Description
Component(s)
auto-instrumentation
Describe the issue you're reporting
The javaagent.go (link) component is doing an injection step that runs the cp command at least once, but perhaps several times, from inside the container. This strongly implies that the cp command is available in the container, which prevents distributions from publishing scratch images containing only the agent jar file (and/or extensions). As a result, java agent distributions are required to use FROM busybox or another (linux) distribution, which brings a set of binaries.
This unnecessarily exposes java agent images to vulnerabilities for which the java agent isn't directly related related. This may also make windows compatibility more challenging if cp is required.
I don't know kubernetes operators well enough right now to suggest how this might be addressed, but would appreciate it if we can give this some consideration. Thanks!