Skip to content

Update dependencies to make scanners happy#779

Merged
wendigo merged 7 commits into
mainfrom
serafin/cves
Oct 9, 2025
Merged

Update dependencies to make scanners happy#779
wendigo merged 7 commits into
mainfrom
serafin/cves

Conversation

@wendigo
Copy link
Copy Markdown
Contributor

@wendigo wendigo commented Oct 8, 2025
edited
Loading

Description

This doesn't address any exploitable CVE but makes scanners happy :)

Before:

NAME                INSTALLED                FIXED IN                                            TYPE          VULNERABILITY        SEVERITY  EPSS           RISK   
mina-core           2.2.3                    2.2.4                                               java-archive  GHSA-76h9-2vwh-w278  Critical  36.5% (96th)   34.3   
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-7264        Low       7.1% (91st)    2.9    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-7264        Low       7.1% (91st)    2.9    
shadow-utils        2:4.9-12.el9                                                                 rpm           CVE-2024-56433       Low       3.6% (87th)    1.2    
tar                 2:1.34-7.el9             (won't fix)                                         rpm           CVE-2005-2541        Medium    1.5% (80th)    0.9    
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-9681        Low       0.6% (67th)    0.2    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-9681        Low       0.6% (67th)    0.2    
openssl-libs        1:3.2.2-6.el9_5.1        (won't fix)                                         rpm           CVE-2024-41996       Low       0.4% (62nd)    0.2    
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-11053       Low       0.3% (55th)    0.1    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-11053       Low       0.3% (55th)    0.1    
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-30749       High      0.2% (39th)    0.1    
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-50106       High      0.2% (39th)    0.1    
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2024-34459       Low       0.2% (43rd)    < 0.1  
glib2               2.68.4-16.el9_6.2                                                            rpm           CVE-2023-32636       Low       0.2% (38th)    < 0.1  
jetty-http2-common  12.0.23                  12.0.25                                             java-archive  GHSA-mmxm-8w33-wc4h  High      < 0.1% (22nd)  < 0.1  
openjdk             24+36                    11.0.28, 17.0.16, 21.0.8, *24.0.2                   binary        CVE-2025-50059       High      < 0.1% (21st)  < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-1632        Low       0.2% (36th)    < 0.1  
commons-lang3       3.15.0                   3.18.0                                              java-archive  GHSA-j288-q9x7-2f5v  Medium    < 0.1% (20th)  < 0.1  
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2025-9086        Medium    < 0.1% (22nd)  < 0.1  
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2025-9086        Medium    < 0.1% (22nd)  < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2024-13176       Low       < 0.1% (26th)  < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2023-45322       Low       < 0.1% (23rd)  < 0.1  
openjdk             24+36                    1.8.0_452, 8.0.452, 11.0.27, 17.0.15, *24.0.1, ...  binary        CVE-2025-21587       High      < 0.1% (12th)  < 0.1  
openjdk             24+36                    1.8.0_452, 8.0.452, 11.0.27, 17.0.15, *24.0.1, ...  binary        CVE-2025-30698       Medium    < 0.1% (17th)  < 0.1  
tar                 2:1.34-7.el9                                                                 rpm           CVE-2025-45582       Medium    < 0.1% (14th)  < 0.1  
systemd-libs        252-51.el9_6.2                                                               rpm           CVE-2025-4598        Medium    < 0.1% (16th)  < 0.1  
pcre2               10.40-6.el9                                                                  rpm           CVE-2022-41409       Low       < 0.1% (19th)  < 0.1  
pcre2-syntax        10.40-6.el9                                                                  rpm           CVE-2022-41409       Low       < 0.1% (19th)  < 0.1  
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-30754       Medium    < 0.1% (14th)  < 0.1  
ncurses-base        6.2-10.20210508.el9_6.2                                                      rpm           CVE-2023-50495       Low       < 0.1% (15th)  < 0.1  
ncurses-libs        6.2-10.20210508.el9_6.2                                                      rpm           CVE-2023-50495       Low       < 0.1% (15th)  < 0.1  
libatomic           11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
libgcc              11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
libstdc++           11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
tar                 2:1.34-7.el9                                                                 rpm           CVE-2023-39804       Low       < 0.1% (20th)  < 0.1  
glib2               2.68.4-16.el9_6.2                                                            rpm           CVE-2025-3360        Low       < 0.1% (19th)  < 0.1  
openjdk             24+36                    21.0.7, *24.0.1                                     binary        CVE-2025-30691       Medium    < 0.1% (10th)  < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-27113       Low       < 0.1% (18th)  < 0.1  
gawk                5.1.0-6.el9                                                                  rpm           CVE-2023-4156        Low       < 0.1% (7th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9230        Medium    < 0.1% (5th)   < 0.1  
coreutils-single    8.32-39.el9                                                                  rpm           CVE-2025-5278        Medium    < 0.1% (5th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9232        Low       < 0.1% (7th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9231        Medium    < 0.1% (2nd)   < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-9714        Medium    < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5916        Low       < 0.1% (4th)   < 0.1  
sqlite-libs         3.34.1-8.el9_6                                                               rpm           CVE-2024-0232        Low       < 0.1% (3rd)   < 0.1  
libarchive          3.5.3-6.el9_6            (won't fix)                                         rpm           CVE-2023-30571       Medium    < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5918        Low       < 0.1% (3rd)   < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-6170        Low       < 0.1% (4th)   < 0.1  
gnupg2              2.3.3-4.el9                                                                  rpm           CVE-2022-3219        Low       < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5917        Low       < 0.1% (3rd)   < 0.1  
gnupg2              2.3.3-4.el9                                                                  rpm           CVE-2025-30258       Low       < 0.1% (2nd)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5915        Low       < 0.1% (1st)   < 0.1

