<div dir="ltr">
<div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thank you Even, these are very helpful suggestions.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">I tried removing jdk and flattening the image but jdk was still there in the diff folder.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Because of other dependencies, we are trying to stay with v3.8. I tried to regenerate using v3.8.5 (git hash 1d418c1). I updated ARG ARROW_VERSION=15.0.2-1 after getting the error</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The following packages have unmet dependencies:<br> libarrow-dev : Depends: libarrow1500 (= 15.0.1-1) but 15.0.2-1 is to be installed</blockquote><br>This time I get to:<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Step 46/46 : RUN . /buildscripts/bh-set-envvars.sh && /buildscripts/bh-gdal.sh<br>...<br>-- Configuring done<br>-- Generating done<br>-- Build files have been written to: /gdal/build<br>[ 1%] Building CXX object port/CMakeFiles/cpl_iconv.dir/cpl_recode_iconv.cpp.o<br>...<br>[ 51%] Built target gdal_MRF<br>make: *** [Makefile:136: all] Error 2<br>The command '/bin/sh -c . /buildscripts/bh-set-envvars.sh && /buildscripts/bh-gdal.sh' returned a non-zero code: 2</blockquote><br>How can I resolve this error?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Alternatively, we have considered a different solution that uses ubuntu:22.04 as our base image and then installs GDAL, but we are also having problems installing GDAL (I can't seem to get past dependency conflicts for v3.8.5 in pipenv, so I am trying v3.8.3), getting an error:</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Collecting gdal==3.8.3 (from -r /tmp/pipenv-gde160cj-requirements/pipenv-ndnw2zi0-hashed-reqs.txt (line 62))<br> Downloading GDAL-3.8.3.tar.gz (802 kB)<br> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 802.5/802.5 kB 104.5 MB/s eta 0:00:00<br> Preparing metadata (setup.py): started<br> Preparing metadata (setup.py): finished with status 'error'<br>error: subprocess-exited-with-error<br> <br> × python setup.py egg_info did not run successfully.<br> │ exit code: 1</blockquote>
<div> </div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Exception: Python bindings of GDAL 3.8.3 require at least libgdal 3.8.3, but 3.4.1 was found</blockquote>
<div> </div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">How can we upgrade libgdal (in our Dockerfile)?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Many thanks!</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Matt</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br><br><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_1856025454347068502divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Even Rouault <<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>><br>
<b>Sent:</b> Monday, September 9, 2024 1:56 PM<br>
<b>To:</b> Matt Luck - NOAA Affiliate <<a href="mailto:matt.luck@noaa.gov" target="_blank">matt.luck@noaa.gov</a>>; <a href="mailto:gdal-dev@lists.osgeo.org" target="_blank">gdal-dev@lists.osgeo.org</a> <<a href="mailto:gdal-dev@lists.osgeo.org" target="_blank">gdal-dev@lists.osgeo.org</a>><br>
<b>Subject:</b> Re: [gdal-dev] Upgrade or remove Java JDK 17 in GDAL Docker image</font>
<div> </div>
</div>
<div>
<p>Matt,</p>
<p><br>
</p>
<p>Several potential solutions:</p>
<p><br>
</p>
<p>1) Regenerate the Docker image from sources:</p>
<p><br>
</p>
<p>git clone <a href="https://github.com/OSGeo/gdal" target="_blank">
https://github.com/OSGeo/gdal</a></p>
<p>cd gdal</p>
<p>./docker/ubuntu-full/build.sh<br>
</p>
<p><br>
</p>
<p>2) Same as 1), but before edit ./docker/ubuntu-full/Dockerfile to remove all traces of java/jdk from it</p>
<p><br>
</p>
<p>3) Use the existing image, remove the openjdk package, and "flatten" the Docker layers with docker export / docker import (cf
<a href="https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2" target="_blank">
https://forums.docker.com/t/how-to-flatten-an-image-with-127-parents/1600/2</a>), so that the layer where it was installed disappears</p>
<p><br>
</p>
<p>4) Wait a couple hours while I'm regenerating it to be updated to <tt style="word-break:break-word">
17.0.12+7-1ubuntu2~24.04</tt></p>
<p><br>
</p>
<p>Even<br>
</p>
<p><br>
</p>
<div>On 09/09/2024 at 19:29, Matt Luck - NOAA Affiliate via gdal-dev wrote:<br>
</div>
<blockquote type="cite">
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi, our IT department has detected a security vulnerability in the Java JDK version 17 that's installed in the ubuntu-full docker image (see message below). I am able to remove the Java files from the Docker image via the Dockerfile and I've tried changing
the `JAVA_VERSION` in the Dockerfile, but there always seems to be a reference remaining in the Docker diff files that I can't seem to get rid of.</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
To reproduce:</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
A `docker system prune -a -f`, then `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds nothing, but then `docker pull <a href="http://ghcr.io/osgeo/gdal:ubuntu-full-3.9.1" target="_blank">ghcr.io/osgeo/gdal:ubuntu-full-3.9.1</a>` followed by `sudo find /var/lib/docker/overlay2 -type d -name java-17-openjdk-amd64` finds:<br>
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/jvm/java-17-openjdk-amd64</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/lib/debug/usr/lib/jvm/java-17-openjdk-amd64</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
/var/lib/docker/overlay2/1d5a9f2712fb9b28bfa857509a45fb334005cda0ea58fea8a259af8eb3fcb2db/diff/usr/share/gdb/auto-load/usr/lib/jvm/java-17-openjdk-amd64</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Because they're diff files, those files exist whether or not they're actually in the container and thus the vulnerability is always triggered. Is there a solution and/or a way to either upgrade the Java version or remove Java entirely if it's not needed so
that we can deal with this issue in the future?</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
On Mon, Jul 8, 2024 at 10:21 AM X wrote:</div>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
All,</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Please see the vulns below and remediate as soon as possible. These are in containers.</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Path : /var/lib/docker/overlay2/48c2e3da9fc2282822d4522e28ca46788f5357a14a8a38f687e2cadbf9de68d7/diff/usr/lib/jvm/java-17-openjdk-amd64/<br>
Installed version : 17.0.8<br>
Fixed version : Upgrade to a version greater than 17.0.10<br>
<br>
</div>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Path : /var/lib/docker/overlay2/4aed72b0f0433c615afe67854c8c79bb7acca2fb01216bf6be25774180266f4d/diff/usr/lib/jvm/java-17-openjdk-amd64/<br>
Installed version : 17.0.8<br>
Fixed version : Upgrade to a version greater than 17.0.10</div>
</blockquote>
<div style="direction:ltr;text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
gdal-dev mailing list
<a href="mailto:gdal-dev@lists.osgeo.org" target="_blank">gdal-dev@lists.osgeo.org</a>
<a href="https://lists.osgeo.org/mailman/listinfo/gdal-dev" target="_blank">https://lists.osgeo.org/mailman/listinfo/gdal-dev</a>
</pre>
</blockquote>
<pre cols="72">--
<a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a>
My software is free, but my time generally not.</pre>
</div>
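Even's option 3 (purge the JDK in a container, then flatten with docker export / docker import) together with the overlay2 layer check that Matt's scanner performs, as an added POSIX shell example that is not from the thread or the GDAL project. The apt package pattern, the container and tag names and the CMD re-applied on import are assumptions; the docker steps only run when the script is invoked with the argument `run`, so the two check functions can be exercised on a constructed directory tree without docker.

```shell
#!/bin/sh
# Added example, not from the thread or the GDAL project. Assumptions: docker is
# installed, the JDK comes from the openjdk-17-* apt packages, names are placeholders.
# Compare two dotted versions numerically; prints lt, eq or gt. A plain string
# comparison would rank 17.0.8 above 17.0.10, which is exactly the pair in the report.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return 0; }
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    echo eq
}

# Reproduce the scanner's view: walk a layer store (e.g. /var/lib/docker/overlay2),
# read JAVA_VERSION from each JDK's release file, and print "version path" for
# every JDK that is not newer than the fixed version. Lower layers are scanned
# whether or not a later layer deleted the directory, which is the thread's problem.
find_vulnerable_jdks() {
    root=$1; fixed=$2
    find "$root" -path '*/diff/usr/lib/jvm/*/release' 2>/dev/null | while read -r rel; do
        ver=$(sed -n 's/^JAVA_VERSION="\([0-9.]*\)".*/\1/p' "$rel")
        [ -n "$ver" ] || continue
        if [ "$(vercmp "$ver" "$fixed")" != gt ]; then
            printf '%s %s\n' "$ver" "$(dirname "$rel")"
        fi
    done
}

# Even's option 3: purge the JDK inside a container, then export/import so the
# image collapses to a single layer and the old layer's files are gone for good.
# docker import drops the ENV/CMD/ENTRYPOINT of the original image; re-apply what
# you need with --change (the CMD here is a placeholder).
flatten_without_jdk() {
    image=$1; flat_tag=$2
    docker run --name jdk-strip "$image" sh -c \
        'apt-get remove --purge -y "openjdk-17-*" && apt-get autoremove -y && rm -rf /usr/lib/jvm'
    docker export jdk-strip | docker import --change 'CMD ["/bin/bash"]' - "$flat_tag"
    docker rm jdk-strip
    # Verification: a flattened image shows exactly one layer in its history.
    docker history --format '{{.ID}}' "$flat_tag" | wc -l
}

if [ "${1:-}" = run ]; then
    flatten_without_jdk ghcr.io/osgeo/gdal:ubuntu-full-3.9.1 gdal-flat:local
fi
```

Run `find_vulnerable_jdks /var/lib/docker/overlay2 17.0.10` as root before and after the flatten to confirm the old layer is no longer present on disk.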
</div>
</div>