NO-ISSUE: Fix security issues on images

Signed-off-by: Ricardo Zanini <[email protected]>
apache · Dec 23, 2024 · 6f31953 · 6f31953
1 parent c59b389
commit 6f31953
Show file tree

Hide file tree

Showing 24 changed files with 27 additions and 27 deletions.
diff --git a/examples/sonataflow-greeting/src/main/resources/application.properties b/examples/sonataflow-greeting/src/main/resources/application.properties
@@ -28,5 +28,5 @@ quarkus.native.native-image-xmx=8g
 %container.quarkus.container-image.registry=dev.local
 %container.quarkus.container-image.tag=1.0-SNAPSHOT
 %container.quarkus.jib.jvm-entrypoint=/home/kogito/kogito-app-launch.sh
-%container.quarkus.jib.base-jvm-image=registry.access.redhat.com/ubi9/openjdk-17:1.20
+%container.quarkus.jib.base-jvm-image=registry.access.redhat.com/ubi9/openjdk-17:1.21
 %container.quarkus.jib.working-directory=/home/kogito/bin
diff --git a/packages/cors-proxy-image/Containerfile b/packages/cors-proxy-image/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG CORS_PROXY_DEFAULT_PORT=8080
 ARG CORS_PROXY_DEFAULT_ORIGIN=*

diff --git a/packages/dashbuilder-viewer-image/Containerfile b/packages/dashbuilder-viewer-image/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 RUN microdnf --disableplugin=subscription-manager -y install httpd \
   && microdnf --disableplugin=subscription-manager clean all \

diff --git a/packages/dev-deployment-base-image/README.md b/packages/dev-deployment-base-image/README.md
@@ -21,9 +21,9 @@ Docker image with Java and Maven, as well as the dev-deployment-upload-service b
 
 ## Build arguments
 
-- `BUILDER_IMAGE_ARG`: The base image used for building this image (defaults to `registry.access.redhat.com/ubi9/openjdk-17:1.20`).
+- `BUILDER_IMAGE_ARG`: The base image used for building this image (defaults to `registry.access.redhat.com/ubi9/openjdk-17:1.21`).
   - Tested with:
-    - registry.access.redhat.com/ubi9/openjdk-17:1.20
+    - registry.access.redhat.com/ubi9/openjdk-17:1.21
     - icr.io/appcafe/ibm-semeru-runtimes:open-17-jdk-ubi-minimal
 
 ## Environment variables

diff --git a/packages/dev-deployment-base-image/env/index.js b/packages/dev-deployment-base-image/env/index.js
@@ -24,7 +24,7 @@ const rootEnv = require("@kie-tools/root-env/env");
 module.exports = composeEnv([rootEnv], {
   vars: varsWithName({
     DEV_DEPLOYMENT_BASE_IMAGE__builderImage: {
-      default: "registry.access.redhat.com/ubi9/openjdk-17:1.20",
+      default: "registry.access.redhat.com/ubi9/openjdk-17:1.21",
       description: "The image used in the FROM import.",
     },
     DEV_DEPLOYMENT_BASE_IMAGE__userId: {

diff --git a/packages/dev-deployment-dmn-form-webapp-image/Containerfile b/packages/dev-deployment-dmn-form-webapp-image/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG DEV_DEPLOYMENT_DMN_FORM_WEBAPP_DEFAULT_PORT=8081
 

diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-buildtime-install
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG DDUS_FILESERVER_IP=""
 ARG DDUS_VERSION="0.0.0"

diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-fileserver
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG DDUS_VERSION="0.0.0"
 

diff --git a/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install b/packages/dev-deployment-upload-service/dev/Containerfile.ddus-runtime-install
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ENV DDUS_FILESERVER_IP=""
 ENV DDUS_VERSION="0.0.0"

diff --git a/packages/kie-sandbox-extended-services-image/env/index.js b/packages/kie-sandbox-extended-services-image/env/index.js
@@ -28,7 +28,7 @@ const {
 module.exports = composeEnv([rootEnv], {
   vars: varsWithName({
     KIE_SANDBOX_EXTENDED_SERVICES__builderImage: {
-      default: "registry.access.redhat.com/ubi9/openjdk-17:1.20",
+      default: "registry.access.redhat.com/ubi9/openjdk-17:1.21",
       description: "The image used in the FROM import.",
     },
     KIE_SANDBOX_EXTENDED_SERVICES__imageRegistry: {

diff --git a/packages/kie-sandbox-webapp-image/Containerfile b/packages/kie-sandbox-webapp-image/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG KIE_SANDBOX_DEFAULT_PORT=8080
 

diff --git a/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml b/packages/kogito-base-builder-image/resources/incubator-kie-kogito-base-builder-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-base-builder"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17:1.19"
+from: "registry.access.redhat.com/ubi8/openjdk-17:1.21"
 description: "Image with JDK and Maven, used as a base image. It is used by Web Tools !"
 