After:

NAME              INSTALLED            FIXED IN     TYPE  VULNERABILITY   SEVERITY  EPSS           RISK   
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-5535   Low       7.8% (91st)    3.5    
curl              8.9.1-5.el10                      rpm   CVE-2024-7264   Low       7.1% (91st)    2.9    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-7264   Low       7.1% (91st)    2.9    
shadow-utils      2:4.15.0-5.el10                   rpm   CVE-2024-56433  Low       3.6% (87th)    1.2    
tar               2:1.35-7.el10        (won't fix)  rpm   CVE-2005-2541   Medium    1.5% (80th)    0.9    
curl              8.9.1-5.el10                      rpm   CVE-2024-6197   Medium    1.3% (78th)    0.7    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-6197   Medium    1.3% (78th)    0.7    
openssl-libs      1:3.2.2-16.el10_0.4  (won't fix)  rpm   CVE-2024-41996  Low       0.4% (62nd)    0.2    
libtasn1          4.20.0-1.el10                     rpm   CVE-2024-12133  Medium    0.3% (56th)    0.2    
curl              8.9.1-5.el10                      rpm   CVE-2024-11053  Low       0.3% (55th)    0.1    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-11053  Low       0.3% (55th)    0.1    
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-4741   Low       0.1% (33rd)    < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-4603   Low       < 0.1% (26th)  < 0.1  
curl              8.9.1-5.el10                      rpm   CVE-2025-9086   Medium    < 0.1% (22nd)  < 0.1  
libcurl           8.9.1-5.el10                      rpm   CVE-2025-9086   Medium    < 0.1% (22nd)  < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-13176  Low       < 0.1% (26th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5987   Medium    < 0.1% (18th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5987   Medium    < 0.1% (18th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5318   Medium    < 0.1% (17th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5318   Medium    < 0.1% (17th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5372   Medium    < 0.1% (17th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5372   Medium    < 0.1% (17th)  < 0.1  
tar               2:1.35-7.el10                     rpm   CVE-2025-45582  Medium    < 0.1% (14th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5351   Medium    < 0.1% (11th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5351   Medium    < 0.1% (11th)  < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2025-9230   Medium    < 0.1% (5th)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-8277   Low       < 0.1% (12th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-8277   Low       < 0.1% (12th)  < 0.1  
curl              8.9.1-5.el10                      rpm   CVE-2025-10148  Low       < 0.1% (8th)   < 0.1  
libcurl           8.9.1-5.el10                      rpm   CVE-2025-10148  Low       < 0.1% (8th)   < 0.1  
coreutils         9.5-6.el10                        rpm   CVE-2025-5278   Medium    < 0.1% (5th)   < 0.1  
coreutils-common  9.5-6.el10                        rpm   CVE-2025-5278   Medium    < 0.1% (5th)   < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2025-9232   Low       < 0.1% (7th)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-8114   Medium    < 0.1% (3rd)   < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-8114   Medium    < 0.1% (3rd)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-4878   Low       < 0.1% (3rd)   < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-4878   Low       < 0.1% (3rd)   < 0.1

Additional context and related issues

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.
(X) Release notes are required, with the following suggested text:

* Use UBI10 micro as base Docker image

Summary by Sourcery

Upgrade Docker build environment to use UBI10 images and refactor JDK handling, and update key Maven dependencies to satisfy vulnerability scanners.

