
Update amazoncorretto #10787

Closed
wants to merge 1 commit into from

Conversation

benty-amzn
Contributor

Corretto dockerfiles were updated to run updates at build time - see corretto-docker#67

@github-actions

Diff for cafc58c:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 893f047..c63834d 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,6 +1,6 @@
 Maintainers: Amazon Corretto Team <corretto-team@amazon.com> (@corretto), Dan Lutker <lutkerd@amazon.com> (@lutkerd), Ben Taylor <benty@amazon.com> (@benty-amzn), Clive Verghese <verghese@amazon.com> (@cliveverghese)
 GitRepo: https://github.com/corretto/corretto-docker.git
-GitCommit: 9dbaca385d16c9f6ff9b0eb5b71eccdeb19909f3
+GitCommit: 395b88a4404de1f027656d7e2d1b1a611116d8d8
 
 Tags: 8, 8u302, 8u302-al2, 8-al2-full, 8-al2-jdk, latest
 Architectures: amd64, arm64v8
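Review bot: The only change in this file is the GitCommit pin moving from 9dbaca385d16c9f6ff9b0eb5b71eccdeb19909f3 to 395b88a4404de1f027656d7e2d1b1a611116d8d8 while the tag list stays as it was; since the PR text points at corretto-docker#67 rather than at a commit, confirm that 395b88a is the merged state of that PR, because this pin is what bashbrew actually builds from and is the single line that would need to move back if the upstream change is reverted.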
diff --git a/amazoncorretto_11-al2-full/Dockerfile b/amazoncorretto_11-al2-full/Dockerfile
index fd7be2b..dd7f53e 100644
--- a/amazoncorretto_11-al2-full/Dockerfile
+++ b/amazoncorretto_11-al2-full/Dockerfile
@@ -1,5 +1,7 @@
 FROM amazonlinux:2
 
+RUN yum -y upgrade --security
+
 ARG version=11.0.12.7-1
 # In addition to installing the Amazon corretto, we also install
 # fontconfig. The folks who manage the docker hub's
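Review bot: `RUN yum -y upgrade --security` is its own layer with no cleanup afterwards, so the repository metadata yum downloads is baked into the image even if the install step later in the file runs `yum clean all` (a later layer cannot remove bytes from an earlier one). Its instruction text is also constant, so with build caching this layer is reused rather than re-run until the `FROM amazonlinux:2` layer itself changes, which is the same event that already triggers the official-image rebuild. If the upgrade is kept, fold it into the install `RUN` as `yum -y upgrade --security && yum -y install ... && yum clean all && rm -rf /var/cache/yum` so it re-executes with the version bump and cleans up inside the same layer.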
diff --git a/amazoncorretto_11-alpine-jdk/Dockerfile b/amazoncorretto_11-alpine-jdk/Dockerfile
index d7ee58a..40aa31b 100644
--- a/amazoncorretto_11-alpine-jdk/Dockerfile
+++ b/amazoncorretto_11-alpine-jdk/Dockerfile
@@ -2,6 +2,8 @@ FROM alpine:3.12
 
 ARG version=11.0.12.7.1
 
+RUN apk -U upgrade
+
 # Please note that the THIRD-PARTY-LICENSE could be out of date if the base image has been updated recently. 
 # The Corretto team will update this file but you may see a few days' delay.
 RUN wget -O /THIRD-PARTY-LICENSES-20200824.tar.gz https://corretto.aws/downloads/resources/licenses/alpine/THIRD-PARTY-LICENSES-20200824.tar.gz && \
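Review bot: `apk -U upgrade` refreshes the package index into /var/cache/apk/ and nothing in this layer removes it, so the index files end up in the image; the usual form is `apk --no-cache upgrade`, which fetches the index on the fly and writes nothing to the cache. The same caching point as for the AL2 files applies: a standalone `RUN` with fixed text is served from build cache on rebuilds and only actually runs again when `alpine:3.12` changes, so joining it to one of the later `RUN` steps would tie it to the version bump instead.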
diff --git a/amazoncorretto_16-al2-full/Dockerfile b/amazoncorretto_16-al2-full/Dockerfile
index 2b4286c..18d2f22 100644
--- a/amazoncorretto_16-al2-full/Dockerfile
+++ b/amazoncorretto_16-al2-full/Dockerfile
@@ -1,6 +1,9 @@
 FROM amazonlinux:2
 
 ARG version=16.0.2.7-1
+
+RUN yum -y upgrade --security
+
 # In addition to installing the Amazon corretto, we also install
 # fontconfig. The folks who manage the docker hub's
 # official image library have found that font management
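Review bot: The upgrade is inserted after `ARG version=16.0.2.7-1` here, whereas amazoncorretto_11-al2-full places it before `ARG version`; pick one placement for all the AL2 Dockerfiles in this PR so the layer order, and therefore the cache behaviour, is the same across variants.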
diff --git a/amazoncorretto_16-alpine-jdk/Dockerfile b/amazoncorretto_16-alpine-jdk/Dockerfile
index e88586f..90431a7 100644
--- a/amazoncorretto_16-alpine-jdk/Dockerfile
+++ b/amazoncorretto_16-alpine-jdk/Dockerfile
@@ -2,6 +2,8 @@ FROM alpine:3.12
 
 ARG version=16.0.2.7.1
 
+RUN apk -U upgrade
+
 # Please note that the THIRD-PARTY-LICENSE could be out of date if the base image has been updated recently. 
 # The Corretto team will update this file but you may see a few days' delay.
 RUN wget -O /THIRD-PARTY-LICENSES-20200824.tar.gz https://corretto.aws/downloads/resources/licenses/alpine/THIRD-PARTY-LICENSES-20200824.tar.gz && \
diff --git a/amazoncorretto_8-alpine-jdk/Dockerfile b/amazoncorretto_8-alpine-jdk/Dockerfile
index fd26c29..e0c932e 100644
--- a/amazoncorretto_8-alpine-jdk/Dockerfile
+++ b/amazoncorretto_8-alpine-jdk/Dockerfile
@@ -2,6 +2,8 @@ FROM alpine:3.12
 
 ARG version=8.302.08.1
 
+RUN apk -U upgrade
+
 # Please note that the THIRD-PARTY-LICENSE could be out of date if the base image has been updated recently. 
 # The Corretto team will update this file but you may see a few days' delay.
 RUN wget -O /THIRD-PARTY-LICENSES-20200824.tar.gz https://corretto.aws/downloads/resources/licenses/alpine/THIRD-PARTY-LICENSES-20200824.tar.gz && \
diff --git a/amazoncorretto_8u302-alpine-jre/Dockerfile b/amazoncorretto_8u302-alpine-jre/Dockerfile
index 9cc59b6..0d3b764 100644
--- a/amazoncorretto_8u302-alpine-jre/Dockerfile
+++ b/amazoncorretto_8u302-alpine-jre/Dockerfile
@@ -2,6 +2,8 @@ FROM alpine:3.12
 
 ARG version=8.302.08.1
 
+RUN apk -U upgrade
+
 # Please note that the THIRD-PARTY-LICENSE could be out of date if the base image has been updated recently. 
 # The Corretto team will update this file but you may see a few days' delay.
 RUN wget -O /THIRD-PARTY-LICENSES-20200824.tar.gz https://corretto.aws/downloads/resources/licenses/alpine/THIRD-PARTY-LICENSES-20200824.tar.gz && \
diff --git a/amazoncorretto_latest/Dockerfile b/amazoncorretto_latest/Dockerfile
index bcbf323..1352389 100644
--- a/amazoncorretto_latest/Dockerfile
+++ b/amazoncorretto_latest/Dockerfile
@@ -1,6 +1,9 @@
 FROM amazonlinux:2
 
 ARG version=1.8.0_302.b08-1
+
+RUN yum -y upgrade --security
+
 # In addition to installing the Amazon corretto, we also install
 # fontconfig. The folks who manage the docker hub's
 # official image library have found that font management

@yosifkit
Member

One of the reasons that the best practices said not to do apt-get upgrade in the Dockerfile was because of Official Images. We and Docker users in general needed a "best practices" for Dockerfiles and so items that were more relevant to the Official Images were also included in the general best practices.

In the beginning of docker containers and images, it was true that some packages could not be updated without running with --privileged. Since then, base images' initial packages were slimmed and packaging of most software has improved to not have that requirement.

"The maintainers of the base image should install security updates" is actually what the Official Images are supposed to provide:

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/tree/73f10b0daf2fb8e7b38efaccc0e90b3510919d51#why-does-my-security-scanner-show-that-an-image-has-cves


When apt/apk/yum upgrade is applied in a dependent image, it duplicates content of the base image, making the image larger than necessary. It also only delays the inevitable "there are outdated packages". The Official Images build pipeline makes heavy use of docker build cache, so that just rebuilding all of the Dockerfiles won't cause any unnecessary change. So we rely on periodic base image updates.

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves
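A check for the pattern discussed in the comment above, added here as an example and not code from this PR or from either project: it scans a Dockerfile for package-upgrade `RUN` layers that stand on their own (and so are reused from build cache instead of re-running) and for apk/yum/apt-get invocations that leave package index files in the layer. The two Dockerfile excerpts are constructed to resemble the hunks in this PR, and the download URL in them is a placeholder.

```python
import re
from typing import List

# Constructed Dockerfile excerpts shaped like the hunks in this PR (not the
# real files): a standalone upgrade layer, and the upgrade folded into install.
STANDALONE_SAMPLE = r"""FROM alpine:3.12
ARG version=11.0.12.7.1
RUN apk -U upgrade
RUN wget -O /tmp/licenses.tgz https://example.invalid/licenses.tgz
"""

FOLDED_SAMPLE = r"""FROM alpine:3.12
ARG version=11.0.12.7.1
RUN apk --no-cache upgrade && \
    apk add --no-cache fontconfig
"""

# A package-manager upgrade within a single shell command (no &&, ; or | crossed).
UPGRADE_RE = re.compile(r"\b(apk|yum|apt-get)\b[^&|;]*\bupgrade\b")

def run_instructions(dockerfile: str) -> List[str]:
    """Return the shell text of each RUN, with backslash line continuations joined."""
    joined = re.sub(r"\s*\\\s*\n\s*", " ", dockerfile)
    return [m.group(1).strip() for m in re.finditer(r"^RUN\s+(.*)$", joined, re.M)]

def lint_upgrade_layers(dockerfile: str) -> List[str]:
    """Flag upgrade layers that build cache will reuse and that leave index files behind."""
    findings = []
    for cmd in run_instructions(dockerfile):
        match = UPGRADE_RE.search(cmd)
        if not match:
            continue
        mgr = match.group(1)
        # A RUN that only upgrades has constant instruction text, so a cached
        # rebuild reuses the old layer and picks up no newer fixes.
        if not re.search(r"&&|\|\||;", cmd):
            findings.append(f"standalone upgrade layer (cached, goes stale): RUN {cmd}")
        # Index/metadata fetched here stays in this layer no matter what later layers delete.
        if mgr == "apk" and "--no-cache" not in cmd:
            findings.append(f"apk without --no-cache keeps the index in /var/cache/apk: RUN {cmd}")
        if mgr == "yum" and "clean all" not in cmd:
            findings.append(f"yum without 'yum clean all' keeps metadata in /var/cache/yum: RUN {cmd}")
        if mgr == "apt-get" and "/var/lib/apt/lists" not in cmd:
            findings.append(f"apt-get without clearing /var/lib/apt/lists keeps the index: RUN {cmd}")
    return findings

if __name__ == "__main__":
    for name, text in (("standalone", STANDALONE_SAMPLE), ("folded", FOLDED_SAMPLE)):
        print(name, lint_upgrade_layers(text) or "clean")
```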

@benty-amzn
Contributor Author

Your points all make sense, and we appreciate the feedback.

In this case, we've added the updates specifically to address a CVE in alpine:3.12 which has not been patched in the base image. Alpine has had #193 and #195 open for some time now, and the Corretto team has received customer requests to update our images to address this issue.

When the maintenance schedule of an official base image does not meet the needs of another official image, what is the best practice?

benty-amzn added a commit to corretto/corretto-docker that referenced this pull request Aug 26, 2021
@benty-amzn
Contributor Author

We've reverted this change to corretto-docker while we investigate other options.

@benty-amzn benty-amzn closed this Aug 26, 2021