plantuml / plantuml-server

PlantUML Online Server
https://plantuml.com/
GNU General Public License v3.0

Update dependencies (security updates) #281

Closed HeinrichAD closed 1 year ago

HeinrichAD commented 1 year ago

Short: update maven artifacts and docker base image (as well as reduce their image size). This PR also closes #253, which mentioned that the currently used jetty version is vulnerable.

Update maven artifacts

Docker

There were some base image and naming changes for the jetty and tomcat images plantuml-server uses. Therefore, plantuml-server uses a rather old and vulnerable image, since there are no updates according to the old naming scheme.

HeinrichAD commented 1 year ago

As a hint as to why the update could be quite important (I used trivy for the analysis):

Jetty

Current available docker image online

plantuml/plantuml-server:jetty (debian 11.2)
============================================
Total: 516 (UNKNOWN: 6, LOW: 314, MEDIUM: 90, HIGH: 90, CRITICAL: 16)

After the update

plantuml-server:jetty-local (ubuntu 22.04)
==========================================
Total: 23 (UNKNOWN: 0, LOW: 20, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

Tomcat

Current available docker image online

plantuml/plantuml-server:tomcat (debian 11.4)
=============================================
Total: 499 (UNKNOWN: 6, LOW: 313, MEDIUM: 84, HIGH: 87, CRITICAL: 9)

After the update

plantuml-server:tomcat-local (ubuntu 22.04)
===========================================
Total: 23 (UNKNOWN: 0, LOW: 20, MEDIUM: 3, HIGH: 0, CRITICAL: 0)
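Added example, not code from this PR or from the plantuml-server project: a small POSIX shell gate that reads the `Total: N (UNKNOWN: …, LOW: …, MEDIUM: …, HIGH: …, CRITICAL: …)` summary line from trivy's table output and fails a build when HIGH or CRITICAL counts exceed a limit. The two summary lines embedded below are constructed from the figures quoted in the comments above; the function names and thresholds are this example's own.

```shell
#!/bin/sh
# Added example (not from the plantuml-server PR): gate a CI step on the
# summary line trivy prints in table mode, e.g.
#   Total: 516 (UNKNOWN: 6, LOW: 314, MEDIUM: 90, HIGH: 90, CRITICAL: 16)
# Real usage (assumed): trivy image plantuml/plantuml-server:jetty | trivy_gate 0 0

# Constructed inputs, taken from the before/after figures in the comments.
BEFORE_SUMMARY='Total: 516 (UNKNOWN: 6, LOW: 314, MEDIUM: 90, HIGH: 90, CRITICAL: 16)'
AFTER_SUMMARY='Total: 23 (UNKNOWN: 0, LOW: 20, MEDIUM: 3, HIGH: 0, CRITICAL: 0)'

# Print the count for one severity ($1, e.g. HIGH) found in the summary
# line read from stdin. Prints nothing if the severity is absent.
severity_count() {
    sed -n "s/.*$1: \([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Read trivy output from stdin; return 0 when HIGH <= $1 and CRITICAL <= $2,
# 1 otherwise. A missing summary line is treated as a failure, not a pass,
# so a broken or truncated scan cannot slip through as "clean".
trivy_gate() {
    max_high=$1
    max_crit=$2
    summary=$(grep '^Total: ' | head -n 1)
    if [ -z "$summary" ]; then
        echo "trivy_gate: no 'Total:' summary line found in input" >&2
        return 1
    fi
    high=$(printf '%s\n' "$summary" | severity_count HIGH)
    crit=$(printf '%s\n' "$summary" | severity_count CRITICAL)
    high=${high:-0}
    crit=${crit:-0}
    if [ "$high" -le "$max_high" ] && [ "$crit" -le "$max_crit" ]; then
        echo "trivy_gate: PASS (HIGH=$high CRITICAL=$crit)"
        return 0
    fi
    echo "trivy_gate: FAIL (HIGH=$high CRITICAL=$crit, limits HIGH<=$max_high CRITICAL<=$max_crit)" >&2
    return 1
}

# Demo on the constructed summaries: the old image fails, the updated one passes.
for s in "$BEFORE_SUMMARY" "$AFTER_SUMMARY"; do
    if printf '%s\n' "$s" | trivy_gate 0 0; then
        echo "  -> image acceptable"
    else
        echo "  -> image rejected"
    fi
done
```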