
SpringBoot native image to use builder-noble-java-tiny instead of builder-jammy-java-tiny #43960

Closed
patpatpat123 opened this issue Jan 24, 2025 · 2 comments
Labels
status: duplicate A duplicate of another issue

Comments

@patpatpat123

Hello team,

just wanted to reach out regarding the base image of a native image.

It was announced here https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.4-Release-Notes#paketo-tiny-builder-for-building-oci-images that, since 3.4.0, the default base image for building a native image is paketobuildpacks/builder-jammy-java-tiny.

Would it be possible to use paketobuildpacks/builder-noble-java-tiny instead?

Rationale and justification

1 - Vulnerability:
Our company has business licenses for many container scanning tools.
Here is the scan result for something built using the default, paketobuildpacks/builder-jammy-java-tiny.
(By something, I mean from the plain Hello World SpringBoot app, pet clinic, all the way to very complex springboot apps)

Preparing to submit image for scanning...
✔️	Image Uploaded for Scanning
Scan results ready! Gathering...
✔️	Vulnerability report received:
		 3 Critical
		 16 High
		 18 Medium
		 4 Low
		 1 Negligible
		 1 Unknown
✔️	License report
Global Content Checks. Policy is applied to all scans as part of Product Security Guidance

CVE-2022-1292 CVE-2022-2068 CVE-2024-5535

Here is the result for something built using paketobuildpacks/builder-noble-java-tiny.

Preparing to submit image for scanning...
✔️	Image Uploaded for Scanning
Scan results ready! Gathering...
✔️	Vulnerability report received:
		 1 Critical
		 2 High
		 2 Medium
		 6 Low
		 1 Negligible
		 2 Unknown
Global Content Checks. Policy is applied to all scans as part of Product Security Guidance

CVE-2024-5535

The latest version of Ubuntu has fewer vulnerabilities.

2 - Noble over Jammy
It has been officially announced that Jammy systems should upgrade to Noble.

With the above two justifications, could you please weigh whether it would make sense to use the most up-to-date base image instead of paketobuildpacks/builder-jammy-java-tiny?

Thank you
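Until the default changes, the builder can be overridden per project. The fragment below is an added example for the Spring Boot Maven plugin (not from the issue or the Spring Boot project), showing the 3.4 default beside the Noble override; the plugin's `<image><builder>` setting and the `spring-boot.build-image.builder` property are documented plugin options, while the `native` profile is assumed to come from spring-boot-starter-parent as described in the Spring Boot docs.

```xml
<!-- pom.xml excerpt (added example). Builds with: mvn -Pnative spring-boot:build-image -->
<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <configuration>
        <image>
          <!-- Spring Boot 3.4 default when nothing is set (Jammy / Ubuntu 22.04 base):
               <builder>paketobuildpacks/builder-jammy-java-tiny</builder>
               Override to the Noble (Ubuntu 24.04) tiny builder instead: -->
          <builder>paketobuildpacks/builder-noble-java-tiny</builder>
          <!-- Pin the image name so scanner results can be tied to a specific build -->
          <name>${project.artifactId}:${project.version}</name>
        </image>
      </configuration>
    </plugin>
  </plugins>
</build>
<!-- The same override without editing the POM, on the command line:
       mvn -Pnative spring-boot:build-image \
           -Dspring-boot.build-image.builder=paketobuildpacks/builder-noble-java-tiny
     Gradle equivalent (build.gradle.kts):
       tasks.bootBuildImage { builder.set("paketobuildpacks/builder-noble-java-tiny") } -->
```

After the build, `pack inspect <image>` reports the builder and run image actually used, which is the value worth checking before re-running the scanner.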

@philwebb
Member

I don't think we can upgrade in the 3.4.x line. We're considering our options for 3.5.x (see #42711)

@philwebb philwebb added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 24, 2025
@patpatpat123
Author

thank you
