Bump Nightly Docker image to Debian Bookworm #8212
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
The version 17 no longer bundles Nashorn.
docker/CHANGELOG.md
Outdated
@@ -1,6 +1,9 @@ | |||
# Changelog | |||
All notable changes to the docker containers will be documented in this file. | |||
|
|||
### 2023-11-15 |
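Review bot: The `### 2023-11-15` heading on the last line of this hunk fixes the entry to the day the change was written, so a later merge leaves the changelog pointing at a date on which the published image did not change. Set the date as the last step before merge, so that anyone matching a nightly image to a changelog entry gets the right day.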
This is outdated, in any case it will have to wait for the decision to drop Nashorn use.
Have removed it for now. Any instructions on how to formulate, what date to use, etc. are appreciated.
The description looks fine (updated to current changes), the date should match the day when the PR is merged.
Yeah, we need to decide how long we want to keep supporting Nashorn, and by implication Java 11...
Many considerations with the underlying java I did not look into, that is for sure. I guess dropping in temurin11 should not be too big of a deal though. Then the java issue could be postponed.
I could update the PR with temurin, but I would like your input on this first.
Install:

```bash
# docker run --rm -ti debian:bookworm-slim bash
# Refresh the package lists first; the slim base image ships with none
apt update
apt install curl
mkdir -p /etc/apt/keyrings
# Fetch the Adoptium repository signing key
curl -s https://packages.adoptium.net/artifactory/api/gpg/key/public > /etc/apt/keyrings/adoptium.asc
# Register the repository, restricted to that key via signed-by
echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list
apt update
apt install temurin-11-jdk
```

New java version:

```
# java -version
openjdk version "11.0.21" 2023-10-17
OpenJDK Runtime Environment Temurin-11.0.21+9 (build 11.0.21+9)
OpenJDK 64-Bit Server VM Temurin-11.0.21+9 (build 11.0.21+9, mixed mode)
```
I'm good with installing Java 11, but, we should start by changing just the nightly image and then change the other images with time, just in case the newer base image causes issues downstream.
I've updated Let's see how it builds, and any comments you might have.
What's the difference in sizes like?
I saw that there were a couple more changes that were required. In addition, I did what you did, and made a local build with just the basics, and compared sizes. One (or more) packages draws in
It seems that installing temurin before installing the rest of the packages we don't draw in openjdk.
My local build is progressing (if somewhat slowly), and is past my edits anyways.

```bash
docker build . --platform linux/amd64 -t zaproxy-live -t owasp/zap2docker-live:latest -t ghcr.io/zaproxy/zaproxy:nightly -t softwaresecurityproject/zap-nightly:latest -f Dockerfile-live
```

I'm interested in hearing if you are able to build and get tests running.
This reverts commit 241ccdc. Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
…ebian 12)." This reverts commit ec48a33. Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
…) with temurin-11-jdk. Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
https://peps.python.org/pep-0668/ Further down the line using a python venv should be investigated. Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
c7bc279 to 7309e61
I got a build size of A trivy scan showed 7 a drop from 14 CRITICAL to 4, and from 126 HIGH to 70 in the Total count.

```bash
trivy image --scanners vuln --format table --severity HIGH,CRITICAL zaproxy-live # my build
# Total: 126 (HIGH: 112, CRITICAL: 14)
trivy image --scanners vuln --format table --severity HIGH,CRITICAL ghcr.io/zaproxy/zaproxy:stable
# Total: 74 (HIGH: 70, CRITICAL: 4)
```
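Added example (not part of the PR or the ZAP project's code): the totals quoted above say how many findings each image has, but not which ones disappeared or appeared with the new base image. Assuming both scans are saved with trivy's `--format json` instead of `--format table`, this script tallies findings by severity and lists the resolved and introduced ones; the sample reports, IDs and package names are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample reports in the shape of `trivy image --format json`
# (only the fields used here); IDs and package names are placeholders.
OLD_REPORT = json.dumps({"Results": [
    {"Target": "debian 11", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-jre", "Severity": "HIGH"},
    ]},
    {"Target": "app.jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-jre", "Severity": "HIGH"},
    ]},
]})
NEW_REPORT = json.dumps({"Results": [
    {"Target": "debian 12", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libexample3", "Severity": "HIGH"},
    ]},
    {"Target": "app.jar"},  # a clean target may omit the key or set it to null
]})

def findings(report_json, severities=("HIGH", "CRITICAL")):
    """Return {(vuln_id, package): severity}, de-duplicated across targets."""
    out = {}
    for result in json.loads(report_json).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                out[(v["VulnerabilityID"], v["PkgName"])] = v["Severity"]
    return out

def compare(old_json, new_json):
    """Severity counts for both images plus the findings that differ."""
    old, new = findings(old_json), findings(new_json)
    return {
        "old_counts": dict(Counter(old.values())),
        "new_counts": dict(Counter(new.values())),
        "resolved": sorted(k for k in old if k not in new),
        "introduced": sorted(k for k in new if k not in old),
    }

if __name__ == "__main__":
    print(json.dumps(compare(OLD_REPORT, NEW_REPORT), indent=2))
```

Because findings are keyed on ID and package, the counts can be lower than trivy's table totals, which are reported per target.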
I see that The immediate change I see is that one has to add the mozilla PPA to get According to the commits the images used to be ubuntu. Were there any compelling reasons for the switch?
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
9e0fe4d to d3b4d11
…cker-bookworm Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
…cker-bookworm Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
This PR bumps the base image for zaproxy from Debian Bullseye (11) to Debian Bookworm (12).
It also bumps openjdk from openjdk-11 to openjdk-17 - as 17 is the current default in Bookworm, and openjdk-11 is not directly available in Bookworm.
Resolves #8211.