Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump bellsoft/liberica-openjre-alpine from 17.0.12 to 23-38 in /docker-jans-persistence-loader #9525

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 19, 2024

Bumps bellsoft/liberica-openjre-alpine from 17.0.12 to 23-38.

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
bellsoft/liberica-openjre-alpine [>= 21.pre.37.a, < 22]
bellsoft/liberica-openjre-alpine [>= 20.pre.37.a, < 21]
bellsoft/liberica-openjre-alpine [>= 19.pre.37.a, < 20]
bellsoft/liberica-openjre-alpine [>= 18.pre.37.a, < 19]

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps bellsoft/liberica-openjre-alpine from 17.0.12 to 23-38.

---
updated-dependencies:
- dependency-name: bellsoft/liberica-openjre-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added docker Pull requests that update Docker code kind-dependencies Pull requests that update a dependency file labels Sep 19, 2024
Copy link

DryRun Security Summary

The provided code changes update the Docker image for the "jans-persistence-loader" component, including updating the base image, performing Alpine Linux package updates, synchronizing configuration assets from a Git repository, installing Python dependencies, setting environment variables, and disabling a key regeneration feature, all with a focus on security-oriented improvements.

Expand for full summary

Summary:

The provided code changes are related to updating the Docker image for the "jans-persistence-loader" component. The changes include updating the base image to a newer version of the Java runtime, performing Alpine Linux package updates, synchronizing configuration assets from a Git repository, installing Python dependencies, setting environment variables, and disabling a key regeneration feature.

From an application security perspective, the most important aspects to review are the secure management of the source code repository, the review of Python dependencies for known vulnerabilities, the handling of environment variables to ensure no sensitive information is exposed, and the impact of the configuration changes on the overall security of the application. Overall, the changes seem to be security-oriented, but it's essential to carefully review the specific details to ensure that no security vulnerabilities are introduced.

Files Changed:

  • docker-jans-persistence-loader/Dockerfile: The changes in this file include:
    1. Updating the base image from "bellsoft/liberica-openjre-alpine:17.0.12" to "bellsoft/liberica-openjre-alpine:23-38", which likely includes the latest security patches and bug fixes for the Java runtime.
    2. Performing an update and upgrade of the Alpine Linux packages to ensure the latest security patches are applied.
    3. Cloning a Git repository and checking out a specific commit to fetch various configuration files, scripts, and templates. This process should be carefully reviewed to ensure the source repository and the specific commit are trusted and do not contain any malicious content.
    4. Installing Python dependencies from a "requirements.txt" file, which should be reviewed for known vulnerabilities.
    5. Setting various environment variables related to configuration adapters, caching, and other settings. These environment variables should be carefully reviewed to ensure they do not contain any sensitive information.
    6. Disabling the "keyRegenerationEnabled" feature in the "jans-auth-config.json" file, which should be reviewed to understand the impact on the overall security of the application.
    7. Creating a non-root user with UID 1000 and setting appropriate permissions, which is a good security practice.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@iromli
Copy link
Contributor

iromli commented Sep 26, 2024

The suggested version is incompatible.

@dependabot ignore this major version

@dependabot dependabot bot closed this Sep 26, 2024
Copy link
Contributor Author

dependabot bot commented on behalf of github Sep 26, 2024

OK, I won't notify you about version 23-38.x.x again, unless you re-open this PR.

@dependabot dependabot bot deleted the dependabot/docker/docker-jans-persistence-loader/bellsoft/liberica-openjre-alpine-23-38 branch September 26, 2024 20:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docker Pull requests that update Docker code kind-dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant