jib | Build container images for your Java applications. | Continuous Deployment library

 by   GoogleContainerTools Java Version: v0.10.0-cli License: Apache-2.0

kandi X-RAY | jib Summary

jib is a Java library typically used in DevOps, Continuous Deployment, Gradle, Docker, and Maven applications. jib has no bugs and no vulnerabilities, a build file is available, it has a Permissive License, and it has high support. You can download it from GitHub or Maven.

Jib builds optimized Docker and OCI images for your Java applications without a Docker daemon, and without deep mastery of Docker best practices. It is available as plugins for Maven and Gradle and as a Java library.

  • Maven: See documentation for jib-maven-plugin.
  • Gradle: See documentation for jib-gradle-plugin.
  • Jib Core: A general-purpose container-building library for Java.
  • Jib CLI: A command-line interface for building images that uses Jib Core.

For more information, check out the official blog post or watch this talk (slides).

Support

  • jib has a highly active ecosystem.
  • It has 11721 star(s) with 1218 fork(s). There are 338 watchers for this library.
  • There were 4 major release(s) in the last 6 months.
  • There are 127 open issues and 1257 have been closed. On average issues are closed in 52 days. There are 7 open pull requests and 0 closed requests.
  • It has a negative sentiment in the developer community.
  • The latest version of jib is v0.10.0-cli

Quality

  • jib has 0 bugs and 0 code smells.

Security

  • jib has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
  • jib code analysis shows 0 unresolved vulnerabilities.
  • There are 0 security hotspots that need review.

License

  • jib is licensed under the Apache-2.0 License. This license is Permissive.
  • Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

  • jib releases are available to install and integrate.
  • Deployable package is available in Maven.
  • Build file is available. You can build the component from source.
  • Installation instructions are available. Examples and code snippets are not available.
  • It has 56842 lines of code, 4123 functions and 670 files.
  • It has medium code complexity. Code complexity directly impacts maintainability of the code.
Top functions reviewed by kandi - BETA

kandi has reviewed jib and discovered the below as its top functions. This is intended to give you an instant insight into jib implemented functionality, and help decide if they suit your requirements.

  • Build a JavaContainerBuilder.
  • Builds a list of layers from a file specification.
  • Builds the project artifacts.
  • Build docker.
  • Build an image.
  • Build the tar image.
  • Updates an image builder with the given container configuration template.
  • Pull the base image manifest.
  • Extracts a docker image from a tar archive.
  • Run the build.

jib Key Features

Fast - Deploy your changes fast. Jib separates your application into multiple layers, splitting dependencies from classes. Now you don’t have to wait for Docker to rebuild your entire Java application - just deploy the layers that changed.

Reproducible - Rebuilding your container image with the same contents always generates the same image. Never trigger an unnecessary update again.

Daemonless - Reduce your CLI dependencies. Build your Docker image from within Maven or Gradle and push to any registry of your choice. No more writing Dockerfiles and calling docker build/push.

How to quickly detect and remove log4j classes from our code base and the base image? "mvn dependency:tree" does not check base image

mvn dependency:tree | grep log4j

#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib

Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...

#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:

# Class File                                        CVE
# org/apache/log4j/net/SocketAppender.class         CVE-2019-17571
# org/apache/log4j/net/SocketServer.class           CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class         CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class           CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class            CVE-2021-4104
# org/apache/log4j/net/JMSSink.class                CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class           CVE-2022-23305
# org/apache/log4j/chainsaw/*.class                 CVE-2022-23307

cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)

size() {
    stat -c %s "$1"
}

extract_remove_repackage() {
    before=$1
    # jar xf -C some_dir only extract to current dir, we have to cd first
    jar_dir=$(dirname "$2")
    jar_file=$(basename "$2")
    temp_dir=$jar_dir/temp
    mkdir "$temp_dir"
    cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
    cd "$temp_dir"
    jar xf "$jar_file"
    # provide file and dir names to rm with list.txt
    xargs rm -rvf < list.txt && rm list.txt "$jar_file"
    jar cf "$jar_file" .
    mv "$jar_file" ../
    # go back and clean up
    cd "$before" && rm -rf "$temp_dir"
}

find_vulnerable_jars() {
    cd "$root_dir"
    jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
    if [ "$(size list.txt)" -gt 0 ]; then
        echo ">>>>> Removing class file from '$(realpath "$1")'":
        extract_remove_repackage "$(pwd)" "$1"
    else
        return 0
    fi
}
remove_classes_from_jars() {
    echo Starting to fix all CVEs regarding Log4j 1.x...
    # exclude jolokia.jar(link)
    # xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
    # because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
    if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
        echo All vulnerable classes removed. CVE addressed:
        printf '%s\n' "${cves[@]}"
    else
        echo "Error while removing classes; exiting..."
        return 1
    fi
}

# to be usable in the child shell started by "xargs ... bash -c", all vars and functions must be exported
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars

<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-all</artifactId>
    <version>${version.activemq-all}</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>${version.log4j}</version>
    <scope>provided</scope>
</dependency>

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions>
        <execution>
            <id>copy-cve-jars</id>
            <phase>compile</phase>
            <goals>
                <goal>copy-dependencies</goal>
            </goals>
            <configuration>
                <includeArtifactIds>activemq-all,log4j</includeArtifactIds>
                <includeScope>provided</includeScope>
                <includeTypes>jar</includeTypes>
                <outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
                <excludeTransitive>true</excludeTransitive>
            </configuration>
        </execution>
    </executions>
</plugin>
<plugin>
    <artifactId>exec-maven-plugin</artifactId>
    <groupId>org.codehaus.mojo</groupId>
    <executions>
        <execution>
            <id>remove-cve-classes</id>
            <phase>process-classes</phase>
            <goals>
                <goal>exec</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
        <arguments>
            <!-- should match copy-dependency output dir -->
            <argument>${project.build.directory}/dependency</argument>
        </arguments>
    </configuration>
</plugin>
<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <configuration>
        <from>
            <image>${docker.base.image}</image>
        </from>
        <to>
            <image>${docker.image}</image>
            <tags>
                <tag>${project.version}</tag>
            </tags>
        </to>
        <container>
            <appRoot>/dev/null</appRoot>
            <entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
        </container>
        <containerizingMode>packaged</containerizingMode>
        <extraDirectories>
            <paths>
                <path>${project.basedir}/src/main/jib</path>
                <path>${project.build.directory}/jib</path>
                <path>
                    <from>target/dependency</from>
                    <into>/opt/amq/lib/optional</into>
                    <includes>log4j-${version.log4j}.jar</includes>
                </path>
                <path>
                    <from>target/dependency</from>
                    <into>/opt/amq</into>
                    <includes>activemq-all-${version.activemq-all}.jar</includes>
                </path>
            </paths>
            <permissions>
                <permission>
                    <!-- don't forget to restrict writing to prevent tampering -->
                    <file>/opt/amq/conf/log4j.properties</file>
                    <mode>444</mode>
                </permission>
                <!-- the copied jars need to be executable -->
                <permission>
                    <file>/opt/amq/lib/${application.executable}</file>
                    <mode>755</mode>
                </permission>
                <permission>
                    <file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
                    <mode>755</mode>
                </permission>
                <permission>
                    <file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
                    <mode>755</mode>
                </permission>
            </permissions>
        </extraDirectories>
    </configuration>
    <executions>
        <execution>
            <id>jib-build</id>
            <phase>package</phase>
            <goals>
                <goal>${jib.goal}</goal>
            </goals>
        </execution>
    </executions>
</plugin>
                    <mode>755</mode>
                </permission>
                <permission>
                    <file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
                    <mode>755</mode>
                </permission>
            </permissions>
        </extraDirectories>
    </configuration>
    <executions>
        <execution>
            <id>jib-build</id>
            <phase>package</phase>
            <goals>
                <goal>${jib.goal}</goal>
            </goals>
        </execution>
    </executions>
</plugin>
-----------------------
mvn dependency:tree | grep log4j

#!/bin/sh
/opt/amq/bin/fix_log4j_1.x_cves.sh
/opt/amq/bin/launch.sh # the original, inherited entrypoint in jib

Starting to fix all CVEs regarding Log4j 1.x...
>>>>> Removing class file from '/opt/amq/lib/optional/log4j-1.2.17.redhat-1.jar':
removed 'org/apache/log4j/chainsaw/ControlPanel$1.class'
removed 'org/apache/log4j/chainsaw/ControlPanel$2.class'
...
>>>>> Removing class file from '/opt/amq/activemq-all-5.11.0.redhat-630495.jar':
...

#!/bin/bash
# Script to fix log4j 1.x CVEs. Initially it is only for CVE-2021-4104, but
# since there are multiple CVEs regarding log4j 1.x, they are all fixed here:

# Class File                                        CVE
# org/apache/log4j/net/SocketAppender.class         CVE-2019-17571
# org/apache/log4j/net/SocketServer.class           CVE-2019-17571
# org/apache/log4j/net/SMTPAppender$1.class         CVE-2020-9488
# org/apache/log4j/net/SMTPAppender.class           CVE-2020-9488
# org/apache/log4j/net/JMSAppender.class            CVE-2021-4104
# org/apache/log4j/net/JMSSink.class                CVE-2022-23302
# org/apache/log4j/net/JDBCAppender.class           CVE-2022-23305
# org/apache/log4j/chainsaw/*.class                 CVE-2022-23307

cves=(
'CVE-2019-17571'
'CVE-2019-17571'
'CVE-2020-9488'
'CVE-2020-9488'
'CVE-2021-4104'
'CVE-2022-23302'
'CVE-2022-23305'
'CVE-2022-23307'
)

size() {
    stat -c %s "$1"
}

extract_remove_repackage() {
    before=$1
    # jar xf -C some_dir only extract to current dir, we have to cd first
    jar_dir=$(dirname "$2")
    jar_file=$(basename "$2")
    temp_dir=$jar_dir/temp
    mkdir "$temp_dir"
    cp list.txt "$temp_dir"/ && cp "$2" "$temp_dir"/
    cd "$temp_dir"
    jar xf "$jar_file"
    # provide file and dir names to rm with list.txt
    xargs rm -rvf < list.txt && rm list.txt "$jar_file"
    jar cf "$jar_file" .
    mv "$jar_file" ../
    # go back and clean up
    cd "$before" && rm -rf "$temp_dir"
}

find_vulnerable_jars() {
    cd "$root_dir"
    jar -tvf "$1" | grep -E "$pattern" | awk '{ print $8 }' > list.txt
    if [ "$(size list.txt)" -gt 0 ]; then
        echo ">>>>> Removing class file from '$(realpath "$1")'":
        extract_remove_repackage "$(pwd)" "$1"
    else
        return 0
    fi
}

remove_classes_from_jars() {
    echo Starting to fix all CVEs regarding Log4j 1.x...
    # exclude jolokia.jar(link)
    # xargs can return error level to "if", when any of execution fails, while "find -exec" cannot
    # because we use custom function, xargs needs "bash -c"; thus we have to use "_" to pass each arg
    if find "$root_dir" -name "*.jar" -not -type l -print0 | xargs -0 -n1 bash -c 'find_vulnerable_jars "$@"' _; then
        echo All vulnerable classes removed. CVE addressed:
        printf '%s\n' "${cves[@]}"
    else
        echo "Error while removing classes; exiting..."
        return 1
    fi
}

# to be able to use in find -exec child shell, we need to export all vars and functions
# $1: where to search jars, should match copy-dependency output dir.
export root_dir=$1
export pattern=".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
export -f size
export -f extract_remove_repackage
export -f find_vulnerable_jars
remove_classes_from_jars

<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-all</artifactId>
    <version>${version.activemq-all}</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>${version.log4j}</version>
    <scope>provided</scope>
</dependency>
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions>
        <execution>
            <id>copy-cve-jars</id>
            <phase>compile</phase>
            <goals>
                <goal>copy-dependencies</goal>
            </goals>
            <configuration>
                <includeArtifactIds>activemq-all,log4j</includeArtifactIds>
                <includeScope>provided</includeScope>
                <includeTypes>jar</includeTypes>
                <outputDirectory>${project.build.directory}/dependency</outputDirectory> <!-- default value -->
                <excludeTransitive>true</excludeTransitive>
            </configuration>
        </execution>
    </executions>
</plugin>
<plugin>
    <artifactId>exec-maven-plugin</artifactId>
    <groupId>org.codehaus.mojo</groupId>
    <executions>
        <execution>
            <id>remove-cve-classes</id>
            <phase>process-classes</phase>
            <goals>
                <goal>exec</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <executable>${project.build.scriptSourceDirectory}/log4j_cve_fix.sh</executable>
        <arguments>
            <!-- should match copy-dependency output dir -->
            <argument>${project.build.directory}/dependency</argument>
        </arguments>
    </configuration>
</plugin>
<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <configuration>
        <from>
            <image>${docker.base.image}</image>
        </from>
        <to>
            <image>${docker.image}</image>
            <tags>
                <tag>${project.version}</tag>
            </tags>
        </to>
        <container>
            <appRoot>/dev/null</appRoot>
            <entrypoint>INHERIT</entrypoint> <!-- customized entrypoint not needed anymore, just revert to the way it was -->
        </container>
        <containerizingMode>packaged</containerizingMode>
        <extraDirectories>
            <paths>
                <path>${project.basedir}/src/main/jib</path>
                <path>${project.build.directory}/jib</path>
                <path>
                    <from>target/dependency</from>
                    <into>/opt/amq/lib/optional</into>
                    <includes>log4j-${version.log4j}.jar</includes>
                </path>
                <path>
                    <from>target/dependency</from>
                    <into>/opt/amq</into>
                    <includes>activemq-all-${version.activemq-all}.jar</includes>
                </path>
            </paths>
            <permissions>
                <permission>
                    <!-- don't forget to restrict writing to prevent tampering -->
                    <file>/opt/amq/conf/log4j.properties</file>
                    <mode>444</mode>
                </permission>
                <!-- the copied jars need to be executable -->
                <permission>
                    <file>/opt/amq/lib/${application.executable}</file>
                    <mode>755</mode>
                </permission>
                <permission>
                    <file>/opt/amq/activemq-all-${version.activemq-all}.jar</file>
                    <mode>755</mode>
                </permission>
                <permission>
                    <file>/opt/amq/lib/optional/log4j-${version.log4j}.jar</file>
                    <mode>755</mode>
                </permission>
            </permissions>
        </extraDirectories>
    </configuration>
    <executions>
        <execution>
            <id>jib-build</id>
            <phase>package</phase>
            <goals>
                <goal>${jib.goal}</goal>
            </goals>
        </execution>
    </executions>
</plugin>
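
A post-fix check for the class-stripping script above, as an added example that is not part of the original page: it lists every archive entry the page's `pattern` would remove and maps log4j 1.x classes to the CVEs in the script's header table. It goes further than the script by descending into nested jars (which `jar -tvf` does not list) and by flagging matches outside `org/apache/log4j/`; the jar contents, the `com/example/...` class and all function names are constructed for illustration.

```python
import io
import re
import zipfile

# Removal pattern exactly as exported by the script on this page; re.search()
# mirrors how `grep -E` matches it anywhere in a listing line.
PAGE_PATTERN = re.compile(
    r".*(JMS|JDBC|SMTP|Socket)Appender.*.class|.*SocketServer.class"
    r"|.*JMSSink.class|org/apache/log4j/chainsaw/.*"
)

# Class-file/CVE table from the script's header comment, keyed by simple class
# name so inner classes such as SMTPAppender$1 map to the same CVE.
CVE_BY_CLASS = {
    "SocketAppender": "CVE-2019-17571",
    "SocketServer": "CVE-2019-17571",
    "SMTPAppender": "CVE-2020-9488",
    "JMSAppender": "CVE-2021-4104",
    "JMSSink": "CVE-2022-23302",
    "JDBCAppender": "CVE-2022-23305",
}
LOG4J_PREFIX = "org/apache/log4j/"
CHAINSAW_PREFIX = LOG4J_PREFIX + "chainsaw/"
MAX_DEPTH = 3  # assumption: jars nested deeper than this are not expected


def classify(entry):
    """Return the CVE id for a log4j 1.x class entry, or None."""
    if not entry.endswith(".class") or not entry.startswith(LOG4J_PREFIX):
        return None
    if entry.startswith(CHAINSAW_PREFIX):
        return "CVE-2022-23307"
    simple = entry.rsplit("/", 1)[-1][: -len(".class")].split("$", 1)[0]
    return CVE_BY_CLASS.get(simple)


def scan_jar(jar, label="<jar>", depth=0):
    """List (location, entry, cve) for every entry the page's pattern matches.

    `jar` is a path or a binary file object. Nested *.jar entries are scanned
    as well, because a top-level listing alone would not reveal their classes.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".jar") and depth < MAX_DEPTH:
                nested = io.BytesIO(zf.read(name))
                if zipfile.is_zipfile(nested):
                    findings += scan_jar(nested, f"{label}!/{name}", depth + 1)
                continue
            if PAGE_PATTERN.search(name):
                findings.append((label, name, classify(name)))
    return findings


def outside_log4j(findings):
    """Entries the pattern would delete although they are not log4j 1.x classes."""
    return [f for f in findings if not f[1].startswith(LOG4J_PREFIX)]


def build_jar(entries, nested=None):
    """Constructed sample input: an in-memory jar with empty placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed entry lists: a log4j 1.x jar before and after stripping, plus a
# hypothetical application class whose name happens to match the pattern.
LOG4J_BEFORE = [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SMTPAppender$1.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/chainsaw/ControlPanel$1.class",
]
LOG4J_AFTER = ["org/apache/log4j/Logger.class"]
APP_ENTRIES = ["com/example/audit/JDBCAppenderConfig.class"]


def demo():
    before = scan_jar(build_jar(LOG4J_BEFORE + APP_ENTRIES), "log4j-before.jar")
    after = scan_jar(build_jar(LOG4J_AFTER), "log4j-after.jar")
    fat = build_jar(
        ["app/Main.class"],
        {"lib/log4j-1.2.17.jar": build_jar(LOG4J_BEFORE).getvalue()},
    )
    nested = scan_jar(fat, "fat.jar")
    return before, after, nested


if __name__ == "__main__":
    before, after, nested = demo()
    for location, entry, cve in before + nested:
        print(f"{location}: {entry} [{cve or 'not in CVE table'}]")
    print("stripped jar clean:", not after)
```

Run against the `copy-dependencies` output directory after the `remove-cve-classes` execution, an empty result confirms the repackaged jars no longer contain matching entries.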
-----------------------
\- org.springframework.boot:spring-boot-starter-web:jar:2.6.0:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.6.0:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.6.0:compile
[INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile

<dependency>
    <groupId>your dep groupId</groupId>
    <artifactId>your dep artifactId</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-to-slf4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Google Jib - Is it possible to run a linux command at container startup using CMD/ENTRYPOINT?

#!/bin/sh

# Assumes `java` is on PATH in the base image.
exec java $JAVA_OPTS \
  -cp $( cat /app/jib-classpath-file ) \
  $( cat /app/jib-main-class-file )

exec java $JAVA_OPTS -cp @/app/jib-classpath-file @/app/jib-main-class-file

<container>
  <!-- Assumes you have /bin/sh as specified at the top of /my-entrypoint.sh. -->
  <entrypoint>/my-entrypoint.sh</entrypoint>
</container>
<!-- You also need to make the script executable. -->
<extraDirectories>
  <permissions>
    <permission>
      <file>/my-entrypoint.sh</file>
      <mode>755</mode>
    </permission>
  </permissions>
</extraDirectories>

<container>
  <entrypoint>
    <arg>/bin/sh</arg>
    <arg>/my-entrypoint.sh</arg>
  </entrypoint>
</container>

<container>
  <entrypoint>
    <arg>/bin/sh</arg>
    <arg>-c</arg>
    <arg>exec java $JAVA_OPTS -cp $( cat /app/jib-classpath-file ) $( cat /app/jib-main-class-file )</arg>
  </entrypoint>
</container>

How to decide Quarkus application arguments in Kubernetes at run-time?

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3

ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security

# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
# We make four distinct layers so if there are application changes the library layers can be re-used
COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/
COPY --chown=1001 target/quarkus-app/*.jar /deployments/
COPY --chown=1001 target/quarkus-app/app/ /deployments/app/
COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/

EXPOSE 8080
USER 1001

# [== BEFORE ==]
# ENTRYPOINT [ "/deployments/run-java.sh" ]
# [== AFTER ==]
ENTRYPOINT "/deployments/run-java.sh" $CLI_ARGUMENTS

JIB with GitHub Actions

mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build -Djib.to.image=foo

      # Adds Gradle init script that applies the Jib Gradle plugin.
      echo "initscript {
              repositories { maven { url 'https://plugins.gradle.org/m2' } }
              dependencies { classpath 'gradle.plugin.com.google.cloud.tools:jib-gradle-plugin:3.2.0' }
            }
            rootProject {
              afterEvaluate {
                if (!project.plugins.hasPlugin('com.google.cloud.tools.jib')) {
                  project.apply plugin: com.google.cloud.tools.jib.gradle.JibPlugin
                }
              }
            }" > "$HOME"/init-script.gradle
      # Runs the Gradle Jib build.
      gradle jib \
        --init-script="$HOME"/init-script.gradle \
        -Djib.to.image=foo

jib jar --target=my-registry.example.com/jar-app myapp.jar
-----------------------
name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}

GitHub Actions: Error 401 Unauthorized in JIB maven plugin

Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5

Jib create folder for temporary files and changing folder ownership

    extraDirectories.paths = ['jib-extra']

    pluginExtensions {
        pluginExtension {
            implementation = 'com.google.cloud.tools.jib.gradle.extension.ownership.JibOwnershipExtension'
            configuration {
                rules {
                    rule {
                        // must be absolute path starting with '/'
                        glob = '/app/export'
                        ownership = '1000'
                    }
                    // if you have files under /app/export
                    rule {
                        glob = '/app/export/**'
                        ownership = '1000'
                    }
                }
            }
        }
    }

How to solve permissions for push to Google Artifact Registry from Cloud Build using jib-maven-plugin?

<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <version>3.1.4</version>
    <configuration>
        <from>
            <image>${base.image}</image>
        </from>
        <to>
            <image>${docker.image.repo}/${project.artifactId}:latest</image>
            <tags>
                <tag>${VERSION_ID}</tag>
                <tag>latest</tag>
            </tags>
        </to>
        <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
        <allowInsecureRegistries>true</allowInsecureRegistries>
        <container>
            <ports>
                <port>8080</port>
            </ports>
        </container>
    </configuration>
    <executions>
        <execution>
            <id>build-and-push-docker-image</id>
            <phase>package</phase>
            <goals>
                <goal>build</goal>
            </goals>
        </execution>
    </executions>
</plugin>
...
  - name: 'gcr.io/cloud-builders/gcloud'
    args:
      - '-c'
      - >
        gcloud auth configure-docker --quiet --verbosity=debug `echo
        ${_CONTAINER_REPO} | cut -d / -f 1` 
        /root 
    id: gcloud auth
    entrypoint: /bin/bash
...
  - name: 'gcr.io/cloud-builders/mvn:3.5.0-jdk-8'
    args:
      - '-Dmaven.test.skip=false'
      - '-Dmaven.repo.local=/workspace/.m2/repository'
      - '--settings'
      - custom-settings.xml
      - clean
      - install
      - '-DskipITs'
      - '-B'
      - '-X'
      - '-DVERSION_ID=$TAG_NAME'
      - '-DBRANCH_ID=master'
      - '-DPROJECT_ID=$PROJECT_ID'
      - '-DCONTAINER_REPO=${_CONTAINER_REPO}'
      - '-DMAVEN_REPO=${_MAVEN_REPO}'
      - '-DDOCKER_CONFIG=/builder/home/.docker'
      - '-P'
      - release
    id: build

Adding prometheus jmx agent jar to JIB build

        container {
            jvmFlags = ...
        }
        extraDirectories {
            paths {
                path {
                    setFrom("$jibExtraDir")
                }
            }
        }
extraDirectories.paths = "$jibExtraDir"

Error creating bean with name 'solverManager', Unsatisfied dependency expressed through constructor parameter

java.lang.NullPointerException: null at java.compiler@11.0.12/javax.tools.ToolProvider.lambda$matches$0(Unknown Source) 

Maven jib:dockerBuild fails for non-root user on Ubuntu (and in Windows wsl2 as well)

$ docker login -u foo -p bar
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
[ERROR] {"details":"incorrect username or password"}
Using credentials from Docker config (/home/user/.docker/config.json) for localhost:5000/java
Using credential helper docker-credential-gcr for gcr.io/project/repo
-----------------------
gcloud auth configure-docker
gcloud auth configure-docker eu.gcr.io

Community Discussions

Trending Discussions on jib
  • Including files (NOT classpath resource) in Quarkus Native
  • Best practices while building docker images for spring boot app via gradle
  • How to quickly detect and remove log4j classes from our code base and the base image? "mvn dependency:tree" does not check base image
  • Google Jib - Is it possible to run a linux command at container startup using CMD/ENTRYPOINT?
  • 503 from server: Service Unavailable: Back-end server is at capacity
  • jib - customized entrypoint can only remove classes at runtime, but will fail 3pp vulnerability check before deployment
  • How to decide Quarkus application arguments in Kubernetes at run-time?
  • Container Creation Fails with Jib after upgrading to 2.7.0.Final
  • JIB with GitHub Actions
  • GitHub Actions: Error 401 Unauthorized in JIB maven plugin

QUESTION

Including files (NOT classpath resource) in Quarkus Native

Asked 2022-Apr-08 at 06:02

In Quarkus, to include random files as classpath resource, we use quarkus.native.resources.includes (https://quarkus.io/guides/writing-native-applications-tips#including-resources).

How to include files in the file system? I.e. something read using new File(thePath).

If we use Jib, we simply put those files inside src/main/jib. But that's for non-native.

ANSWER

Answered 2022-Apr-08 at 06:02

Building a native binary has nothing to do with adding files to the file system of the target platform.

If your goal is to create a container image using the native binary and also add files to the container image's filesystem, then you can use Quarkus with Jib and add the files to src/main/jib (as you mentioned). These files will be included on the built container image as described here.

Source https://stackoverflow.com/questions/71787633

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install jib

Maven - See the jib-maven-plugin Quickstart.
Gradle - See the jib-gradle-plugin Quickstart.
Jib Core - See the Jib Core Quickstart.
Jib CLI - See the Jib CLI doc.

Support

We welcome contributions! Here's how you can contribute:.


  • © 2022 Open Weaver Inc.