Enhancements:

  • Upgrade base and build Docker images to UBI10 (ubi-micro and ubi) and switch to multi-stage builds with a packages overlay stage for runtime dependencies
  • Refactor build.sh and Dockerfile to rename JDK_VERSION to JDK_RELEASE_NAME and simplify Temurin JDK download URL construction, removing API-based release name lookup
  • Bump Maven dependencies: Jetty to 12.0.25, Airlift Units to 1.12, and Apache Mina Core to 2.2.4

@cla-bot cla-bot Bot added the cla-signed label Oct 8, 2025
@sourcery-ai
Copy link
Copy Markdown

sourcery-ai Bot commented Oct 8, 2025
edited
Loading

Reviewer's Guide

This PR updates the Docker build process to use UBI10 images and a new JDK release naming approach, refactors package installation in the Dockerfile with an overlay stage, and bumps key Maven dependencies to satisfy security scanners.

Flow diagram for new JDK release name handling in build.sh and Dockerfile

flowchart TD
    A["Read .java-version"] --> B["Set JDK_RELEASE_NAME variable"]
    B --> C["Pass JDK_RELEASE_NAME to Docker build args"]
    C --> D["Dockerfile uses JDK_RELEASE_NAME for JAVA_HOME and JDK download URL"]
Loading

File-Level Changes

Change Details Files
Bump base and build images to UBI10 and rename JDK version variable
  • Default base image changed from ubi9/ubi-minimal to ubi10/ubi-micro, and build image added
  • Renamed JDK_VERSION to JDK_RELEASE_NAME in build.sh and build arguments
  • Updated Docker build commands to use JDK_RELEASE_NAME and adjusted temurin_jdk_link calls
 docker/build.sh
docker/Dockerfile
Refactor Dockerfile package installation with overlay stage
  • Replaced microdnf commands with dnf
  • Introduced a 'packages' stage that installs required utilities into /tmp/overlay
  • Merged overlay into final image and removed cache files
 docker/Dockerfile
Upgrade Maven dependencies to fixed versions
  • Bumped io.airlift:units from 1.10 to 1.12
  • Upgraded org.apache.mina:mina-core to 2.2.4
  • Updated Jetty dependency version to 12.0.25
 pom.xml

Possibly linked issues

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@wendigo wendigo requested review from mosabua and oneonestar October 8, 2025 09:57
sourcery-ai[bot]
sourcery-ai Bot reviewed Oct 8, 2025
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • The build.sh usage/help text still refers to JDK_VERSION—please update it to mention JDK_RELEASE_NAME so the flags and logs stay consistent.
  • The temurin_jdk_link function signature and body no longer match (it no longer queries the API)—consider simplifying its parameters or renaming the function to avoid confusion.
  • In the jdk-download stage you’ve switched to dnf, but UBI10 micro supports microdnf; consider using microdnf there to keep the image lean.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- The build.sh usage/help text still refers to JDK_VERSION—please update it to mention JDK_RELEASE_NAME so the flags and logs stay consistent.
- The temurin_jdk_link function signature and body no longer match (it no longer queries the API)—consider simplifying its parameters or renaming the function to avoid confusion.
- In the jdk-download stage you’ve switched to dnf, but UBI10 micro supports microdnf; consider using microdnf there to keep the image lean.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@wendigo
Copy link
Copy Markdown
Contributor Author

wendigo commented Oct 8, 2025

@mosabua ptal :)

@oneonestar
Copy link
Copy Markdown
Member

oneonestar commented Oct 9, 2025

Look like the scanners don't like *-minimal.
Will it be better to use ubi directly for runtime, instead of copy & overwrite a bunch of libs from from ubi to ubi-micro?

@wendigo
Copy link
Copy Markdown
Contributor Author

wendigo commented Oct 9, 2025

@oneonestar the copy is the way you add packages to micro which lacks package manager

@wendigo wendigo merged commit dba5d27 into main Oct 9, 2025
3 checks passed
@github-actions github-actions Bot added this to the 17 milestone Oct 9, 2025
@mosabua mosabua deleted the serafin/cves branch October 11, 2025 22:59
@mosabua mosabua mentioned this pull request Nov 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@oneonestar oneonestar oneonestar approved these changes

@mosabua mosabua Awaiting requested review from mosabua

Assignees

No one assigned

Labels

cla-signed

Milestone

17

Development

Successfully merging this pull request may close these issues.

2 participants

@wendigo @oneonestar