Finding the Docker Image Build Date

It’s become common today to build projects based on Docker images. Somebody will find a blog post with a sample Dockerfile and verify it works with their application. As long as you use :latest or :alpine, everything should be good, right?

An example was a recent project I was helping on where the Dockerfile looked like:

FROM maven:alpine AS build
COPY src /usr/src/app/src
COPY pom.xml /usr/src/app
COPY configuration/settings.xml /usr/src/app
RUN mvn -s /usr/src/app/settings.xml -f /usr/src/app/pom.xml clean package

FROM openjdk:8-alpine
COPY --from=build /usr/src/app/target/myapp*.jar /usr/app/myapp.jar
ENTRYPOINT ["java","-jar","/usr/app/myapp.jar"]

JDK 8 is not the surprise. Depending on who you believe, maintenance for OpenJDK 8 is planned for at least another 4 years, until September 2023 (according to Red Hat, The OpenJDK Lifecycle).

I have a habit of checking the Docker images much more closely. The scary issue I found was that these images have not been updated in 2 years.

If you want a more exact date, you can use docker inspect:

docker inspect -f '{{ .Created }}' maven:alpine
docker inspect -f '{{ .Created }}' openjdk:8-alpine

Checking the Alpine project, a few weeks after this image was built, a number of CVEs were reported:

CVE-2021-3450, CVE-2021-23841, CVE-2021-3449

The OpenJDK project is receiving maintenance. The Alpine project is still patching CVEs. The person who builds these images for Docker just stopped pushing updates, so you need to check for an image that is being updated. In this case, doijanky is pushing images under tags like 3.8.2-ibmjava-8-alpine or ibmjava-alpine, which were updated 2021-09-01T06:33:21.362865623Z. That is much better.
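One way to run this check over every base image a Dockerfile references (an added example, not code from the original post). The function names and the 90-day threshold are assumptions, and `docker_created` expects the images to be pulled locally already.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
STAMP_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")

def base_images(dockerfile_text):
    """External images named in FROM lines; references to earlier stages are skipped."""
    stages, images = set(), []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() not in stages and image != "scratch" and image not in images:
            images.append(image)
        if alias:
            stages.add(alias.lower())
    return images

def parse_created(stamp):
    """Parse docker's .Created value, which can carry nine fractional digits."""
    m = STAMP_RE.fullmatch(stamp.strip())
    if not m:
        raise ValueError(f"unexpected timestamp: {stamp!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # datetime stops at microseconds
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return when.replace(microsecond=micros, tzinfo=timezone.utc)

def docker_created(image):
    """Run the docker inspect command from the post; the image must be pulled already."""
    cmd = ["docker", "inspect", "-f", "{{ .Created }}", image]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def stale_images(dockerfile_text, max_age_days=90, now=None, lookup=docker_created):
    """Return (image, age_in_days) for each base image older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    ages = [(i, (now - parse_created(lookup(i))).days) for i in base_images(dockerfile_text)]
    return [(image, days) for image, days in ages if days > max_age_days]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run against the local daemon: pass a Dockerfile path
        print(stale_images(open(sys.argv[1]).read()))
    else:  # constructed demo: FROM lines from the post, build dates made up
        dates = {"maven:alpine": "2019-05-11T00:00:00Z", "openjdk:8-alpine": "2019-05-11T00:00:00Z"}
        print(stale_images("FROM maven:alpine AS build\nFROM openjdk:8-alpine\n", lookup=dates.get))
```

Run in CI, a non-empty result is a signal to look for a tag that is still being rebuilt before the next release.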

Of course, you can also look at using buildpacks to avoid needing to use Docker.

