wintwoo closed 2 years ago
Note this PR does not remove the older versions of sbt (which include the vulnerable log4j versions). Removing the older sbt versions should be considered. The 'latest' tag points to sbt-1.6.2.
LGTM, and thank you for the contribution!
Please confirm that you have successfully built the new image and provide details on what test(s) you have run to confirm correctness.
@bendory I've removed the old sbt versions per our discussion.
Container builds successfully, output of `gcloud container images list-tags gcr.io/<my-project>/scala-sbt`:
DIGEST TAGS TIMESTAMP
9cbd344d3462 1.6.2-jdk-8,latest 2022-03-03T22:12:59
Check sbt version using `docker run -it --entrypoint /bin/bash gcr.io/<my-project>/scala-sbt:latest -c "cd /tmp && sbt sbtVersion"`
[info] [launcher] getting org.scala-sbt sbt 1.6.2 (this may take some time)...
[info] [launcher] getting Scala 2.12.15 (for sbt)...
[info] Updated file /tmp/project/build.properties: set sbt.version to 1.6.2
[info] welcome to sbt 1.6.2 (Oracle Corporation Java 1.8.0_275)
[info] loading project definition from /tmp/project
[info] Updating
https://repo1.maven.org/maven2/jline/jline/2.14.6/jline-2.14.6.pom
100.0% [##########] 19.4 KiB (44.8 KiB / s)
[info] Resolved dependencies
[info] Fetching artifacts of
https://repo1.maven.org/maven2/jline/jline/2.14.6/jline-2.14.6.jar
100.0% [##########] 262.5 KiB (511.7 KiB / s)
[info] Fetched artifacts of
[info] set current project to tmp (in build file:/tmp/)
[info] 1.6.2
Building a test project using the container:
Step #0: Digest: sha256:9cbd344d34624bf12fc6e1f35b5bb658caf6f9a4e74408555562fccaa8761c80
Step #0: Status: Downloaded newer image for gcr.io/<my-project>/scala-sbt:latest
Step #0: gcr.io/<my-project>/scala-sbt:latest
Step #0: [info] [launcher] getting org.scala-sbt sbt 1.6.2 (this may take some time)...
...
Step #0: [info] welcome to sbt 1.6.2 (Oracle Corporation Java 1.8.0_275)
sbt >=1.6.1 currently updates log4j 2 to 2.17.1, which fixes multiple log4j CVEs.
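One way to confirm the statement above inside a built image is to scan sbt's caches for any log4j-core jar older than 2.17.1. This is an added example, not part of the PR or the project's own tooling; the function names are hypothetical, and it assumes Maven-style file names (`log4j-core-<version>.jar`), so jars repackaged inside other archives are not detected.

```shell
#!/bin/sh
# Minimum acceptable log4j 2 version, from the page's note on sbt >= 1.6.1.
MIN_LOG4J="2.17.1"

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Missing components count as 0, so 2.17 compares equal to 2.17.0.
version_lt() {
    a_rest="$1." b_rest="$2."
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}; b=${b_rest%%.*}
        a_rest=${a_rest#*.}; b_rest=${b_rest#*.}
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
    done
    return 1  # versions are equal
}

# find_old_log4j DIR: print every log4j-core jar under DIR whose file-name
# version is below MIN_LOG4J. Returns 0 when none is found, 1 otherwise.
find_old_log4j() {
    found=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        ver=$(basename "$jar" .jar)
        ver=${ver#log4j-core-}
        # Drop qualifiers such as "-beta9"; only the numeric part is compared.
        ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
        if version_lt "$ver" "$MIN_LOG4J"; then
            printf 'BELOW %s: %s\n' "$MIN_LOG4J" "$jar"
            found=1
        fi
    done <<EOF
$(find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort)
EOF
    [ "$found" -eq 0 ]
}

# Stand-alone use: pass the directory to scan (for example the home
# directory of the user that runs sbt in the image) as the first argument.
if [ "$#" -gt 0 ]; then
    find_old_log4j "$1"
fi
```

A non-zero exit status means at least one jar below the minimum was found, which makes the function usable as a build step that fails the image build.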