
Fix docker vulnerabilities in tomcat layer #34

Closed
HugoVeillette opened this issue Aug 16, 2020 · 7 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@HugoVeillette

Hi,

Using "openltablets/ws:5.23.5", the FROM clause (tomcat:9.0.30-jdk11) pulls a total of 15 vulnerabilities marked as high.
Using "9.0-jdk11-openjdk-slim" (equivalent to tomcat:9.0.37-jdk11-openjdk-slim) has 0 vulnerabilities.

My suggestion is to update the docker files respectively for the WS and Webstudio and change the "From" clause to "9.0-jdk11-openjdk-slim".
This would ensure that:

  • We ingest minor fixes (non-breaking changes) for Tomcat, such as vulnerability fixes (the same way it is currently done for jdk11), every time we pull.
  • We remove unnecessary dependencies such as perl, python and curl, which are not required for the OpenL project, by using the "slim" tag.

Additionally, running a scan in the build pipeline (such as aquasec/trivy) would provide some level of awareness.

@yurkom
Member

yurkom commented Aug 17, 2020

Updating Tomcat to v9.0.37 has been covered by EPBDS-10064 in 3498c3a

@yurkom
Member

yurkom commented Aug 17, 2020

@HugoVeillette,

Thank you for pointing out the issue. Docker images for OpenL v5.23.5 have been updated. Could you check? openltablets/ws:5.23.5

As for the '-slim' version of the images, it is not compatible with the libraries used in OpenL, because they use components which are absent in the slim images.

Anyway, I will research how to remove needless components from the OpenL images to further reduce possible vulnerabilities.

Regards,
Yury

@HugoVeillette
Author

HugoVeillette commented Aug 17, 2020

Hi @yurkom, using trivy,
docker run aquasec/trivy --severity "HIGH,CRITICAL" openltablets/ws:5.23.5
we are down from 15 to 4 CVEs (marked high severity).

Python 2.7 remains an area of concern (CVE-2020-8492).
Do you rely on python? Seems like we don't need it at runtime.

My suggestion would be to start from SLIM and then only add what you need to build the image, combined with housekeeping of the utilities used to build the image before publishing the layer.

Keep me posted.

Hugo
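The pipeline scan suggested in the opening post and the trivy invocation in the comment above, turned into a CI gate as an added example (this is not code from the thread or from the OpenL project). It assumes the shape of trivy's JSON report, where each finding carries a "Severity" and a "VulnerabilityID" field; the embedded report is constructed, and the image name, the package versions and the second CVE id in it are placeholders.

```shell
#!/bin/sh
# Added example: fail a CI job when a trivy JSON report contains HIGH or
# CRITICAL findings. Assumptions: trivy emits one finding per object with
# "Severity" and "VulnerabilityID" keys; thresholds and names are placeholders.

# Count findings of one severity in a trivy JSON report.
# $1 = report file, $2 = severity name (HIGH, CRITICAL, ...).
# grep -c prints 0 but exits 1 when nothing matches, so the exit status is
# swallowed to keep "set -e" callers alive.
count_severity() {
    grep -c "\"Severity\": \"$2\"" "$1" || true
}

# Return 0 when the report has at most $2 HIGH+CRITICAL findings (default 0),
# 1 otherwise. The summary line is printed for the CI log.
gate_report() {
    report="$1"
    allowed="${2:-0}"
    high=$(count_severity "$report" HIGH)
    critical=$(count_severity "$report" CRITICAL)
    total=$((high + critical))
    echo "HIGH=$high CRITICAL=$critical total=$total allowed=$allowed"
    [ "$total" -le "$allowed" ]
}

# List the vulnerability ids in the report so a failed gate is actionable.
# Because the scan is run with --severity HIGH,CRITICAL, only those ids appear.
list_blocking_ids() {
    grep -o '"VulnerabilityID": "[^"]*"' "$1" | sed 's/.*: "//; s/"$//'
}

# Scan an image the way the thread does, but emit JSON for the gate.
# Needs Docker and network access; it is not exercised in the offline demo.
scan_image() {
    docker run --rm aquasec/trivy --format json --severity "HIGH,CRITICAL" "$1"
}

# Constructed sample report standing in for trivy's output. CVE-2020-8492
# is the python2.7 finding mentioned in this thread; the rest is placeholder.
write_sample_report() {
    cat > "$1" <<'EOF'
[
  {
    "Target": "example/ws:PLACEHOLDER (debian 10)",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-8492",
        "PkgName": "python2.7",
        "InstalledVersion": "PLACEHOLDER",
        "Severity": "HIGH"
      },
      {
        "VulnerabilityID": "CVE-0000-0002",
        "PkgName": "example-pkg",
        "InstalledVersion": "PLACEHOLDER",
        "FixedVersion": "PLACEHOLDER",
        "Severity": "CRITICAL"
      }
    ]
  }
]
EOF
}

# Offline demo: write the constructed report and run the gate with a zero
# threshold. A real pipeline would pipe scan_image into the report file instead.
DEMO_REPORT=$(mktemp)
write_sample_report "$DEMO_REPORT"
if gate_report "$DEMO_REPORT" 0; then
    echo "gate passed"
else
    echo "gate blocked the build on:"
    list_blocking_ids "$DEMO_REPORT"
fi
rm -f "$DEMO_REPORT"
```

In a pipeline, replace the constructed report with `scan_image "$IMAGE" > report.json` and call `gate_report report.json` as the last step before pushing the image. The gate only sees what the scan returns, so keep the same `--severity` filter on the scan and on the gate.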

@yurkom
Member

yurkom commented Aug 18, 2020

@vlablack

Could you test slim images for:

  • openltablets/ws:5.23.5
  • openltablets/ws:5.23.5-all
  • openltablets/webstudio:5.23.5
  • openltablets/demo:5.23.5

For -jre8 as well.

@vpikus
Member

vpikus commented Aug 18, 2020

@yurkom, openltablets/webstudio:5.23.5 and openltablets/demo:5.23.5 don't work with openjdk-slim because some required libs are missing:

Caused by: java.lang.UnsatisfiedLinkError: /usr/local/openjdk-11/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
    at java.lang.ClassLoader$NativeLibrary.load0(Native Method) ~[?:?]
    at java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2442) ~[?:?]
    at java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2498) ~[?:?]
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2694) ~[?:?]
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:2648) ~[?:?]
    at java.lang.Runtime.loadLibrary0(Runtime.java:830) ~[?:?]
    at java.lang.System.loadLibrary(System.java:1873) ~[?:?]
    at sun.font.FontManagerNativeLibrary$1.run(FontManagerNativeLibrary.java:57) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at sun.font.FontManagerNativeLibrary.<clinit>(FontManagerNativeLibrary.java

fontconfig isn't supported by slim openjdk: docker-library/openjdk#333 (comment)

openltablets/ws:5.23.5 and openltablets/ws:5.23.5-all are working fine and I've faced no issues.

@vpikus
Member

vpikus commented Aug 18, 2020

@HugoVeillette I've upgraded the tomcat version to 9.0.37-jdk11-openjdk-slim for the openltablets/ws:5.23.5 and openltablets/ws:5.23.5-all images and uploaded them to Docker Hub.
The count of vulnerabilities decreased from 4 to 0.

@HugoVeillette
Author

@vlablack thank you.

@yurkom yurkom added the dependencies Pull requests that update a dependency file label Jan 20, 2022