
Bump Nightly Docker image to Debian Bookworm #8212

Open
wants to merge 15 commits into
base: main

Conversation

sastorsl

@sastorsl sastorsl commented Nov 23, 2023

This PR bumps the base image for zaproxy from Debian Bullseye (11) to Debian Bookworm (12).
It also bumps openjdk from openjdk-11 to openjdk-17 - as 17 is the current default in Bookworm, and openjdk-11 is not directly available in Bookworm.

Resolves #8211.

Signed-off-by: Stein Arne Storslett <sastorsl@users.noreply.github.com>
thc202 changed the title from "Resolves #8211 Bump zaproxy base image to Debian Bookworm" to "[WIP] Bump base Docker image to Debian Bookworm" on Nov 23, 2023
@thc202
Member

thc202 commented Nov 23, 2023

The version 17 no longer bundles Nashorn.

@@ -1,6 +1,9 @@
# Changelog
All notable changes to the docker containers will be documented in this file.

### 2023-11-15
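Review bot: the "### 2023-11-15" heading added under "# Changelog" hard-codes a date that will not match when the change actually lands; since the changelog records the day a change is merged, keep the entry text but set the date heading to the merge date when the PR is ready to land.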
Member


This is outdated, in any case it will have to wait for the decision to drop Nashorn use.

Author


Have removed it for now. Any instructions on how to formulate it, what date to use, etc. are appreciated.

Member


The description looks fine (updated to current changes), the date should match the day when the PR is merged.

@psiinon
Member

psiinon commented Nov 23, 2023

Yeah, we need to decide how long we want to keep supporting Nashorn, and by implication Java 11...

@sastorsl
Author

sastorsl commented Nov 23, 2023

Many considerations with the underlying java I did not look into, that is for sure.

I guess dropping in temurin11 should not be too big of a deal though. Then the java issue could be postponed.

@sastorsl
Author

I could update the PR with temurin, but I would like your input on this first.

https://github.com/adoptium/temurin-build/wiki/Differences-between-Adopt-OpenJDK-binaries-and-Oracle-JDK-Binaries

@sastorsl
Author

Install:

# docker run --rm -ti debian:bookworm-slim bash
apt update    # the slim image ships without package lists, so refresh them before the first install
apt install curl
mkdir -p /etc/apt/keyrings
# -f makes curl fail on an HTTP error instead of writing the error body into the keyring file
curl -fsS https://packages.adoptium.net/artifactory/api/gpg/key/public > /etc/apt/keyrings/adoptium.asc
# signed-by pins this source to the downloaded key; the codename is read from the running release
echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list

apt update    # pick up the new Adoptium source
apt install temurin-11-jdk

New java version

# java -version
openjdk version "11.0.21" 2023-10-17
OpenJDK Runtime Environment Temurin-11.0.21+9 (build 11.0.21+9)
OpenJDK 64-Bit Server VM Temurin-11.0.21+9 (build 11.0.21+9, mixed mode)

@thc202
Member

thc202 commented Nov 28, 2023

I'm good with installing Java 11, but, we should start by changing just the nightly image and then change the other images with time, just in case the newer base image causes issues downstream.

@sastorsl
Author

> I'm good with installing Java 11, but, we should start by changing just the nightly image and then change the other images with time, just in case the newer base image causes issues downstream.

I've updated Dockerfile-live only now, and included temurin-11-jdk.
I've reverted the changes made in the rest of the Dockerfiles.

Let's see how it builds, and any comments you might have.

@psiinon
Member

psiinon commented Nov 30, 2023

What's the difference in sizes like?
For some reason I can't build the live image locally, so I hacked the weekly to include similar changes. I had to disable the pip install as that was failing, but bookworm was still bigger (although not by a lot):

docker images                          
REPOSITORY                            TAG       IMAGE ID       CREATED          SIZE
ssp/zap2docker-weekly-bookworm        latest    7ed8181b79f7   56 seconds ago   1.95GB
ssp/zap2docker-weekly                 latest    802a8dd2a6be   11 minutes ago   1.71GB

@sastorsl
Author

sastorsl commented Dec 5, 2023

I saw that there were a couple more changes that were required.
I'll update the PR shortly.

In addition, I did what you did, and made a local build with just the basics, and compared sizes.

One (or more) packages draws in java-17-openjdk - so there are two java packages there.
And there is about 90M extra in x86_64-linux-gnu

Volumes                       bullseye  bookworm
/usr/lib/X11                  4.0K      4.0K
/usr/lib/apt                  1.1M      1.1M
/usr/lib/bfd-plugins          4.0K      4.0K
/usr/lib/binfmt.d             4.0K      8.0K
/usr/lib/compat-ld            4.0K      4.0K
/usr/lib/cpp                            0
/usr/lib/dbus-1.0             56K       56K
/usr/lib/debug                20K       20K
/usr/lib/dpkg                 36K       36K
/usr/lib/environment.d        4.0K      4.0K
/usr/lib/firefox-esr          228M (*)  226M (*)
/usr/lib/firmware                       72K
/usr/lib/gcc                  95M       120M (*)
/usr/lib/git-core             18M       23M
/usr/lib/gnupg                680K      728K
/usr/lib/gnupg2               4.0K      4.0K
/usr/lib/gold-ld              4.0K      4.0K
/usr/lib/init                           16K
/usr/lib/jvm                  258M (*)  494M (*)
/usr/lib/kernel               24K       28K
/usr/lib/locale               1.9M      404K
/usr/lib/lsb                            32K
/usr/lib/mime                 32K       40K
/usr/lib/modprobe.d                     8.0K
/usr/lib/modules-load.d       4.0K      4.0K
/usr/lib/mozilla              16K       16K
/usr/lib/openssh              1.2M      1.6M
/usr/lib/os-release           4.0K      4.0K
/usr/lib/pam.d                8.0K      8.0K
/usr/lib/python3              6.7M      25M
/usr/lib/python3.11                     54M
/usr/lib/python3.9            42M
/usr/lib/sasl2                4.0K      4.0K
/usr/lib/ssl                  24K       24K
/usr/lib/sysctl.d             12K       12K
/usr/lib/systemd              544K      4.8M
/usr/lib/sysusers.d           16K       24K
/usr/lib/tcltk                16K       16K
/usr/lib/terminfo                       228K
/usr/lib/tmpfiles.d           56K       64K
/usr/lib/udev                 16K       60K
/usr/lib/valgrind             16K       16K
/usr/lib/x86_64-linux-gnu     488M (*)  565M (*)
/usr/lib/xorg                 32K       32K

@sastorsl
Author

sastorsl commented Dec 5, 2023

It seems that if we install temurin before the rest of the packages, we don't draw in openjdk.
I'll adapt the PR accordingly.
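Two build-time checks for the Bookworm/Temurin switch discussed in the install snippet above and in the comment about installing temurin first, as an added example that is not code from this PR or from the zaproxy project: one builds the signed-by apt source entry from an os-release file (the same awk lookup the snippet uses), the other reads a dpkg package list and passes only when temurin-11-jdk is the sole JDK, so a second openjdk-17 drawn in by another package's dependency fails the image build instead of shipping. The function names and the sample package lists are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or the zaproxy project). Helper names are
# assumptions; the package lists fed to jdk_packages_ok are constructed.

# Build the Adoptium apt source entry for the codename found in the given
# os-release file. signed-by pins the source to the keyring file the install
# snippet downloads, so only packages signed by that key are accepted from it.
adoptium_sources_line() {
    codename=$(awk -F= '/^VERSION_CODENAME=/{print $2}' "$1")
    [ -n "$codename" ] || return 1
    printf 'deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb %s main\n' "$codename"
}

# Read installed package names, one per line (the output of
# dpkg-query -W -f='${Package}\n'), on stdin. Succeed only when exactly one
# JDK/JRE package is installed and it is temurin-11-jdk; an extra
# openjdk-17-jre-headless or similar entry makes the check fail.
jdk_packages_ok() {
    jdks=$(grep -E '^(temurin-[0-9]+-jdk|openjdk-[0-9]+-(jdk|jre)(-headless)?)$' || true)
    count=$(printf '%s\n' "$jdks" | grep -c . || true)
    [ "$count" -eq 1 ] && [ "$jdks" = "temurin-11-jdk" ]
}

# Inside a built image the checks would be run as:
#   adoptium_sources_line /etc/os-release
#   dpkg-query -W -f='${Package}\n' | jdk_packages_ok && echo "only temurin-11-jdk installed"
```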

@sastorsl
Author

sastorsl commented Dec 5, 2023

My local build is progressing (if somewhat slowly), and is past my edits anyway.

docker build . --platform linux/amd64 -t zaproxy-live -t owasp/zap2docker-live:latest -t ghcr.io/zaproxy/zaproxy:nightly -t softwaresecurityproject/zap-nightly:latest -f Dockerfile-live

I'm interested in hearing if you are able to build and get tests running.

This reverts commit 241ccdc.

…ebian 12)."

This reverts commit ec48a33.

…) with temurin-11-jdk.

https://peps.python.org/pep-0668/

Further down the line using a python venv should be investigated.

thc202 changed the title from "[WIP] Bump base Docker image to Debian Bookworm" to "Bump Nightly Docker image to Debian Bookworm" on Dec 6, 2023
@sastorsl
Author

sastorsl commented Dec 6, 2023

I got a build size of 2.15GB, as compared to 1.99GB in the "old".

A trivy scan showed a drop from 14 CRITICAL to 4, and from 126 HIGH to 70 in the Total count.

trivy image --scanners vuln --format table --severity HIGH,CRITICAL zaproxy-live  # my build
# Total: 126 (HIGH: 112, CRITICAL: 14)

trivy image --scanners vuln --format table --severity HIGH,CRITICAL ghcr.io/zaproxy/zaproxy:stable
# Total: 74 (HIGH: 70, CRITICAL: 4)

@sastorsl
Author

sastorsl commented Dec 6, 2023

I see that ubuntu:22.04 is 78MB and debian:bookworm-slim is 75MB. In comparison debian:bullseye-slim is 80MB.
ubuntu:22.04 also has packages for openjdk-11-jdk.

The immediate change I see is that one has to add the mozilla PPA to get firefox-esr.

According to the commits the images used to be ubuntu. Were there any compelling reasons for the switch?

Successfully merging this pull request may close these issues.

Bump the base Docker image from bullseye-slim to bookworm-slim