@Mehar-Shafaat-Ullah Mehar-Shafaat-Ullah commented Dec 16, 2025

@Amitabh-DevOps

I noticed that the Dockerfile was using the openjdk:17-alpine tag, which seems to be unavailable, causing build issues. I've replaced it with the eclipse-temurin:17-jdk-alpine image, which is a stable and well-supported JDK 17 base image from the Eclipse Temurin project. This change should resolve the issue and improve build consistency.

Changes:

  • Updated FROM openjdk:17-alpine to FROM eclipse-temurin:17-jdk-alpine

Summary by CodeRabbit

  • Chores
    • Updated Docker base images for both build and deployment stages to Eclipse Temurin Java 17, improving runtime compatibility and security.
  • Documentation
    • Added runtime-related comments in the Dockerfile to clarify image choices and runtime expectations.

coderabbitai bot commented Dec 16, 2025

Walkthrough

Updated the Dockerfile: switched the builder base image to maven:3.8.3-eclipse-temurin-17, corrected a malformed COPY/FROM sequence into separate steps, changed the deployer base image to eclipse-temurin:17-jdk-alpine, and added a runtime-related comment. No code or public API signatures changed.

Changes

Cohort / File(s): Dockerfile edits (Dockerfile)
Summary:
- Builder base image changed from maven:3.8.3-openjdk-17 to maven:3.8.3-eclipse-temurin-17.
- Fixed malformed COPY . /appFROM ... into separate COPY and FROM steps.
- Deployer base image changed from openjdk:17-alpine to eclipse-temurin:17-jdk-alpine.
- Added a runtime-related comment noting use of eclipse-temurin:17-jdk-alpine.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review focus:
    • Validate the intended builder image tag (maven:3.8.3-eclipse-temurin-17) and availability.
    • Confirm the corrected COPY/FROM ordering/build stages are syntactically and functionally correct.
    • Verify the deployer image change to eclipse-temurin:17-jdk-alpine matches runtime needs and layers.
    • Ensure the added comment is accurate and non-misleading.

Poem

🐰 I hopped through lines of Docker ink,
Swapped builders, fixed a broken link,
Deployer donned Temurin's hat,
Layers tidy, image pat,
A carrot-toast to a cleaner build 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: updating the OpenJDK base image in the Dockerfile to a valid, available tag (from openjdk:17-alpine to eclipse-temurin:17-jdk-alpine).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cffede8 and ee961b6.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
Dockerfile (1)

23-26: Consider using eclipse-temurin:17-jre-alpine for a more optimized runtime image.

The switch to Eclipse Temurin for the deployer stage aligns well with the builder stage (line 8) and modernizes from the deprecated openjdk:17-alpine. However, for runtime containers, using the JRE-only variant (17-jre-alpine) would be more appropriate than JDK, reducing image size by excluding unnecessary build tools.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bceef5 and a6044d4.

📒 Files selected for processing (1)
  • Dockerfile (2 hunks)
🧰 Additional context used
🪛 Hadolint (2.14.0)
Dockerfile

[error] 13-13: COPY with more than 2 arguments requires the last argument to end with /

(DL3021)

Dockerfile Outdated

# Copy source code from local to container
COPY . /app
COPY . /appFROM openjdk:17-jdk-alpine as deployer

⚠️ Potential issue | 🔴 Critical

Critical syntax error: Two Docker commands concatenated into one line.

Line 13 contains a malformed command that concatenates COPY and FROM instructions. This will cause the Docker build to fail immediately with a syntax error.

Apply this diff to fix the syntax error:

-COPY . /appFROM openjdk:17-jdk-alpine as deployer
+COPY . /app
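
Review bot: the `+` line restores only `COPY . /app` and drops the `FROM openjdk:17-jdk-alpine as deployer` half of the fused line, while the context quoted above already has `COPY . /app` on the line before it, so applying this as written leaves a duplicate COPY and silently discards the FROM. If the deployer stage is declared further down the file, delete the fused line outright; otherwise put the `FROM ... as deployer` instruction on its own line at the point where that stage should begin.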
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY . /appFROM openjdk:17-jdk-alpine as deployer
COPY . /app
🧰 Tools
🪛 Hadolint (2.14.0)

[error] 13-13: COPY with more than 2 arguments requires the last argument to end with /

(DL3021)

🤖 Prompt for AI Agents
In Dockerfile around line 13, the line currently concatenates two Docker
instructions ("COPY . /appFROM openjdk:17-jdk-alpine as deployer"); split this
into two separate lines so each Dockerfile directive stands alone: place "COPY .
/app" on its own line and "FROM openjdk:17-jdk-alpine as deployer" on its own
line; if this is intended to start a new build stage, ensure the FROM line
begins the stage (move it before any stage-specific COPY if necessary).

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6044d4 and 371deaf.

📒 Files selected for processing (1)
  • Dockerfile (2 hunks)

Comment on lines +6 to +8
# FROM maven:3.8.3-openjdk-17 as builder
# Import docker image with Maven and JDK 17 (from Eclipse Temurin)
FROM maven:3.8.3-eclipse-temurin-17 as builder
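
Review bot: the new `FROM maven:3.8.3-eclipse-temurin-17 as builder` on line 8 references a mutable tag with no digest, so a later rebuild can pull a different builder image without any change to this file; append the image's `@sha256:` digest once it has been verified. Line 6 also keeps the previous `FROM` as a commented-out instruction, which the PR history already records and which can be dropped.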

⚠️ Potential issue | 🟠 Major

Consider upgrading to a newer Maven version instead of 3.8.3.

The maven:3.8.3-eclipse-temurin-17 tag appears to exist on Docker Hub, but it is not part of the actively maintained tags. Current supported Maven images use 3.9.11 or later versions with Eclipse Temurin. Since the PR objective is to fix unavailable base images, upgrading to maven:3.9.11-eclipse-temurin-17 or maven:3.8.9-eclipse-temurin-17 would be preferable for receiving security updates and ongoing support.

The eclipse-temurin:17-jdk-alpine image tag is actively available and appropriate for the deployer stage.

🤖 Prompt for AI Agents
In Dockerfile around lines 6 to 8, the base image uses an older, unmaintained
tag `maven:3.8.3-eclipse-temurin-17`; update the builder stage to a supported
Maven tag such as `maven:3.9.11-eclipse-temurin-17` (or at minimum
`maven:3.8.9-eclipse-temurin-17`) to ensure security updates and ongoing
support, and for the deployer stage prefer switching to an actively maintained
JDK runtime like `eclipse-temurin:17-jdk-alpine` as suggested by replacing the
FROM lines accordingly.

Comment on lines +23 to +25
# FROM openjdk:17-alpine as deployer
# Use eclipse-temurin:17-jdk-alpine for runtime
FROM eclipse-temurin:17-jdk-alpine as deployer
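
Review bot: `as deployer` on line 25 pairs a lowercase `as` with an uppercase `FROM`, which Docker's FromAsCasing build check warns about; write `AS deployer` (the builder stage on line 8 has the same casing). The comment on line 24 calls this the runtime image while the tag selected is the full JDK, so the comment should state why the JDK is needed at runtime or the tag should be changed to match it.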

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

eclipse-temurin 17-jdk-alpine Docker image

💡 Result:

Summary — eclipse-temurin:17-jdk-alpine

  • What it is: the Eclipse Temurin OpenJDK 17 JDK packaged on an Alpine Linux base (musl libc). [1][2]
  • Official source: image published on Docker Hub as eclipse-temurin:17-jdk-alpine. [1][2]
  • Typical notes: smaller image size (Alpine) but uses musl instead of glibc — some Java native libraries or JVM features may be incompatible or require workarounds. Test your app on the image before production. [2][3]
  • Pull command:
    docker pull eclipse-temurin:17-jdk-alpine. [1]

References
[1] Docker Hub — eclipse-temurin (image / tags).
[2] Docker Hub — image layer / eclipse-temurin:17-jdk-alpine.
[3] EchoHQ / ecosystem notes on Temurin Alpine variants (compatibility discussion).


🌐 Web query:

eclipse-temurin 17-jdk-alpine security vulnerabilities

💡 Result:

Short answer: eclipse-temurin:17-(jdk|jre)-alpine images have shown multiple security alerts tied to vulnerable Alpine packages and a few Java CVEs; fixes usually require rebuilding the Alpine-based image (to pick up updated Alpine/OpenJDK packages) or switching to a non‑Alpine Temurin image. Sources and examples below.

Evidence / notes

  • Users reported a high‑severity libexpat/Alpine package vulnerability affecting Alpine-based Temurin images (issue discussion in docker-library). [1]
  • Adoptium maintainers/issues show specific CVE reports against eclipse-temurin:17-jre-alpine (example: CVE-2024-8176) and requests to rebuild the image to remediate. [2]
  • Several CVEs affecting Java/Graal/OpenJDK packaged in Alpine appear in vulnerability databases; Rapid7 lists multiple Alpine/Java CVEs (CVE-2024-20955, CVE-2024-21211, CVE-2023-22025, etc.) that have been surfaced for Alpine Java builds. [3][4][5]

Recommendations

  • If you rely on alpine images, rebuild or pull the latest eclipse-temurin:17-jdk-alpine image once the upstream image is rebuilt (or rebuild your own from a current alpine base) to get patched Alpine packages. [1][2]
  • Alternatively, use the non‑Alpine Temurin 17 images (e.g., debian/buster‑slim or slim variants) until the Alpine images are rebuilt, since many reports recommend that as a mitigation. [1][2]

Sources

  1. docker-library issue re: libexpat / Alpine affecting temurin images.
  2. adoptium/adoptium-support issue: eclipse-temurin:17-jre-alpine vulnerability (CVE-2024-8176).
  3. Rapid7 — Alpine Linux CVE‑2024‑20955.
  4. Rapid7 — Alpine Linux CVE‑2024‑21211.
  5. Rapid7 — Alpine Linux CVE‑2023‑22025.

(If you want, I can check the current Temurin 17 Alpine image build date and list exact CVE IDs affecting the exact image digest you use.)


🌐 Web query:

openjdk alpine image deprecated

💡 Result:

Short answer: The official openjdk Docker image (including many alpine tags) is deprecated/removed. The Docker Official Image maintainers deprecated the openjdk repo and many Alpine-based OpenJDK tags were discontinued because upstream OpenJDK builds are glibc‑based (Alpine uses musl), causing compatibility and build/support issues. Migrate to a maintained distribution (examples: eclipse‑temurin, amazoncorretto, ibm‑semeru, liberica/zulu where available) or use glibc‑based slim Debian images. [1][2][3]

Actionable links:

  • Docker Hub deprecation notice for openjdk. [1]
  • docker-library/openjdk (DEPRECATED) repo. [2]
  • Explanation of why Alpine OpenJDK tags were removed (musl vs glibc / upstream builds). [3]

References:
[1] Docker Hub — openjdk (deprecation notice).
[2] docker-library/openjdk (GitHub) — DEPRECATED.
[3] Discussion / explanation (StackOverflow / docker-library PRs) about Alpine (musl) incompatibility with upstream OpenJDK builds.


Reconsider the Eclipse Temurin Alpine variant due to known vulnerabilities.

While moving from the deprecated openjdk:17-alpine to a maintained distribution is the correct direction, eclipse-temurin:17-jdk-alpine images have shown multiple security alerts tied to vulnerable Alpine packages and a few Java CVEs. Recent vulnerabilities include CVE-2024-8176 and other CVEs affecting Alpine/Java packages (CVE-2024-20955, CVE-2024-21211, CVE-2023-22025).

Additionally, Alpine uses musl instead of glibc — some Java native libraries or JVM features may be incompatible or require workarounds.

Recommended mitigations:

  • Use a non-Alpine Temurin 17 variant (e.g., eclipse-temurin:17-jdk-slim or debian-based) instead, or
  • Ensure strict vulnerability scanning (e.g., Trivy/Snyk) in CI/CD and commit to rebuilding the Alpine image regularly to pick up patched Alpine packages.
🤖 Prompt for AI Agents
In Dockerfile around lines 23 to 25, the base image was changed to
eclipse-temurin:17-jdk-alpine which has known Alpine- and Java-related CVEs and
musl incompatibilities; replace that image with a non-Alpine Temurin 17 variant
(for example use eclipse-temurin:17-jdk-slim or another debian-based Temurin 17
image) by updating the FROM line, ensure the image tag or digest is pinned for
reproducibility, and add/enable vulnerability scanning (Trivy/Snyk) in CI and a
policy to regularly rebuild base images to pick up security fixes.
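
A small linter for the Dockerfile issues raised in this review thread: the fused `COPY . /appFROM` line, the deprecated `openjdk` repository, tags not pinned by digest, and a JDK tag in the final stage. This is an added example, not code from the PR or from CodeRabbit; the function name `lint_dockerfile`, the rule names and the sample Dockerfile are constructed for illustration, and the fused-instruction check is a heuristic.

```python
import re

# Keyword glued to the end of an argument, e.g. the PR's "COPY . /appFROM ...".
FUSED = re.compile(r"[a-z0-9](?:FROM|RUN|COPY|ADD|CMD|ENTRYPOINT|WORKDIR)\s")
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
DEPRECATED = {"openjdk", "library/openjdk", "docker.io/library/openjdk"}

def lint_dockerfile(text):
    """Return (line_no, rule, detail) findings for one Dockerfile."""
    findings, aliases, last = [], set(), None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out FROM is not a build stage
        if FUSED.search(line):
            findings.append((no, "fused-instruction", line))
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.groups()
        last = (no, image)
        stage_ref = image.lower() in aliases or image == "scratch"
        if alias:
            aliases.add(alias.lower())
        if stage_ref:
            continue  # earlier stage or empty base: nothing is pulled
        name = image.split("@")[0]
        if re.sub(r":[^/]*$", "", name) in DEPRECATED:
            findings.append((no, "deprecated-repo", image))
        if "@sha256:" not in image:
            findings.append((no, "unpinned-tag", image))
    # The last FROM is the image that ships; a JDK tag there carries build tools.
    if last and re.search(r":[^/]*jdk[^/]*$", last[1].split("@")[0]):
        findings.append((last[0], "jdk-in-final-stage", last[1]))
    return findings

# Constructed sample: FROM/COPY lines follow the PR, the rest is illustrative.
SAMPLE = """\
FROM maven:3.8.3-eclipse-temurin-17 as builder
COPY . /app
COPY . /appFROM openjdk:17-jdk-alpine as deployer
RUN mvn clean install -DskipTests=true
# FROM openjdk:17-alpine as deployer
FROM eclipse-temurin:17-jdk-alpine as deployer
COPY --from=builder /app/target/*.jar /app/app.jar
"""

if __name__ == "__main__":
    print(*lint_dockerfile(SAMPLE), sep="\n")
```

Run as a pre-merge check, a non-empty result can fail the job before the image is built; it complements an image scanner such as Trivy rather than replacing one.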

@Mehar-Shafaat-Ullah Mehar-Shafaat-Ullah deleted the fix-dockerfile-openjdk-tag branch December 16, 2025 14:49
@Mehar-Shafaat-Ullah Mehar-Shafaat-Ullah restored the fix-dockerfile-openjdk-tag branch December 16, 2025 14:49

Mehar-Shafaat-Ullah commented Dec 16, 2025

@Amitabh-DevOps
The previous openjdk:17-alpine base image is deprecated, etc., and often leads to "manifest for openjdk:17-alpine not found: manifest unknown: manifest unknown". I have updated the Dockerfile to use the Eclipse Temurin distribution to ensure a more stable and maintained build environment.

Changes made:

Stage 1: Updated builder image from maven:3.8.3-openjdk-17 to maven:3.8.3-eclipse-temurin-17.

Stage 2: Updated runtime image from openjdk:17-alpine to eclipse-temurin:17-jdk-alpine to reduce final image size while maintaining compatibility.
