootEnv], { vars: varsWithName({ KIE_SANDBOX_EXTENDED_SERVICES__builderImage: { - default: "registry.access.redhat.com/ubi9/openjdk-17:1.20", + default: "registry.access.redhat.com/ubi9/openjdk-17:1.21", description: "The image used in the FROM import.", }, KIE_SANDBOX_EXTENDED_SERVICES__imageRegistry: { diff --git a/packages/kie-sandbox-webapp-image/Containerfile b/packages/kie-sandbox-webapp-image/Containerfile index b581a0dcfdc..4470454d014 100644 --- a/packages/kie-sandbox-webapp-image/Containerfile +++ b/packages/kie-sandbox-webapp-image/Containerfile @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG KIE_SANDBOX_DEFAULT_PORT=8080 diff --git a/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml b/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml index 627f891be91..49b09efd8a8 100644 --- a/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml +++ b/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml @@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-base-builder" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17:1.19" +from: "registry.access.redhat.com/ubi8/openjdk-17:1.21" description: "Image with JDK and Maven, used as a base image. It is used by Web Tools !" labels: 
diff --git a/packages/kogito-data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml b/packages/kogito-data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml index a84340f07a5..e7b34795a3b 100644 --- a/packages/kogito-data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml +++ b/packages/kogito-data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml @@ -18,7 +18,7 @@ # name: "docker.io/apache/incubator-kie-kogito-data-index-ephemeral" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito Data Index Service for ephemeral PostgreSQL persistence provider" labels: diff --git a/packages/kogito-data-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml b/packages/kogito-data-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml index cf4c8027420..0c92ea2332f 100644 --- a/packages/kogito-data-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml +++ b/packages/kogito-data-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml @@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-data-index-postgresql" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito Data Index Service for PostgreSQL persistence provider" labels: diff --git a/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml b/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml index 323a6cc1d50..02ae0bf09bd 100644 
--- a/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml +++ b/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml @@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-jit-runner" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito JIT Runner" labels: diff --git a/packages/kogito-jobs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml b/packages/kogito-jobs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml index 03a41ec9d9d..b0bd0a71fb3 100644 --- a/packages/kogito-jobs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml +++ b/packages/kogito-jobs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml @@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-jobs-service-ephemeral" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito Jobs Service with all available jdbc providers" labels: diff --git a/packages/kogito-jobs-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml b/packages/kogito-jobs-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml index e9b17647ad7..9adabc4967d 100644 --- a/packages/kogito-jobs-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml +++ b/packages/kogito-jobs-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml 
@@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-jobs-service-ephemeral" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito in memory Jobs Service" labels: diff --git a/packages/kogito-jobs-service-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml b/packages/kogito-jobs-service-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml index 06ac396d1cb..2f7e9844ff7 100644 --- a/packages/kogito-jobs-service-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml +++ b/packages/kogito-jobs-service-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml @@ -20,7 +20,7 @@ schema_version: 1 name: "docker.io/apache/incubator-kie-kogito-jobs-service-postgresql" version: "main" -from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20" +from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21" description: "Runtime image for Kogito Jobs Service based on Postgresql" labels: diff --git a/packages/kogito-management-console/Containerfile b/packages/kogito-management-console/Containerfile index e58ae32a702..2c2440d5a0f 100644 --- a/packages/kogito-management-console/Containerfile +++ b/packages/kogito-management-console/Containerfile @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 ARG KOGITO_MANAGEMENT_CONSOLE_PORT=8080 diff --git a/packages/maven-m2-repo-via-http-image/Containerfile b/packages/maven-m2-repo-via-http-image/Containerfile index 214b9e3164f..88c1053f8c6 100644 --- a/packages/maven-m2-repo-via-http-image/Containerfile +++ b/packages/maven-m2-repo-via-http-image/Containerfile 
@@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4 +FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5 # Argument for configuring the port ARG PORT=80 diff --git a/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml b/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml index 5955cbad3a6..13de03b566b 100644 --- a/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml +++ b/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml @@ -17,7 +17,7 @@ # under the License. # - name: builder - from: "registry.access.redhat.com/ubi8/openjdk-17:1.19" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.21" version: "main" modules: repositories: @@ -34,7 +34,7 @@ - name: org.kie.sonataflow.common.build - name: "docker.io/apache/incubator-kie-sonataflow-builder" - from: "registry.access.redhat.com/ubi8/openjdk-17:1.19" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.21" version: "main" description: "Kogito Serverless Workflow base builder with Quarkus extensions libraries preinstalled" diff --git a/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml b/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml index 8bd15fb6bfd..129498f7d80 100644 --- a/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml +++ b/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml @@ -17,7 +17,7 @@ # under the License. # - name: builder - from: "registry.access.redhat.com/ubi8/openjdk-17:1.19" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.21" version: "main" modules: repositories: 
@@ -37,7 +37,7 @@ manager: microdnf - name: "docker.io/apache/incubator-kie-sonataflow-devmode" - from: "registry.access.redhat.com/ubi8/openjdk-17:1.19" + from: "registry.access.redhat.com/ubi8/openjdk-17:1.21" version: "main" description: "Kogito Serverless Workflow development mode with Quarkus extensions libraries preinstalled" diff --git a/packages/sonataflow-management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml b/packages/sonataflow-management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml index 01ebf37e650..ee71ccc9acf 100644 --- a/packages/sonataflow-management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml +++ b/packages/sonataflow-management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml @@ -17,7 +17,7 @@ # under the License. # - name: "docker.io/apache/incubator-kie-sonataflow-devmode" - from: "registry.access.redhat.com/ubi9/httpd-24:1-336.1725850633" + from: "registry.access.redhat.com/ubi9/httpd-24:9.5" version: "0.0.0" description: "SonataFlow Management Console Image" diff --git a/packages/sonataflow-operator/images/manager.yaml b/packages/sonataflow-operator/images/manager.yaml index ca60f1df2a6..b8ebd7338c7 100644 --- a/packages/sonataflow-operator/images/manager.yaml +++ b/packages/sonataflow-operator/images/manager.yaml @@ -33,7 +33,7 @@ - name: sonataflow-operator version: 0.0.0 - from: "registry.access.redhat.com/ubi9/ubi-micro:9.5-1731519709" + from: "registry.access.redhat.com/ubi9/ubi-micro:9.5" description: Runtime Image for the Operator args:
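Review bot: The new `from:` in incubator-kie-sonataflow-management-console-image.yaml swaps a build-specific tag (`httpd-24:1-336.1725850633`) for `httpd-24:9.5`, which appears to be a floating stream tag, so the base layers can change between builds with no change in this repository. The manager.yaml hunk does the same by dropping the build suffix from `ubi-micro:9.5-1731519709`. For a commit meant to fix image security issues, the base that was actually scanned should stay identifiable: keep a build-specific tag or, if the image-descriptor tooling accepts it, pin the digest, e.g. `from: "registry.access.redhat.com/ubi9/httpd-24:9.5@sha256:<digest-of-scanned-image>"`, and let a scheduled update job bump it. A short comment above each `from:` naming the advisory or scan that prompted the bump would also help, since the commit message is `NO-ISSUE` and records no reason.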