chore(deps): bump bellsoft/liberica-openjdk-alpine from 17.0.12 to 23-38 in /docker-jans-all-in-one

[dependabot]

Bumps bellsoft/liberica-openjdk-alpine from 17.0.12 to 23-38.

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
bellsoft/liberica-openjdk-alpine	[>= 21.pre.37.a, < 22]
bellsoft/liberica-openjdk-alpine	[>= 20.pre.37.a, < 21]
bellsoft/liberica-openjdk-alpine	[>= 19.pre.37.a, < 20]
bellsoft/liberica-openjdk-alpine	[>= 18.pre.37.a, < 19]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

DryRun Security Summary

The changes made to the docker-jans-all-in-one/Dockerfile focus on improving the security and maintainability of the Janssen All-in-One (AIO) Docker image, including updating the base image, using a partial-clone and sparse-checkout approach, carefully managing environment variables, adjusting permissions and ownership, running the application as a non-root user, and setting up proper logging.

Expand for full summary

Summary:

The changes made to the docker-jans-all-in-one/Dockerfile appear to be focused on improving the security and maintainability of the Janssen All-in-One (AIO) Docker image. The key security-related changes include updating the base image to a newer version, using a partial-clone and sparse-checkout approach to reduce the attack surface, carefully managing environment variables, adjusting permissions and ownership, running the application as a non-root user, and setting up proper logging. These changes demonstrate a strong focus on applying security best practices in the Docker image build process.

While the changes look positive from a security perspective, it's important to review the specific configurations and environment variables to ensure there are no security vulnerabilities introduced. Additionally, the Nginx configuration files should be reviewed for any potential security issues, such as improper access control or input validation. Overall, the Dockerfile changes seem to be a step in the right direction for improving the security of the Janssen AIO application.

Files Changed:

• docker-jans-all-in-one/Dockerfile: This Dockerfile has been updated to build a Docker image for the Janssen All-in-One (AIO) application. The key security-related changes include:
  • Updating the base image from bellsoft/liberica-openjdk-alpine:17.0.12 to bellsoft/liberica-openjdk-alpine:23-38, which may include security and bug fixes.
  • Using a partial-clone and sparse-checkout approach to pull the necessary assets from the Janssen project's monorepo, reducing the attack surface.
  • Setting various environment variables to configure the different Janssen components, which should be carefully reviewed for any sensitive information or security vulnerabilities.
  • Adjusting the ownership and permissions of directories and files to ensure they are accessible by the non-root jans user running the container.
  • Creating a non-root jans user to run the application, which is a recommended security practice.
  • Setting up logging to forward the Nginx access and error logs to stdout and stderr.
  • Copying Nginx configuration files for the different Janssen components, which should be reviewed for any potential security issues.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.