Updates to java 8.422.05 and latest maven

Fixes #93

Signed-off-by: Adrian Cole <[email protected]>

.github/workflows/deploy.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

.github/workflows/security.yml

@@ -0,0 +1,59 @@
+---
+name: security
+
+# We don't scan documentation-only commits.
+on:  # yamllint disable-line rule:truthy
+  push:  # non-tagged pushes to master
+    branches:
+      - master
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+  pull_request:  # pull requests targeted at the master branch.
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+      - './build-bin/*lint'
+      - ./build-bin/mlc_config.json
+
+jobs:
+  security:
+    name: security
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
+    # skip commits made by the release plugin
+    if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        name: Cache Trivy Database
+        with:
+          path: .trivy
+          key: ${{ runner.os }}-trivy
+          restore-keys: ${{ runner.os }}-trivy
+      - name: Run Trivy vulnerability and secret scanner
+        uses: aquasecurity/trivy-action@master
+        id: trivy
+        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'  # scan the entire repository
+          scanners: vuln,secret
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          output: trivy-report.md
+          cache-dir: .trivy
+      - name: Set Summary
+        shell: bash
+        if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
+        # Add the Trivy report to the summary
+        #
+        # Note: This will cause a workflow error if trivy-report.md > the step
+        # limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
+        run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY

.github/workflows/test.yml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

Dockerfile

@@ -11,11 +11,11 @@ ARG docker_parent_image=ghcr.io/openzipkin/alpine:3.20.2
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.
 # COPY --from= works around the issue.
-FROM scratch as code
+FROM scratch AS code
 
 COPY . /code/
 
-FROM $docker_parent_image as base
+FROM $docker_parent_image AS base
 
 # java_version is hard-coded here to allow the following to work:
 #  * `docker build https://github.com/openzipkin/docker-java.git`
@@ -24,7 +24,7 @@ FROM $docker_parent_image as base
 #  * Use current version from https://pkgs.alpinelinux.org/packages?name=openjdk8
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=8.402.06
+ARG java_version=8.422.05
 ARG java_home=/usr/lib/jvm/java-1.8-openjdk
 LABEL java-version=$java_version
 LABEL java-home=$java_home
@@ -39,17 +39,17 @@ WORKDIR /java
 ENTRYPOINT ["java", "-jar"]
 
 # The JDK image includes a few build utilities and Maven
-FROM base as jdk
+FROM base AS jdk
 LABEL org.opencontainers.image.description="OpenJDK on Alpine Linux"
-ARG java_version=8.402.06
-ARG maven_version=3.9.8
+ARG java_version=8.422.05
+ARG maven_version=3.9.9
 LABEL maven-version=$maven_version
 
 COPY --from=code /code/install.sh .
 RUN ./install.sh $java_version $maven_version && rm install.sh
 
 # Our JRE image is minimal: Only Alpine, libc6-compat and a JRE
-FROM base as jre
+FROM base AS jre
 LABEL org.opencontainers.image.description="OpenJDK JRE provided by IcedTea on Alpine Linux"
 
 # Finalize JRE install:

README.md

@@ -15,27 +15,25 @@ This is an internal base layer primarily used in [zipkin](https://github.com/ope
 
 To try the image, run the `java -version` command:
 ```bash
-docker run --rm ghcr.io/openzipkin/java:8.402.06 -version
-openjdk version "1.8.0_402"
-OpenJDK Runtime Environment (IcedTea 3.30.0) (Alpine 8.402.06-r0)
-OpenJDK 64-Bit Server VM (build 25.402-b06, mixed mode)
+openjdk version "1.8.0_422"
+OpenJDK Runtime Environment (IcedTea 3.32.0) (Alpine 8.422.05-r0)
+OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
 ```
 
 ## Release process
 Build the `Dockerfile` using the current version without the revision classifier from here:
  * https://pkgs.alpinelinux.org/packages?name=openjdk8
 ```bash
-# Note 8.402.06 not 8.402.06-r1!
-./build-bin/build 8.402.06
+# Note 8.422.05 not 8.422.05-r1!
+./build-bin/build 8.422.05
 ```
 
 Next, verify the built image matches that version:
 ```bash
-docker run --rm openzipkin/java:test -version
-openjdk version "1.8.0_402"
-OpenJDK Runtime Environment (IcedTea 3.30.0) (Alpine 8.402.06-r0)
-OpenJDK 64-Bit Server VM (build 25.402-b06, mixed mode)
+openjdk version "1.8.0_422"
+OpenJDK Runtime Environment (IcedTea 3.32.0) (Alpine 8.422.05-r0)
+OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
 ```
 
-To release the image, push a tag matching the arg to `build-bin/build` (ex `8.402.06`).
+To release the image, push a tag matching the arg to `build-bin/build` (ex `8.422.05`).
 This triggers a [GitHub Actions](https://github.com/openzipkin/docker-java/actions) job to push the image.

install.sh

@@ -49,5 +49,5 @@ apache_backup_mirror=https://downloads.apache.org/
 (wget ${apache_mirror}${maven_dist_path} || wget ${apache_backup_mirror}${maven_dist_path}) | tar xz --strip=1 -C maven
 ln -s ${PWD}/maven/bin/mvn /usr/bin/mvn
 
-mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.4.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
-mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.7.1:get -Dmdep.skip
+mvn -q --batch-mode org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=maven.version -q -DforceStdout || maybe_log_crash
+mvn -q --batch-mode org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get -Dmdep.skip