Remove use of Java 8 #238

Closed
abelsromero opened this issue Feb 6, 2022 · 14 comments · Fixed by #240

Comments

@abelsromero
Member

This is to spin up a conversation...

We are using Java 8 for the image and we have already passed 2 LTS releases since then, v11 (Sept 2018) and v17 (Sept 2021).

I ran some tests and:

My opinion is to upgrade to the latest Java LTS and Alpine, unless there's some support reason to still use older Alpine. wdyt?

asciidoctor:latest (alpine 3.13.7)
==================================
Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 5, CRITICAL: 3)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat    | CVE-2022-22822   | CRITICAL | 2.2.10-r1         | 2.2.10-r2     | expat: Integer overflow in            |
|          |                  |          |                   |               | addBinding in xmlparse.c              |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22822 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-22823   |          |                   |               | expat: Integer overflow in            |
|          |                  |          |                   |               | build_model in xmlparse.c             |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22823 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-22824   |          |                   |               | expat: Integer overflow in            |
|          |                  |          |                   |               | defineAttribute in xmlparse.c         |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22824 |
+          +------------------+----------+                   +               +---------------------------------------+
|          | CVE-2021-45960   | HIGH     |                   |               | expat: Large number of prefixed XML   |
|          |                  |          |                   |               | attributes on a single tag can...     |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-45960 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2021-46143   |          |                   |               | expat: Integer overflow               |
|          |                  |          |                   |               | in doProlog in xmlparse.c             |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-46143 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-22825   |          |                   |               | expat: Integer overflow               |
|          |                  |          |                   |               | in lookup in xmlparse.c               |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22825 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-22826   |          |                   |               | expat: Integer overflow in            |
|          |                  |          |                   |               | nextScaffoldPart in xmlparse.c        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22826 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-22827   |          |                   |               | expat: Integer overflow               |
|          |                  |          |                   |               | in storeAtts in xmlparse.c            |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22827 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libblkid | CVE-2021-3995    | MEDIUM   | 2.36.1-r1         | 2.37.3-r0     | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of FUSE filesystems belonging         |
|          |                  |          |                   |               | to users with similar uid...          |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3995  |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2021-3996    |          |                   |               | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of filesystems in libmount            |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3996  |
+----------+------------------+          +                   +               +---------------------------------------+
| libmount | CVE-2021-3995    |          |                   |               | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of FUSE filesystems belonging         |
|          |                  |          |                   |               | to users with similar uid...          |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3995  |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2021-3996    |          |                   |               | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of filesystems in libmount            |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3996  |
+----------+------------------+          +                   +               +---------------------------------------+
| libuuid  | CVE-2021-3995    |          |                   |               | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of FUSE filesystems belonging         |
|          |                  |          |                   |               | to users with similar uid...          |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3995  |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2021-3996    |          |                   |               | util-linux: Unauthorized unmount      |
|          |                  |          |                   |               | of filesystems in libmount            |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3996  |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

@dduportal
Contributor

That sounds a wonderful idea! Are you willing to contribute it or do you want help?

@abelsromero
Member Author

> That sounds a wonderful idea! Are you willing to contribute it or do you want help?

It's ok, thanks, just need to find some time.

@barthel
Contributor

barthel commented Mar 26, 2023

This change cuts off the possibility to build an armv7 container image as long as Alpine does not provide an openjdk package higher than version 8.

@dduportal
Contributor

> This change cuts off the possibility to build an armv7 container image as long as Alpine does not provide an openjdk package higher than version 8.

What is the use case of asciidoctor on an armv7 CPU (except the "sport" of doing it)?

I'm wondering if the effort required is worth it. Isn't arm64 / armv8 enough?

@dduportal
Contributor

btw

  • JDK8 has been end of life since 31 March 2022 for active support - https://endoflife.date/java - so it would not make sense to have "new" support for it.
  • Temurin (Adoptium) JDK provides ARM base images as far as I can tell, at least on a Debian base. Might be interesting to check.

@barthel
Contributor

barthel commented Mar 26, 2023

I'm using asciidoctor on my Raspberry Pi 3B farm in combination with gitea and drone CI.
The armv7 branch of Alpine only provides openjdk8.

@barthel
Contributor

barthel commented Mar 26, 2023

But maybe we could use Adoptium/Temurin (https://github.com/adoptium/temurin19-binaries) as a replacement for vanilla OpenJDK.
Will try that and open a new issue for that.

@dduportal
Contributor

@bar

> I'm using asciidoctor on my Raspberry Pi 3B farm in combination with gitea and drone CI. The armv7 branch of Alpine only provides openjdk8.

Isn't the Rpi 3B an arm64 CPU?

@dduportal
Contributor

> But maybe we could use Adoptium/Temurin (https://github.com/adoptium/temurin19-binaries) as a replacement for vanilla OpenJDK. Will try that and open a new issue for that.

Be careful of the following:

  • the JDK bindings for Alpine require a compilation using the musl libc. Installation will work, but the probability is high that you'll face runtime errors => that might need a change from Alpine to Debian as base image (I'm not against it, but it involves a lot of work + is a breaking change).
  • Keep using the JDK LTS line (e.g. JDK 17). JDK19 and JDK20 are short-timed distributions with a lot of changes that might not make it into the JDK 21 LTS next year.

=> WDYT of starting with the Temurin JDK17 in a Debian image only for armv7 as a first step?
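The musl point made above, as an added example that is not code from the asciidoctor image or from Adoptium: a small Python check that reads the ELF program interpreter (PT_INTERP) of a binary such as the JDK's `java`, so a glibc-linked build can be spotted on a musl (Alpine) base before it fails at runtime. The `fake_elf64` helper only builds a constructed sample ELF for demonstration; the loader paths it is fed are assumed, not taken from any real image.

```python
"""Read the ELF program interpreter (PT_INTERP) to see which libc a binary expects.

Added example for the musl/glibc mismatch discussed above, not code from the
asciidoctor image. A glibc-built JDK carries a /lib64/ld-linux-*.so.2 loader path
that an Alpine (musl) base does not provide, so it installs but fails to start.
"""
import struct

PT_INTERP = 3  # program header type for the dynamic loader path

def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF image, or None if it has none (static)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]            # 1/2 = ELF32/ELF64, 1/2 = LSB/MSB
    e = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                # ELF64 header offsets
        (e_phoff,) = struct.unpack_from(e + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
        ph_fmt, off_i, sz_i = e + "IIQQQQQQ", 2, 5   # index of p_offset, p_filesz
    elif ei_class == 1:                              # ELF32 header offsets
        (e_phoff,) = struct.unpack_from(e + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x2A)
        ph_fmt, off_i, sz_i = e + "IIIIIIII", 1, 4
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            return data[ph[off_i]:ph[off_i] + ph[sz_i]].rstrip(b"\0").decode()
    return None

def libc_flavour(interp):
    """Classify a loader path: musl, glibc, static (no interpreter) or unknown."""
    if interp is None:
        return "static"
    if "ld-musl" in interp:
        return "musl"
    if "ld-linux" in interp:
        return "glibc"
    return "unknown"

def fake_elf64(interp: bytes) -> bytes:
    """Constructed sample: minimal little-endian x86-64 ELF with one PT_INTERP header."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    n = len(interp) + 1                              # string plus NUL terminator at offset 120
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, n, n, 1)
    return ehdr + phdr + interp + b"\0"
```

Inside a candidate image, `libc_flavour(elf_interpreter(open(path, "rb").read()))` run on the JDK's `java` binary should return "musl" for an Alpine-native build; "glibc" on an Alpine base is the mismatch described in the comment.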

@barthel
Contributor

barthel commented Mar 26, 2023

I know about the musl 'disaster' (adoptium/temurin-build#2688)

Could it also be an easier option to provide an Asciidoctor Container Image based on Debian?

But let me open (later this day) new issues to discuss that.

@barthel
Contributor

barthel commented Mar 26, 2023

> Isn't the Rpi 3B an arm64 CPU?

Yes. But I have to use a 32-bit OS for reasons and have to use the same base image for the Raspberry Pi Zero too.

It's a challenge, I know.

@dduportal
Contributor

> > Isn't the Rpi 3B an arm64 CPU?
>
> Yes. But I have to use a 32-bit OS for reasons and have to use the same base image for the Raspberry Pi Zero too.
>
> It's a challenge, I know.

No problem, I haven't used armv7 for a while so I was wondering how to get a state-of-the-field reality check from someone using it ;)

I know for a fact that @Poddingue also had the same issue for the Jenkins docker agent images as well (Alpine + JDK11/17 + armv7).

Adding a Debian image is clearly the next direction if we want easy multi-platform support. But it does require delivering a first working version before switching the default image (it will be a breaking change requiring a v2.x version of the image), unless we are able to add the Debian version alongside the actual Alpine one.

@barthel
Contributor

barthel commented Apr 28, 2023

> I know for a fact that @Poddingue also had the same issue for the Jenkins docker agent images as well (Alpine + JDK11/17 + armv7).

@dduportal Could you please point me to the issue or commit?
I could not find anything suitable until now.

@dduportal
Contributor

> > I know for a fact that @Poddingue also had the same issue for the Jenkins docker agent images as well (Alpine + JDK11/17 + armv7).
>
> @dduportal Could you please point me to the issue or commit? I could not find anything suitable until now.

Here it is: adoptium/containers#141 (s/Poddingue/gounthar/g I mixed the GitHub and email handles of Bruno, my bad)
