Skip to content

fix(docker): update base image to eclipse-temurin 17.0.19 on Ubuntu 24.04 (noble)#24230

Merged
wing328 merged 2 commits into
OpenAPITools:masterfrom
Shaun-3adesign:fix/16791-docker-base-image-cves
Jul 7, 2026
Merged

fix(docker): update base image to eclipse-temurin 17.0.19 on Ubuntu 24.04 (noble)#24230
wing328 merged 2 commits into
OpenAPITools:masterfrom
Shaun-3adesign:fix/16791-docker-base-image-cves

Conversation

@Shaun-3adesign

@Shaun-3adesign Shaun-3adesign commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps the published openapi-generator-cli and openapi-generator-online Docker base images from eclipse-temurin:17.0.9_9-jre-focal (Ubuntu 20.04) to eclipse-temurin:17.0.19_10-jre-noble (Ubuntu 24.04 LTS).
  • Ubuntu 20.04 (focal) reached end of standard support, so Canonical no longer publishes security advisories for it — trivy explicitly flags detection against it as unreliable. Snyk, which doesn't rely on distro-published advisories, was still reporting real critical/high CVEs in the outdated system libraries (glibc, libcurl, krb5, sqlite, zlib, expat, libxml2, etc.), per [DOCKER][openapi-generator-cli] snyk reports image has vulnerabilities #16791.
  • Ubuntu 24.04 is a current, fully-supported LTS (security updates through 2029) and ships the same JRE build (17.0.19_10) already used elsewhere.

Verification

Built the actual images from this branch and compared against the currently published images with trivy image --severity HIGH,CRITICAL:

openapitools/openapi-generator-cli:v7.23.0 (published, focal) This branch, built (noble)
OS support status EOL in-support LTS (through 2029)
OS-layer HIGH/CRITICAL 0, but unreliable — trivy warns detection is insufficient on EOL Ubuntu 0, reliable
App-layer (bundled jar) HIGH/CRITICAL 3 1 (unrelated jackson-databind bump already in master)

Also scanned openapi-generator-online built the same way. Its OS layer is likewise clean on noble, but the image still carries ~37 HIGH/CRITICAL findings (Tomcat, Spring Framework/Boot, snakeyaml, logback) from stale bundled dependencies — unrelated to the Docker base image and unchanged by this PR. That's separate follow-up work, not in scope here.

Test plan

  • docker build modules/openapi-generator-cli/ succeeds against the new base
  • docker build modules/openapi-generator-online/ succeeds against the new base
  • trivy image shows 0 HIGH/CRITICAL OS-package findings on both built images

Fixes #16791


Summary by cubic

Update Docker base images for openapi-generator-cli and openapi-generator-online to eclipse-temurin:17.0.19_10-jre-noble (Ubuntu 24.04 LTS) to move off EOL Ubuntu 20.04 and remove OS-level CVEs. trivy shows 0 HIGH/CRITICAL OS findings on both images, and this avoids the Ubuntu 26.04 pebble CVEs; fixes #16791.

Written for commit 4a5ce60. Summary will update on new commits.

Review in cubic

Shaun-Hirst and others added 2 commits July 7, 2026 16:20
…6.04

Bump the published CLI and online image base from
eclipse-temurin:17.0.9_9-jre-focal (Ubuntu 20.04) to
eclipse-temurin:17.0.19_10-jre-resolute (Ubuntu 26.04).

The focal-based image carried the critical/high CVEs reported by Snyk,
which stem from outdated Ubuntu 20.04 system libraries (libcurl, freetype,
krb5, glibc, sqlite, zlib, expat, libxml2, etc.). The resolute base ships
patched versions of these and updates the JRE from 17.0.9 to 17.0.19.

Stays glibc-based (same lineage as focal) and publishes linux/amd64 and
linux/arm64, matching the release workflow's multi-arch build.

Fixes OpenAPITools#16791
…ead of 26.04 (resolute)

The previous commit moved the base image to eclipse-temurin:17.0.19_10-jre-resolute
(Ubuntu 26.04). Comparing all three candidates with `trivy image --severity
HIGH,CRITICAL`:

- eclipse-temurin:17.0.9_9-jre-focal (Ubuntu 20.04, current): trivy reports 0
  findings, but only because Ubuntu 20.04 is EOL and Canonical no longer
  publishes security advisories for it — trivy itself warns detection is
  "insufficient". This is consistent with Snyk (which doesn't rely on
  distro-published advisories) flagging real CVEs, per OpenAPITools#16791.
- eclipse-temurin:17.0.19_10-jre-resolute (Ubuntu 26.04): 0 OS-package
  findings, and the OS itself is in-support. However its base layer bundles
  /usr/bin/pebble (Canonical's Go-based service manager, not a dpkg package),
  which carries 6 unpatched HIGH-severity CVEs (stale golang.org/x/net and
  stdlib crypto/x509, all with fixes already published upstream). Our
  entrypoint never invokes pebble, but it's still on disk and gets scanned,
  so it would likely reproduce the exact class of finding this fix is meant
  to close.
- eclipse-temurin:17.0.19_10-jre-noble (Ubuntu 24.04 LTS, supported through
  2029): same JRE 17.0.19 build, 0 HIGH/CRITICAL findings, no pebble binary,
  and a smaller image (89.9 MB vs 104.2 MB for resolute).

Switch both Dockerfiles to the noble tag: it resolves the same focal/EOL
problem as resolute without introducing a new set of live CVEs from a
bundled binary we don't use, and Ubuntu 24.04 is a more conservative upgrade
path than day-one 26.04.

Refs OpenAPITools#16791
@wing328

wing328 commented Jul 7, 2026

Copy link
Copy Markdown
Member

thanks for the PR

cc @OpenAPITools/generator-core-team

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Re-trigger cubic

@wing328 wing328 added this to the 7.24.0 milestone Jul 7, 2026
@wing328 wing328 merged commit 435b989 into OpenAPITools:master Jul 7, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[DOCKER][openapi-generator-cli] snyk reports image has vulnerabilities

3 participants