RealCLanger
Contributor

This updates the source Dockerfiles for SapMachine.

It basically contains two fixes:

  1. Trigger build of Alpine-based images by inserting a dependency on the nss lib. This should remove the vulnerability.
  2. Fix entry point for JRE images

@RealCLanger RealCLanger requested a review from a team as a code owner August 11, 2025 06:15

Diff for 38d715c:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index ca32639..bd39d55 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -14,19 +14,19 @@ GitCommit: 8d84d8ee2e839d8f5f923978ff4446704318120f
 Directory: dockerfiles/11/ubuntu/22_04/jdk-headless
 
 Tags: 11-jre, 11-jre-ubuntu, 11.0.28-jre, 11.0.28-jre-ubuntu, 11-jre-ubuntu-noble, 11-jre-ubuntu-24.04, 11.0.28-jre-ubuntu-noble, 11.0.28-jre-ubuntu-24.04
-GitCommit: 8d84d8ee2e839d8f5f923978ff4446704318120f
+GitCommit: fe73fbcedcbaed0232d7276f2901aebe33e347fc
 Directory: dockerfiles/11/ubuntu/24_04/jre
 
 Tags: 11-jre-headless, 11-jre-headless-ubuntu, 11.0.28-jre-headless, 11.0.28-jre-headless-ubuntu, 11-jre-headless-ubuntu-noble, 11-jre-headless-ubuntu-24.04, 11.0.28-jre-headless-ubuntu-noble, 11.0.28-jre-headless-ubuntu-24.04
-GitCommit: 8d84d8ee2e839d8f5f923978ff4446704318120f
+GitCommit: fe73fbcedcbaed0232d7276f2901aebe33e347fc
 Directory: dockerfiles/11/ubuntu/24_04/jre-headless
 
 Tags: 11-jre-headless-ubuntu-jammy, 11-jre-headless-ubuntu-22.04, 11.0.28-jre-headless-ubuntu-jammy, 11.0.28-jre-headless-ubuntu-22.04
-GitCommit: 8d84d8ee2e839d8f5f923978ff4446704318120f
+GitCommit: fe73fbcedcbaed0232d7276f2901aebe33e347fc
 Directory: dockerfiles/11/ubuntu/22_04/jre-headless
 
 Tags: 11-jre-ubuntu-jammy, 11-jre-ubuntu-22.04, 11.0.28-jre-ubuntu-jammy, 11.0.28-jre-ubuntu-22.04
-GitCommit: 8d84d8ee2e839d8f5f923978ff4446704318120f
+GitCommit: fe73fbcedcbaed0232d7276f2901aebe33e347fc
 Directory: dockerfiles/11/ubuntu/22_04/jre
 
 Tags: 11-ubuntu-jammy, 11-ubuntu-22.04, 11-jdk-ubuntu-jammy, 11-jdk-ubuntu-22.04, 11.0.28-ubuntu-jammy, 11.0.28-ubuntu-22.04, 11.0.28-jdk-ubuntu-jammy, 11.0.28-jdk-ubuntu-22.04
@@ -39,11 +39,11 @@ GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
 Directory: dockerfiles/17/ubuntu/24_04/jdk
 
 Tags: 17-alpine, 17.0.16-alpine, 17-jdk-alpine, 17.0.16-jdk-alpine, 17-alpine-3.22, 17-jdk-alpine-3.22, 17.0.16-alpine-3.22, 17.0.16-jdk-alpine-3.22
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/alpine/3_22/jdk
 
 Tags: 17-alpine-3.21, 17-jdk-alpine-3.21, 17.0.16-alpine-3.21, 17.0.16-jdk-alpine-3.21
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/alpine/3_21/jdk
 
 Tags: 17-jdk-headless, 17-jdk-headless-ubuntu, 17.0.16-jdk-headless, 17.0.16-jdk-headless-ubuntu, 17-jdk-headless-ubuntu-noble, 17-jdk-headless-ubuntu-24.04, 17.0.16-jdk-headless-ubuntu-noble, 17.0.16-jdk-headless-ubuntu-24.04
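Review bot: the two Alpine JDK entries in this hunk (`dockerfiles/17/alpine/3_22/jdk` and `dockerfiles/17/alpine/3_21/jdk`) move to 874b809 although the JDK Dockerfiles in this diff change nothing except the extra `nss` on the `apk add` line, so the bump only alters the build context to force a rebuild. State that per entry in the description, or split the rebuild trigger from the JRE `CMD` fix into its own change so it can be accepted or dropped separately.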
@@ -58,30 +58,30 @@ Directory: dockerfiles/17/ubuntu/22_04/jdk-headless
 
 Tags: 17-jre, 17-jre-ubuntu, 17.0.16-jre, 17.0.16-jre-ubuntu, 17-jre-ubuntu-noble, 17-jre-ubuntu-24.04, 17.0.16-jre-ubuntu-noble, 17.0.16-jre-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/ubuntu/24_04/jre
 
 Tags: 17-jre-alpine, 17.0.16-jre-alpine, 17-jre-alpine-3.22, 17.0.16-jre-alpine-3.22
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/alpine/3_22/jre
 
 Tags: 17-jre-alpine-3.21, 17.0.16-jre-alpine-3.21
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/alpine/3_21/jre
 
 Tags: 17-jre-headless, 17-jre-headless-ubuntu, 17.0.16-jre-headless, 17.0.16-jre-headless-ubuntu, 17-jre-headless-ubuntu-noble, 17-jre-headless-ubuntu-24.04, 17.0.16-jre-headless-ubuntu-noble, 17.0.16-jre-headless-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/ubuntu/24_04/jre-headless
 
 Tags: 17-jre-headless-ubuntu-jammy, 17-jre-headless-ubuntu-22.04, 17.0.16-jre-headless-ubuntu-jammy, 17.0.16-jre-headless-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/ubuntu/22_04/jre-headless
 
 Tags: 17-jre-ubuntu-jammy, 17-jre-ubuntu-22.04, 17.0.16-jre-ubuntu-jammy, 17.0.16-jre-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 81ccc83d83e0714d37e84c84ee487f390cb2d4ce
+GitCommit: 874b80982a0c001fd11cb6638e5fcb6fe4cfb21f
 Directory: dockerfiles/17/ubuntu/22_04/jre
 
 Tags: 17-ubuntu-jammy, 17-ubuntu-22.04, 17-jdk-ubuntu-jammy, 17-jdk-ubuntu-22.04, 17.0.16-ubuntu-jammy, 17.0.16-ubuntu-22.04, 17.0.16-jdk-ubuntu-jammy, 17.0.16-jdk-ubuntu-22.04
@@ -96,20 +96,20 @@ Directory: dockerfiles/21/ubuntu/24_04/jdk-headless
 
 Tags: 21-jre, 21-jre-ubuntu, 21.0.8-jre, 21.0.8-jre-ubuntu, lts-jre-ubuntu, lts-jre-ubuntu-noble, lts-jre-ubuntu-24.04, 21-jre-ubuntu-noble, 21-jre-ubuntu-24.04, 21.0.8-jre-ubuntu-noble, 21.0.8-jre-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/ubuntu/24_04/jre
 
 Tags: 21-jre-headless, 21-jre-headless-ubuntu, 21.0.8-jre-headless, 21.0.8-jre-headless-ubuntu, lts-jre-headless-ubuntu, lts-jre-headless-ubuntu-noble, lts-jre-headless-ubuntu-24.04, 21-jre-headless-ubuntu-noble, 21-jre-headless-ubuntu-24.04, 21.0.8-jre-headless-ubuntu-noble, 21.0.8-jre-headless-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/ubuntu/24_04/jre-headless
 
 Tags: alpine, jdk-alpine, 24-alpine, 24.0.2-alpine, 24-jdk-alpine, 24.0.2-jdk-alpine, alpine-3.22, jdk-alpine-3.22, 24-alpine-3.22, 24-jdk-alpine-3.22, 24.0.2-alpine-3.22, 24.0.2-jdk-alpine-3.22
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/alpine/3_22/jdk
 
 Tags: alpine-3.21, jdk-alpine-3.21, 24-alpine-3.21, 24-jdk-alpine-3.21, 24.0.2-alpine-3.21, 24.0.2-jdk-alpine-3.21
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/alpine/3_21/jdk
 
 Tags: jdk-headless, jdk-headless-ubuntu, 24-jdk-headless, 24-jdk-headless-ubuntu, 24.0.2-jdk-headless, 24.0.2-jdk-headless-ubuntu, jdk-headless-ubuntu-noble, jdk-headless-ubuntu-24.04, 24-jdk-headless-ubuntu-noble, 24-jdk-headless-ubuntu-24.04, 24.0.2-jdk-headless-ubuntu-noble, 24.0.2-jdk-headless-ubuntu-24.04
@@ -124,30 +124,30 @@ Directory: dockerfiles/24/ubuntu/22_04/jdk-headless
 
 Tags: jre, jre-ubuntu, 24-jre, 24-jre-ubuntu, 24.0.2-jre, 24.0.2-jre-ubuntu, jre-ubuntu-noble, jre-ubuntu-24.04, 24-jre-ubuntu-noble, 24-jre-ubuntu-24.04, 24.0.2-jre-ubuntu-noble, 24.0.2-jre-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/ubuntu/24_04/jre
 
 Tags: jre-alpine, 24-jre-alpine, 24.0.2-jre-alpine, jre-alpine-3.22, 24-jre-alpine-3.22, 24.0.2-jre-alpine-3.22
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/alpine/3_22/jre
 
 Tags: jre-alpine-3.21, 24-jre-alpine-3.21, 24.0.2-jre-alpine-3.21
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/alpine/3_21/jre
 
 Tags: jre-headless, jre-headless-ubuntu, 24-jre-headless, 24-jre-headless-ubuntu, 24.0.2-jre-headless, 24.0.2-jre-headless-ubuntu, jre-headless-ubuntu-noble, jre-headless-ubuntu-24.04, 24-jre-headless-ubuntu-noble, 24-jre-headless-ubuntu-24.04, 24.0.2-jre-headless-ubuntu-noble, 24.0.2-jre-headless-ubuntu-24.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/ubuntu/24_04/jre-headless
 
 Tags: jre-headless-ubuntu-jammy, jre-headless-ubuntu-22.04, 24-jre-headless-ubuntu-jammy, 24-jre-headless-ubuntu-22.04, 24.0.2-jre-headless-ubuntu-jammy, 24.0.2-jre-headless-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/ubuntu/22_04/jre-headless
 
 Tags: jre-ubuntu-jammy, jre-ubuntu-22.04, 24-jre-ubuntu-jammy, 24-jre-ubuntu-22.04, 24.0.2-jre-ubuntu-jammy, 24.0.2-jre-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 7c561e5b3845d2d64659cef30adf35abfe9b1407
+GitCommit: 051d757d530f478f382196a670e172a334c3f3cc
 Directory: dockerfiles/24/ubuntu/22_04/jre
 
 Tags: latest, ubuntu, jdk, jdk-ubuntu, 24, 24-ubuntu, 24.0.2, 24.0.2-ubuntu, 24-jdk, 24-jdk-ubuntu, 24.0.2-jdk, 24.0.2-jdk-ubuntu, ubuntu-noble, ubuntu-24.04, jdk-ubuntu-noble, jdk-ubuntu-24.04, 24-ubuntu-noble, 24-ubuntu-24.04, 24-jdk-ubuntu-noble, 24-jdk-ubuntu-24.04, 24.0.2-ubuntu-noble, 24.0.2-ubuntu-24.04, 24.0.2-jdk-ubuntu-noble, 24.0.2-jdk-ubuntu-24.04
@@ -161,11 +161,11 @@ GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
 Directory: dockerfiles/21/ubuntu/24_04/jdk
 
 Tags: lts-alpine, 21-alpine, 21.0.8-alpine, lts-jdk-alpine, 21-jdk-alpine, 21.0.8-jdk-alpine, lts-alpine-3.22, lts-jdk-alpine-3.22, 21-alpine-3.22, 21-jdk-alpine-3.22, 21.0.8-alpine-3.22, 21.0.8-jdk-alpine-3.22
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/alpine/3_22/jdk
 
 Tags: lts-alpine-3.21, lts-jdk-alpine-3.21, 21-alpine-3.21, 21-jdk-alpine-3.21, 21.0.8-alpine-3.21, 21.0.8-jdk-alpine-3.21
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/alpine/3_21/jdk
 
 Tags: lts-jdk-headless-ubuntu-jammy, lts-jdk-headless-ubuntu-22.04, 21-jdk-headless-ubuntu-jammy, 21-jdk-headless-ubuntu-22.04, 21.0.8-jdk-headless-ubuntu-jammy, 21.0.8-jdk-headless-ubuntu-22.04
@@ -174,21 +174,21 @@ GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
 Directory: dockerfiles/21/ubuntu/22_04/jdk-headless
 
 Tags: lts-jre-alpine, 21-jre-alpine, 21.0.8-jre-alpine, lts-jre-alpine-3.22, 21-jre-alpine-3.22, 21.0.8-jre-alpine-3.22
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/alpine/3_22/jre
 
 Tags: lts-jre-alpine-3.21, 21-jre-alpine-3.21, 21.0.8-jre-alpine-3.21
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/alpine/3_21/jre
 
 Tags: lts-jre-headless-ubuntu-jammy, lts-jre-headless-ubuntu-22.04, 21-jre-headless-ubuntu-jammy, 21-jre-headless-ubuntu-22.04, 21.0.8-jre-headless-ubuntu-jammy, 21.0.8-jre-headless-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/ubuntu/22_04/jre-headless
 
 Tags: lts-jre-ubuntu-jammy, lts-jre-ubuntu-22.04, 21-jre-ubuntu-jammy, 21-jre-ubuntu-22.04, 21.0.8-jre-ubuntu-jammy, 21.0.8-jre-ubuntu-22.04
 Architectures: amd64, arm64v8, ppc64le
-GitCommit: 91e51ca6dbafe13fd8779addc7bd182899f48c4d
+GitCommit: 989c1beedf97fc313bd38094ba546c58edd44f74
 Directory: dockerfiles/21/ubuntu/22_04/jre
 
 Tags: lts-ubuntu-jammy, lts-ubuntu-22.04, lts-jdk-ubuntu-jammy, lts-jdk-ubuntu-22.04, 21-ubuntu-jammy, 21-ubuntu-22.04, 21-jdk-ubuntu-jammy, 21-jdk-ubuntu-22.04, 21.0.8-ubuntu-jammy, 21.0.8-ubuntu-22.04, 21.0.8-jdk-ubuntu-jammy, 21.0.8-jdk-ubuntu-22.04
diff --git a/sapmachine_11.0.28-jre-headless-ubuntu-22.04/Dockerfile b/sapmachine_11.0.28-jre-headless-ubuntu-22.04/Dockerfile
index 583ed49..98094c7 100644
--- a/sapmachine_11.0.28-jre-headless-ubuntu-22.04/Dockerfile
+++ b/sapmachine_11.0.28-jre-headless-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-11
 
-CMD ["jshell"]
+CMD ["bash"]
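Review bot: on the changed last line, the description calls this an entry point fix, but the hunk changes `CMD`, not `ENTRYPOINT`, so only the default command moves from `jshell` to `bash`. Reword the description to say "default command", and consider a one-line comment above `CMD ["bash"]` noting that `jshell` is a JDK tool and is not shipped in the JRE, so a later sync with the JDK Dockerfiles does not reintroduce it.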
diff --git a/sapmachine_11.0.28-jre-headless-ubuntu-24.04/Dockerfile b/sapmachine_11.0.28-jre-headless-ubuntu-24.04/Dockerfile
index e0e83cf..f10ac2c 100644
--- a/sapmachine_11.0.28-jre-headless-ubuntu-24.04/Dockerfile
+++ b/sapmachine_11.0.28-jre-headless-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-11
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_11.0.28-jre-ubuntu-22.04/Dockerfile b/sapmachine_11.0.28-jre-ubuntu-22.04/Dockerfile
index db93ed1..a4d88db 100644
--- a/sapmachine_11.0.28-jre-ubuntu-22.04/Dockerfile
+++ b/sapmachine_11.0.28-jre-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-11
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_11.0.28-jre-ubuntu-24.04/Dockerfile b/sapmachine_11.0.28-jre-ubuntu-24.04/Dockerfile
index 37bab2b..efdaa3c 100644
--- a/sapmachine_11.0.28-jre-ubuntu-24.04/Dockerfile
+++ b/sapmachine_11.0.28-jre-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-11
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_17.0.16-jdk-alpine-3.21/Dockerfile b/sapmachine_17.0.16-jdk-alpine-3.21/Dockerfile
index 625024f..15f1f59 100644
--- a/sapmachine_17.0.16-jdk-alpine-3.21/Dockerfile
+++ b/sapmachine_17.0.16-jdk-alpine-3.21/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-17-jdk=17.0.16-r0
+    apk add nss sapmachine-17-jdk=17.0.16-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-17-sapmachine-jdk
 
diff --git a/sapmachine_17.0.16-jdk-alpine-3.22/Dockerfile b/sapmachine_17.0.16-jdk-alpine-3.22/Dockerfile
index 7e32545..739c088 100644
--- a/sapmachine_17.0.16-jdk-alpine-3.22/Dockerfile
+++ b/sapmachine_17.0.16-jdk-alpine-3.22/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-17-jdk=17.0.16-r0
+    apk add nss sapmachine-17-jdk=17.0.16-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-17-sapmachine-jdk
 
diff --git a/sapmachine_17.0.16-jre-alpine-3.21/Dockerfile b/sapmachine_17.0.16-jre-alpine-3.21/Dockerfile
index acf0626..2059189 100644
--- a/sapmachine_17.0.16-jre-alpine-3.21/Dockerfile
+++ b/sapmachine_17.0.16-jre-alpine-3.21/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-17-jre=17.0.16-r0
+    apk add nss sapmachine-17-jre=17.0.16-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-17-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
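Review bot: the added `nss` on the `apk add` line is unversioned while `sapmachine-17-jre=17.0.16-r0` is pinned, and nothing in the Dockerfile says why the package is there. If it is only a rebuild trigger, add a comment saying so and naming the condition for removing it; if the JRE needs it at run time, declare it as a dependency of the sapmachine apk package instead. The hunk also carries the unrelated `CMD ["jshell"]` to `CMD ["sh"]` fix, which is easier to review and revert in its own commit.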
diff --git a/sapmachine_17.0.16-jre-alpine-3.22/Dockerfile b/sapmachine_17.0.16-jre-alpine-3.22/Dockerfile
index 667de18..3855e87 100644
--- a/sapmachine_17.0.16-jre-alpine-3.22/Dockerfile
+++ b/sapmachine_17.0.16-jre-alpine-3.22/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-17-jre=17.0.16-r0
+    apk add nss sapmachine-17-jre=17.0.16-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-17-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
diff --git a/sapmachine_17.0.16-jre-headless-ubuntu-22.04/Dockerfile b/sapmachine_17.0.16-jre-headless-ubuntu-22.04/Dockerfile
index 142f292..925bb33 100644
--- a/sapmachine_17.0.16-jre-headless-ubuntu-22.04/Dockerfile
+++ b/sapmachine_17.0.16-jre-headless-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-17
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_17.0.16-jre-headless-ubuntu-24.04/Dockerfile b/sapmachine_17.0.16-jre-headless-ubuntu-24.04/Dockerfile
index c42680b..fe477a9 100644
--- a/sapmachine_17.0.16-jre-headless-ubuntu-24.04/Dockerfile
+++ b/sapmachine_17.0.16-jre-headless-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-17
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_17.0.16-jre-ubuntu-22.04/Dockerfile b/sapmachine_17.0.16-jre-ubuntu-22.04/Dockerfile
index 8ca6519..f55303f 100644
--- a/sapmachine_17.0.16-jre-ubuntu-22.04/Dockerfile
+++ b/sapmachine_17.0.16-jre-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-17
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_17.0.16-jre-ubuntu-24.04/Dockerfile b/sapmachine_17.0.16-jre-ubuntu-24.04/Dockerfile
index 3903c18..4141edf 100644
--- a/sapmachine_17.0.16-jre-ubuntu-24.04/Dockerfile
+++ b/sapmachine_17.0.16-jre-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-17
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_21.0.8-jdk-alpine-3.21/Dockerfile b/sapmachine_21.0.8-jdk-alpine-3.21/Dockerfile
index 56252a7..5a38296 100644
--- a/sapmachine_21.0.8-jdk-alpine-3.21/Dockerfile
+++ b/sapmachine_21.0.8-jdk-alpine-3.21/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-21-jdk=21.0.8-r0
+    apk add nss sapmachine-21-jdk=21.0.8-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-21-sapmachine-jdk
 
diff --git a/sapmachine_21.0.8-jdk-alpine-3.22/Dockerfile b/sapmachine_21.0.8-jdk-alpine-3.22/Dockerfile
index 1cca077..5c98ab2 100644
--- a/sapmachine_21.0.8-jdk-alpine-3.22/Dockerfile
+++ b/sapmachine_21.0.8-jdk-alpine-3.22/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-21-jdk=21.0.8-r0
+    apk add nss sapmachine-21-jdk=21.0.8-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-21-sapmachine-jdk
 
diff --git a/sapmachine_21.0.8-jre-alpine-3.21/Dockerfile b/sapmachine_21.0.8-jre-alpine-3.21/Dockerfile
index 0542f32..37d769c 100644
--- a/sapmachine_21.0.8-jre-alpine-3.21/Dockerfile
+++ b/sapmachine_21.0.8-jre-alpine-3.21/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-21-jre=21.0.8-r0
+    apk add nss sapmachine-21-jre=21.0.8-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-21-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
diff --git a/sapmachine_21.0.8-jre-alpine-3.22/Dockerfile b/sapmachine_21.0.8-jre-alpine-3.22/Dockerfile
index 7cda511..e01e1f0 100644
--- a/sapmachine_21.0.8-jre-alpine-3.22/Dockerfile
+++ b/sapmachine_21.0.8-jre-alpine-3.22/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-21-jre=21.0.8-r0
+    apk add nss sapmachine-21-jre=21.0.8-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-21-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
diff --git a/sapmachine_21.0.8-jre-headless-ubuntu-22.04/Dockerfile b/sapmachine_21.0.8-jre-headless-ubuntu-22.04/Dockerfile
index 87320fb..6d7bcfb 100644
--- a/sapmachine_21.0.8-jre-headless-ubuntu-22.04/Dockerfile
+++ b/sapmachine_21.0.8-jre-headless-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-21
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_21.0.8-jre-headless-ubuntu-24.04/Dockerfile b/sapmachine_21.0.8-jre-headless-ubuntu-24.04/Dockerfile
index 2b9d7bc..9298d78 100644
--- a/sapmachine_21.0.8-jre-headless-ubuntu-24.04/Dockerfile
+++ b/sapmachine_21.0.8-jre-headless-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-21
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_21.0.8-jre-ubuntu-22.04/Dockerfile b/sapmachine_21.0.8-jre-ubuntu-22.04/Dockerfile
index e3535a9..922b45c 100644
--- a/sapmachine_21.0.8-jre-ubuntu-22.04/Dockerfile
+++ b/sapmachine_21.0.8-jre-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-21
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_21.0.8-jre-ubuntu-24.04/Dockerfile b/sapmachine_21.0.8-jre-ubuntu-24.04/Dockerfile
index baa785e..5ceabc9 100644
--- a/sapmachine_21.0.8-jre-ubuntu-24.04/Dockerfile
+++ b/sapmachine_21.0.8-jre-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-21
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_24.0.2-jdk-alpine-3.21/Dockerfile b/sapmachine_24.0.2-jdk-alpine-3.21/Dockerfile
index 54173a4..1f479f1 100644
--- a/sapmachine_24.0.2-jdk-alpine-3.21/Dockerfile
+++ b/sapmachine_24.0.2-jdk-alpine-3.21/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-24-jdk=24.0.2-r0
+    apk add nss sapmachine-24-jdk=24.0.2-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-24-sapmachine-jdk
 
diff --git a/sapmachine_24.0.2-jdk-alpine-3.22/Dockerfile b/sapmachine_24.0.2-jdk-alpine-3.22/Dockerfile
index baad39e..278f4c3 100644
--- a/sapmachine_24.0.2-jdk-alpine-3.22/Dockerfile
+++ b/sapmachine_24.0.2-jdk-alpine-3.22/Dockerfile
@@ -3,7 +3,7 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-24-jdk=24.0.2-r0
+    apk add nss sapmachine-24-jdk=24.0.2-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-24-sapmachine-jdk
 
diff --git a/sapmachine_24.0.2-jre-alpine-3.21/Dockerfile b/sapmachine_24.0.2-jre-alpine-3.21/Dockerfile
index 88a8125..3a78714 100644
--- a/sapmachine_24.0.2-jre-alpine-3.21/Dockerfile
+++ b/sapmachine_24.0.2-jre-alpine-3.21/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.21
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-24-jre=24.0.2-r0
+    apk add nss sapmachine-24-jre=24.0.2-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-24-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
diff --git a/sapmachine_24.0.2-jre-alpine-3.22/Dockerfile b/sapmachine_24.0.2-jre-alpine-3.22/Dockerfile
index ced6e98..0ec7992 100644
--- a/sapmachine_24.0.2-jre-alpine-3.22/Dockerfile
+++ b/sapmachine_24.0.2-jre-alpine-3.22/Dockerfile
@@ -3,8 +3,8 @@ FROM alpine:3.22
 RUN wget -qO /etc/apk/keys/sapmachine-apk.rsa.pub https://dist.sapmachine.io/alpine/sapmachine-apk.rsa.pub && \
     echo "4444e47cabf35695f9406692848de191d3b7cbd47dcdc1ffb62f4f70aea06e89 /etc/apk/keys/sapmachine-apk.rsa.pub" | sha256sum -c - && \
     echo "https://dist.sapmachine.io/alpine" >> /etc/apk/repositories && \
-    apk add sapmachine-24-jre=24.0.2-r0
+    apk add nss sapmachine-24-jre=24.0.2-r0
 
 ENV JAVA_HOME=/usr/lib/jvm/java-24-sapmachine-jre
 
-CMD ["jshell"]
+CMD ["sh"]
diff --git a/sapmachine_24.0.2-jre-headless-ubuntu-22.04/Dockerfile b/sapmachine_24.0.2-jre-headless-ubuntu-22.04/Dockerfile
index 1d62400..f82fb6e 100644
--- a/sapmachine_24.0.2-jre-headless-ubuntu-22.04/Dockerfile
+++ b/sapmachine_24.0.2-jre-headless-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-24
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_24.0.2-jre-headless-ubuntu-24.04/Dockerfile b/sapmachine_24.0.2-jre-headless-ubuntu-24.04/Dockerfile
index fbb77e2..351e124 100644
--- a/sapmachine_24.0.2-jre-headless-ubuntu-24.04/Dockerfile
+++ b/sapmachine_24.0.2-jre-headless-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-24
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_24.0.2-jre-ubuntu-22.04/Dockerfile b/sapmachine_24.0.2-jre-ubuntu-22.04/Dockerfile
index a7693fc..2c977b0 100644
--- a/sapmachine_24.0.2-jre-ubuntu-22.04/Dockerfile
+++ b/sapmachine_24.0.2-jre-ubuntu-22.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-24
 
-CMD ["jshell"]
+CMD ["bash"]
diff --git a/sapmachine_24.0.2-jre-ubuntu-24.04/Dockerfile b/sapmachine_24.0.2-jre-ubuntu-24.04/Dockerfile
index 365250c..740662c 100644
--- a/sapmachine_24.0.2-jre-ubuntu-24.04/Dockerfile
+++ b/sapmachine_24.0.2-jre-ubuntu-24.04/Dockerfile
@@ -13,4 +13,4 @@ RUN apt-get update && \
 
 ENV JAVA_HOME=/usr/lib/jvm/sapmachine-24
 
-CMD ["jshell"]
+CMD ["bash"]

Relevant Maintainers:

@tianon
Member

tianon commented Aug 12, 2025

> Trigger build of Alpine-based images by inserting a dependency on the nss lib. This should remove the vulnerability.

-    apk add sapmachine-21-jdk=21.0.8-r0
+    apk add nss sapmachine-21-jdk=21.0.8-r0

Is this somehow exploitable from SapMachine? My read of the vulnerability in question was that the vector was extremely thin, and certainly didn't seem to warrant going out of our way for an image rebuild, and we generally do not allow "no-op" changes to Dockerfiles like this, preferring instead to encourage the base image maintainers to update if something is serious enough to warrant rebuilds.

@RealCLanger
Contributor Author

RealCLanger commented Aug 12, 2025

> > Trigger build of Alpine-based images by inserting a dependency on the nss lib. This should remove the vulnerability.

-    apk add sapmachine-21-jdk=21.0.8-r0
+    apk add nss sapmachine-21-jdk=21.0.8-r0

> Is this somehow exploitable from SapMachine? My read of the vulnerability in question was that the vector was extremely thin, and certainly didn't seem to warrant going out of our way for an image rebuild, and we generally do not allow "no-op" changes to Dockerfiles like this, preferring instead to encourage the base image maintainers to update if something is serious enough to warrant rebuilds.

Well, CVE-2025-6965 has a severity of 7.2 (High), so we thought it would warrant an update. It's hard to see how exploitable it would be from a JDK. The issue is within sqlite-libs and this package is not part of the base image but comes through the apk dependencies of the sapmachine package.

I can certainly remove the noop-change in the dockerfile. Is there a way to request a forced rebuild for certain tags without modifying the dockerfile?

@yosifkit
Member

> I can certainly remove the noop-change in the dockerfile. Is there a way to request a forced rebuild for certain tags without modifying the dockerfile?

Not currently. We want to provide periodic rebuilds for all DOI, but we haven't been able to prioritize it yet.

One issue is that this temporary fix must stay in the Dockerfile almost indefinitely (or at least until each next JDK bump). If our build system isn't specifically aware of a rebuild (our future plan), and this is ever reverted while the base image still hasn't been updated, then the old image build would be reused (since the build context and parent match).

@RealCLanger
Contributor Author

> > I can certainly remove the noop-change in the dockerfile. Is there a way to request a forced rebuild for certain tags without modifying the dockerfile?
>
> Not currently. We want to provide periodic rebuilds for all DOI, but we haven't been able to prioritize it yet.
>
> One issue is that this temporary fix must stay in the Dockerfile almost indefinitely (or at least until each next JDK bump). If our build system isn't specifically aware of a rebuild (our future plan), and this is ever reverted while the base image still hasn't been updated, then the old image build would be reused (since the build context and parent match).

OK, I was planning to remove the noop change with the next version bump. But then I guess we'll have to live with the vulnerability until then. Users will have to do `apk upgrade` to get rid of it in the meanwhile...
