fix(docker): update base image to eclipse-temurin 17.0.19 on Ubuntu 24.04 (noble)#24230
Merged
wing328 merged 2 commits intoJul 7, 2026
Merged
Conversation
…6.04 Bump the published CLI and online image base from eclipse-temurin:17.0.9_9-jre-focal (Ubuntu 20.04) to eclipse-temurin:17.0.19_10-jre-resolute (Ubuntu 26.04). The focal-based image carried the critical/high CVEs reported by Snyk, which stem from outdated Ubuntu 20.04 system libraries (libcurl, freetype, krb5, glibc, sqlite, zlib, expat, libxml2, etc.). The resolute base ships patched versions of these and updates the JRE from 17.0.9 to 17.0.19. Stays glibc-based (same lineage as focal) and publishes linux/amd64 and linux/arm64, matching the release workflow's multi-arch build. Fixes OpenAPITools#16791
…ead of 26.04 (resolute) The previous commit moved the base image to eclipse-temurin:17.0.19_10-jre-resolute (Ubuntu 26.04). Comparing all three candidates with `trivy image --severity HIGH,CRITICAL`: - eclipse-temurin:17.0.9_9-jre-focal (Ubuntu 20.04, current): trivy reports 0 findings, but only because Ubuntu 20.04 is EOL and Canonical no longer publishes security advisories for it — trivy itself warns detection is "insufficient". This is consistent with Snyk (which doesn't rely on distro-published advisories) flagging real CVEs, per OpenAPITools#16791. - eclipse-temurin:17.0.19_10-jre-resolute (Ubuntu 26.04): 0 OS-package findings, and the OS itself is in-support. However its base layer bundles /usr/bin/pebble (Canonical's Go-based service manager, not a dpkg package), which carries 6 unpatched HIGH-severity CVEs (stale golang.org/x/net and stdlib crypto/x509, all with fixes already published upstream). Our entrypoint never invokes pebble, but it's still on disk and gets scanned, so it would likely reproduce the exact class of finding this fix is meant to close. - eclipse-temurin:17.0.19_10-jre-noble (Ubuntu 24.04 LTS, supported through 2029): same JRE 17.0.19 build, 0 HIGH/CRITICAL findings, no pebble binary, and a smaller image (89.9 MB vs 104.2 MB for resolute). Switch both Dockerfiles to the noble tag: it resolves the same focal/EOL problem as resolute without introducing a new set of live CVEs from a bundled binary we don't use, and Ubuntu 24.04 is a more conservative upgrade path than day-one 26.04. Refs OpenAPITools#16791
Member
|
thanks for the PR cc @OpenAPITools/generator-core-team |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
openapi-generator-cliandopenapi-generator-onlineDocker base images fromeclipse-temurin:17.0.9_9-jre-focal(Ubuntu 20.04) toeclipse-temurin:17.0.19_10-jre-noble(Ubuntu 24.04 LTS).trivyexplicitly flags detection against it as unreliable. Snyk, which doesn't rely on distro-published advisories, was still reporting real critical/high CVEs in the outdated system libraries (glibc, libcurl, krb5, sqlite, zlib, expat, libxml2, etc.), per [DOCKER][openapi-generator-cli] snyk reports image has vulnerabilities #16791.Verification
Built the actual images from this branch and compared against the currently published images with
trivy image --severity HIGH,CRITICAL:openapitools/openapi-generator-cli:v7.23.0(published, focal)jackson-databindbump already in master)Also scanned
openapi-generator-onlinebuilt the same way. Its OS layer is likewise clean on noble, but the image still carries ~37 HIGH/CRITICAL findings (Tomcat, Spring Framework/Boot, snakeyaml, logback) from stale bundled dependencies — unrelated to the Docker base image and unchanged by this PR. That's separate follow-up work, not in scope here.Test plan
docker build modules/openapi-generator-cli/succeeds against the new basedocker build modules/openapi-generator-online/succeeds against the new basetrivy imageshows 0 HIGH/CRITICAL OS-package findings on both built imagesFixes #16791
Summary by cubic
Update Docker base images for
openapi-generator-cliandopenapi-generator-onlinetoeclipse-temurin:17.0.19_10-jre-noble(Ubuntu 24.04 LTS) to move off EOL Ubuntu 20.04 and remove OS-level CVEs.trivyshows 0 HIGH/CRITICAL OS findings on both images, and this avoids the Ubuntu 26.04pebbleCVEs; fixes #16791.Written for commit 4a5ce60. Summary will update on new commits.