eclipse-temurin:17-jre-alpine vulnerabilities

[zopahima]

eclipse-temurin:17-jre-alpine image contains multiple old vulnerabilities, is there any plan to address them in the near future? when can expected to get a patched version?
vul scan taken by trivy scanner.

[karianna]

The base layer gets updated by DockerHub (so you'll need to report to them), you can also tdnf update in the mean time.

[zopahima]

@karianna Already did it, I was referred to adoptium.
See - docker/roadmap#675

[omni-htg]

@zopahima As you can see in DockerHub, the last alpine:3.19 was built 5 months ago, and the image eclipse-temurin:17-jre-alpine you're pointing to was built after that using the latest 17.0.11+9 version.
So unless there's an update to alpine 3.19 or a new openjdk version, the image is not getting updated.
Perhaps the folks at Alpine could see this and trigger a bump on 3.19, give them a try.

EDIT: Apologies, it seems that alpine:3.20 has already been merged into temurin so it's only a matter of time until it gets to DockerHub.

[karianna]

@karianna Already did it, I was referred to adoptium. See - docker/roadmap#675

I think that's a different place to DockerHub - but I appreciate that this is frustrating, we need a better round robin policy here.

[zopahima]

@omni-htg Thanks!! Where can I track alpine merges into temurin? How can I track when it gets into DockerHub?