 labels:

diff --git a/...data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml b/...data-index-ephemeral-image/resources/incubator-kie-kogito-data-index-ephemeral-image.yaml
@@ -18,7 +18,7 @@
 #
 name: "docker.io/apache/incubator-kie-kogito-data-index-ephemeral"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito Data Index Service for ephemeral PostgreSQL persistence provider"
 
 labels:

diff --git a/...ta-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml b/...ta-index-postgresql-image/resources/incubator-kie-kogito-data-index-postgresql-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-data-index-postgresql"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito Data Index Service for PostgreSQL persistence provider"
 
 labels:

diff --git a/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml b/packages/kogito-jit-runner-image/resources/incubator-kie-kogito-jit-runner-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-jit-runner"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito JIT Runner"
 
 labels:

diff --git a/...bs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml b/...bs-service-allinone-image/resources/incubator-kie-kogito-jobs-service-allinone-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-jobs-service-ephemeral"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito Jobs Service with all available jdbc providers"
 
 labels:

diff --git a/...-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml b/...-service-ephemeral-image/resources/incubator-kie-kogito-jobs-service-ephemeral-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-jobs-service-ephemeral"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito in memory Jobs Service"
 
 labels:

diff --git a/...ervice-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml b/...ervice-postgresql-image/resources/incubator-kie-kogito-jobs-service-postgresql-image.yaml
@@ -20,7 +20,7 @@ schema_version: 1
 
 name: "docker.io/apache/incubator-kie-kogito-jobs-service-postgresql"
 version: "main"
-from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.20"
+from: "registry.access.redhat.com/ubi8/openjdk-17-runtime:1.21"
 description: "Runtime image for Kogito Jobs Service based on Postgresql"
 
 labels:

diff --git a/packages/kogito-management-console/Containerfile b/packages/kogito-management-console/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 ARG KOGITO_MANAGEMENT_CONSOLE_PORT=8080
 

diff --git a/packages/maven-m2-repo-via-http-image/Containerfile b/packages/maven-m2-repo-via-http-image/Containerfile
@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.4
+FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi-minimal:9.5
 
 # Argument for configuring the port
 ARG PORT=80

diff --git a/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml b/packages/sonataflow-builder-image/resources/incubator-kie-sonataflow-builder-image.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 - name: builder
-  from: "registry.access.redhat.com/ubi8/openjdk-17:1.19"
+  from: "registry.access.redhat.com/ubi8/openjdk-17:1.21"
   version: "main"
   modules:
     repositories:
@@ -34,7 +34,7 @@
       - name: org.kie.sonataflow.common.build
 
 - name: "docker.io/apache/incubator-kie-sonataflow-builder"
-  from: "registry.access.redhat.com/ubi8/openjdk-17:1.19"
+  from: "registry.access.redhat.com/ubi8/openjdk-17:1.21"
   version: "main"
   description: "Kogito Serverless Workflow base builder with Quarkus extensions libraries preinstalled"
 

diff --git a/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml b/packages/sonataflow-devmode-image/resources/incubator-kie-sonataflow-devmode-image.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 - name: builder
-  from: "registry.access.redhat.com/ubi8/openjdk-17:1.19"
+  from: "registry.access.redhat.com/ubi8/openjdk-17:1.21"
   version: "main"
   modules:
     repositories:
@@ -37,7 +37,7 @@
     manager: microdnf
 
 - name: "docker.io/apache/incubator-kie-sonataflow-devmode"
-  from: "registry.access.redhat.com/ubi8/openjdk-17:1.19"
+  from: "registry.access.redhat.com/ubi8/openjdk-17:1.21"
   version: "main"
   description: "Kogito Serverless Workflow development mode with Quarkus extensions libraries preinstalled"
 

diff --git a/...management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml b/...management-console-image/resources/incubator-kie-sonataflow-management-console-image.yaml
@@ -17,7 +17,7 @@
 # under the License.
 #
 - name: "docker.io/apache/incubator-kie-sonataflow-devmode"
-  from: "registry.access.redhat.com/ubi9/httpd-24:1-336.1725850633"
+  from: "registry.access.redhat.com/ubi9/httpd-24:9.5"
   version: "0.0.0"
   description: "SonataFlow Management Console Image"
 

diff --git a/packages/sonataflow-operator/images/manager.yaml b/packages/sonataflow-operator/images/manager.yaml
@@ -33,7 +33,7 @@
 
 - name: sonataflow-operator
   version: 0.0.0
-  from: "registry.access.redhat.com/ubi9/ubi-micro:9.5-1731519709"
+  from: "registry.access.redhat.com/ubi9/ubi-micro:9.5"
   description: Runtime Image for the Operator
 
   args: