OS vulnerabilities in paketobuildpacks/builder-jammy-tiny:0.0.206 (latest)

[syedyusufh]

Hello. Tried building a Spring Boot native image and found a good number of OS vulnerabilities reported in paketobuildpacks/builder-jammy-tiny:0.0.206

Kindly suggest a way forward as Spring Boot AOT native image can be built via Paketo build pack only.

[robdimsdale]

Looks like the automation to keep the stack up to date in the builder got stuck: paketo-buildpacks/builder-jammy-tiny#279 (review)

Once that's merged, you can expect a new builder with an up-to-date stack to be released automatically.

[syedyusufh]

Thanks for the quick help, really a valuable one for us.

Sorry if this is a basic question. Is there a way the underlying OS can be easily replaced, say like alpine in place of ubuntu?

[robdimsdale]

no, we don't support alpine stacks. We support four variations of the ubuntu 22.04 (jammy) OS: full, base, tiny, and static, in decreasing order of number of packages.

You're using the tiny stack which has a very small footprint and is comparable to alpine. You could try using the static stack if you want essentially no packages, but that doesn't have libc so unless you're statically linking your binaries it's unlikely to work for you.

[robdimsdale]

https://github.com/paketo-buildpacks/builder-jammy-tiny/releases/tag/v0.0.207 was just released with the most recent OS images and buildpacks

[syedyusufh]

Thanks again