
I am playing with Renovate to help keep the base images in my Dockerfiles up to date.

I am using openjdk:17-slim as the image to try this with. I have observed the following:

Approximately two weeks ago, if you did a docker pull openjdk:17-slim, you would get an image with the sha sha256:a507bb03601e726027ad01ae3f540c8b936ec1ab75512767a4e2e732da4fe7e3.

I will use this as my test sha as I want to see how/what Renovate will update me to.

In order to use Renovate you need to use the sha instead of the tag, so in my Dockerfile I put -

FROM openjdk@sha256:a507bb03601e726027ad01ae3f540c8b936ec1ab75512767a4e2e732da4fe7e3

I next run renovate and it suggests (via a merge request) to use this sha as the latest -

FROM openjdk@sha256:ed71f9910039df3e8624c3a059215cfefa5e3c5aecf5a53e200a763311fccb6d

I noticed that it was a little bigger, and when I looked up the sha it brought me here, which did not give me any detail about it (like whether it was a slim image) -

I next ran Trivy scans on both the original sha and the new sha to see what CVE differences there might be, and I noticed that Trivy gives you a quick description of what it is when you run it (nice to know!).

The Trivy scan on the original sha (ending in 4fe7e3) stated that it was debian 11.3.

The Trivy scan on the sha (ending in ccb6d) that Renovate wants to upgrade to states that it is oracle 8.5.

I performed a docker inspect on both images and they were both openJDK 17 based (which is what is most important here).

The Trivy report did have many fewer vulnerabilities in the oracle image than the debian (slim) one.

So my questions are:

1 - Is there a way to have Renovate suggest using the slim packages instead of changing it from slim to oracle?

2 - Other than size (not a huge difference) and vulnerabilities (the oracle one has much fewer vulnerabilities), is there any other reason I should not be using the oracle one that Renovate suggested? Why is it named oracle?

ErnieAndBert

1 Answer


If you want Renovate to update only within the same tag, you will have to specify the tag and the sha256 like this:

FROM openjdk:17-slim@sha256:a507bb03601e726027ad01ae3f540c8b936ec1ab75512767a4e2e732da4fe7e3
derkoe
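The failure mode in the question is a FROM line that carries a digest but no tag, so the digest is tracked against the repository's default tag rather than 17-slim. The following is an added audit script, not code from the question, the answer or the Renovate project: it classifies every FROM reference in a Dockerfile and rewrites digest-only references into the tag-plus-digest form the answer recommends. The sample Dockerfile is constructed for the example and reuses the digests quoted in the question.

```python
import re

# Constructed sample input; the digests are the two quoted in the question.
SAMPLE_DOCKERFILE = """\
FROM openjdk@sha256:a507bb03601e726027ad01ae3f540c8b936ec1ab75512767a4e2e732da4fe7e3
FROM openjdk:17-slim@sha256:ed71f9910039df3e8624c3a059215cfefa5e3c5aecf5a53e200a763311fccb6d AS build
FROM --platform=linux/amd64 openjdk:17-slim
FROM scratch
"""

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name:
        head, _, tail = name.rpartition(":")
        if "/" not in tail:  # a ':' followed by '/' is a registry port, not a tag
            name, tag = head, tail
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    return name, tag, digest or None


def parse_from_line(line):
    """Return the image reference of a FROM instruction, ignoring --flags and AS alias."""
    tokens = line.split()
    if not tokens or tokens[0].upper() != "FROM":
        return None
    args = [t for t in tokens[1:] if not t.startswith("--")]
    return args[0] if args else None


def pin_with_tag(ref, tag):
    """Rewrite a digest-only reference as name:tag@digest (the answer's fix)."""
    name, _, digest = parse_image_ref(ref)
    return f"{name}:{tag}@{digest}"


def audit_dockerfile(text):
    """Return (ref, verdict) per FROM line. 'digest-only' is the case from the
    question: Renovate follows the repository's default tag, not 17-slim."""
    results = []
    for raw in text.splitlines():
        ref = parse_from_line(raw)
        if ref is None or ref == "scratch":
            continue  # 'scratch' is not a pullable image
        _, tag, digest = parse_image_ref(ref)
        verdict = ("tag+digest" if tag and digest else "digest-only" if digest
                   else "tag-only" if tag else "unpinned")
        results.append((ref, verdict))
    return results
```

Running audit_dockerfile on your real Dockerfile and fixing every 'digest-only' line with pin_with_tag keeps Renovate's digest updates inside the tag you chose.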