Closed wkoot closed 10 months ago
Hello @wkoot thanks a lot for taking the time to participate in the community.
For the vulnerabilities, even if the binaries are being detected as vulnerable, the actual container will run a single JAVA process that does not use those affected binaries.
We have an internal triaging process to be reactive in assessing and making sure the image is secure, with both analysis tools and pen tests. We would like to provide this information directly on the docker hub vulnerability page, but this is not possible at the moment.
We moved away from alpine because the JRE was compiled with musl instead of glibc, which causes huge errors when running on ARM64 architecture. (this is why 17-jre-alpine does not provide ARM).
I see that 21-jre does contain ARM64; we will see when SonarQube moves to Java 21.
This is a topic we have in mind, thanks a lot for providing community feedback on it.
Nonetheless, you should not expect a short-term change to the Dockerfile.
Let me know if this answers your question.
Regards,
Ok, that is good to know. Will SonarQube move to Java 21 directly, or is it more likely to be an earlier version? And is there already an issue for the Java upgrade, to keep track of as a blocker for this issue? Would it be an option to provide the alpine image with a warning regarding running on ARM64?
Regarding Java 21, here are the insights I have; there is no specific ticket.
Our development team is working on implementing full support for Java 21 in a future SonarQube release, but SonarQube 9.9 LTS will not be updated with Java 21 support.
We do not yet have a deadline or ETA for the release.
So far we have moved only from one Java LTS to the next; we will not use intermediate versions.
For the alpine image, I will add your feedback to our insights; if it grows enough it might be picked as a candidate.
So far you should not expect such an image to be released.
Best Regards
We're currently using Sonar 10.1; I see that Java 21 is planned for SonarQube 10.X LTS. Is there a timeframe for this LTS version, or perhaps for the feature to be implemented in a regular 10.X release? Would you accept pull requests on this public GitHub repo for an alpine base image?
9.9 LTS was released in February 2023, and we ship approximately an LTS per year.
Sadly we won't accept such a PR; everything under this repo should be releasable on Docker Hub. Releasing an alpine-based version is not something planned.
I will nonetheless put an insight into our product board to indicate that this might be a need from our users; the PM will take a look and consider it as a potential candidate for the backlog.
If the 10.X LTS is to be shipped in Q1 2024, will changes such as the Java upgrade be available on a regular 10.X release beforehand?
Probably not, as we won't have another major release between the recent 10.3 and 10.4. Java compatibility is a big effort that will be packed inside a major update.
Does that mean that version 10.4 will feature the LTS version, including Java 21?
It should, yes; nonetheless the schedule might change, so you should not take those words for granted.
All recent/latest/lts versions contain vulnerabilities; the lts version even has a critical vulnerability: https://hub.docker.com/layers/library/sonarqube/lts-enterprise/images/sha256-83717919a9a6a68c879316317f2d52048be5f228aa25c395b659b500f626050d?context=repo&tab=vulnerabilities
Please consider providing alpine versions of the container again; the upstream eclipse-temurin project provides these as well. Version 17-jre-alpine was pushed 2 days ago and does not contain vulnerabilities.