fedramp(image): apt-get upgrade in dependencies stage#2
Open
geekshiv-spotdraft wants to merge 1 commit into
Open
fedramp(image): apt-get upgrade in dependencies stage#2geekshiv-spotdraft wants to merge 1 commit into
geekshiv-spotdraft wants to merge 1 commit into
Conversation
The runtime stage already runs 'apt-get update && apt-get upgrade -y'. This propagates the same upgrade into the dependencies stage so the JDK / gdal / tesseract / curl install layer gets Ubuntu jammy security backports as well. Note: cxf-core 3.5.4 -> 3.5.5 (PATCH) is bundled inside tika-server.jar and cannot be patched from the Dockerfile alone — it requires bumping TIKA_VERSION (a major upstream change) and is intentionally out of scope for this 0-breaking-risk PR.
![baz-reviewer[bot]](https://avatars.githubusercontent.com/in/933528?s=60&v=4){kind=small}
Comment on lines
+11
to
12
| RUN DEBIAN_FRONTEND=noninteractive apt-get -y upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y install openjdk-17-jre-headless gdal-bin tesseract-ocr \ | ||
| tesseract-ocr-eng tesseract-ocr-ita tesseract-ocr-fra tesseract-ocr-spa tesseract-ocr-deu curl |
There was a problem hiding this comment.
dependencies runs apt-get upgrade/install without refreshing package lists, so cached base layers can leave stale metadata here — should we add apt-get update to this RUN first?
Want Baz to fix this for you? Activate Fixer
Prompt for AI Agents
Before applying, verify this suggestion against the current code. In Dockerfile around
lines 11-12 in the `dependencies` stage, the `RUN DEBIAN_FRONTEND=noninteractive apt-get
-y upgrade && ... apt-get -y install ...` runs without an `apt-get update`, relying on
cached apt lists from the `base` stage. Fix this by adding `apt-get update` in the same
RUN command (or otherwise refreshing `/var/lib/apt/lists`) before `upgrade` and
`install`, and keep it in a single layer to avoid stale metadata. Also consider cleaning
apt lists afterward (e.g., removing `/var/lib/apt/lists/*`) to prevent bloating the
image.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Summary
The runtime stage already runs `apt-get update && apt-get upgrade -y`. This PR propagates the same upgrade into the dependencies stage so the JDK / gdal / tesseract / curl install layer also picks up Ubuntu jammy security backports during `docker build`.
Zero breaking-change risk — only DEB_REV / DEB_PATCH backports get applied.
Out of scope
Test plan
Made with Cursor
Generated description
Below is a concise technical summary of the changes proposed in this PR:
Add
apt-get upgradeto the dependencies stage so the JDK/GDAL/Tesseract/Curl install layer benefits from Ubuntu jammy security backports during docker builds. Ensure the container stages align by matching the runtime stage’s package freshness expectations.Latest Contributors(2)