
@wendigo wendigo commented Oct 8, 2025

Description

This doesn't address any exploitable CVE but makes scanners happy :)

Before:

NAME                INSTALLED                FIXED IN                                            TYPE          VULNERABILITY        SEVERITY  EPSS           RISK   
mina-core           2.2.3                    2.2.4                                               java-archive  GHSA-76h9-2vwh-w278  Critical  36.5% (96th)   34.3   
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-7264        Low       7.1% (91st)    2.9    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-7264        Low       7.1% (91st)    2.9    
shadow-utils        2:4.9-12.el9                                                                 rpm           CVE-2024-56433       Low       3.6% (87th)    1.2    
tar                 2:1.34-7.el9             (won't fix)                                         rpm           CVE-2005-2541        Medium    1.5% (80th)    0.9    
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-9681        Low       0.6% (67th)    0.2    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-9681        Low       0.6% (67th)    0.2    
openssl-libs        1:3.2.2-6.el9_5.1        (won't fix)                                         rpm           CVE-2024-41996       Low       0.4% (62nd)    0.2    
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2024-11053       Low       0.3% (55th)    0.1    
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2024-11053       Low       0.3% (55th)    0.1    
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-30749       High      0.2% (39th)    0.1    
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-50106       High      0.2% (39th)    0.1    
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2024-34459       Low       0.2% (43rd)    < 0.1  
glib2               2.68.4-16.el9_6.2                                                            rpm           CVE-2023-32636       Low       0.2% (38th)    < 0.1  
jetty-http2-common  12.0.23                  12.0.25                                             java-archive  GHSA-mmxm-8w33-wc4h  High      < 0.1% (22nd)  < 0.1  
openjdk             24+36                    11.0.28, 17.0.16, 21.0.8, *24.0.2                   binary        CVE-2025-50059       High      < 0.1% (21st)  < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-1632        Low       0.2% (36th)    < 0.1  
commons-lang3       3.15.0                   3.18.0                                              java-archive  GHSA-j288-q9x7-2f5v  Medium    < 0.1% (20th)  < 0.1  
curl-minimal        7.76.1-31.el9_6.1                                                            rpm           CVE-2025-9086        Medium    < 0.1% (22nd)  < 0.1  
libcurl-minimal     7.76.1-31.el9_6.1                                                            rpm           CVE-2025-9086        Medium    < 0.1% (22nd)  < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2024-13176       Low       < 0.1% (26th)  < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2023-45322       Low       < 0.1% (23rd)  < 0.1  
openjdk             24+36                    1.8.0_452, 8.0.452, 11.0.27, 17.0.15, *24.0.1, ...  binary        CVE-2025-21587       High      < 0.1% (12th)  < 0.1  
openjdk             24+36                    1.8.0_452, 8.0.452, 11.0.27, 17.0.15, *24.0.1, ...  binary        CVE-2025-30698       Medium    < 0.1% (17th)  < 0.1  
tar                 2:1.34-7.el9                                                                 rpm           CVE-2025-45582       Medium    < 0.1% (14th)  < 0.1  
systemd-libs        252-51.el9_6.2                                                               rpm           CVE-2025-4598        Medium    < 0.1% (16th)  < 0.1  
pcre2               10.40-6.el9                                                                  rpm           CVE-2022-41409       Low       < 0.1% (19th)  < 0.1  
pcre2-syntax        10.40-6.el9                                                                  rpm           CVE-2022-41409       Low       < 0.1% (19th)  < 0.1  
openjdk             24+36                    1.8.0_462, 8.0.462, 11.0.28, 17.0.16, *24.0.2, ...  binary        CVE-2025-30754       Medium    < 0.1% (14th)  < 0.1  
ncurses-base        6.2-10.20210508.el9_6.2                                                      rpm           CVE-2023-50495       Low       < 0.1% (15th)  < 0.1  
ncurses-libs        6.2-10.20210508.el9_6.2                                                      rpm           CVE-2023-50495       Low       < 0.1% (15th)  < 0.1  
libatomic           11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
libgcc              11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
libstdc++           11.5.0-5.el9_5                                                               rpm           CVE-2022-27943       Low       < 0.1% (15th)  < 0.1  
tar                 2:1.34-7.el9                                                                 rpm           CVE-2023-39804       Low       < 0.1% (20th)  < 0.1  
glib2               2.68.4-16.el9_6.2                                                            rpm           CVE-2025-3360        Low       < 0.1% (19th)  < 0.1  
openjdk             24+36                    21.0.7, *24.0.1                                     binary        CVE-2025-30691       Medium    < 0.1% (10th)  < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-27113       Low       < 0.1% (18th)  < 0.1  
gawk                5.1.0-6.el9                                                                  rpm           CVE-2023-4156        Low       < 0.1% (7th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9230        Medium    < 0.1% (5th)   < 0.1  
coreutils-single    8.32-39.el9                                                                  rpm           CVE-2025-5278        Medium    < 0.1% (5th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9232        Low       < 0.1% (7th)   < 0.1  
openssl-libs        1:3.2.2-6.el9_5.1                                                            rpm           CVE-2025-9231        Medium    < 0.1% (2nd)   < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-9714        Medium    < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5916        Low       < 0.1% (4th)   < 0.1  
sqlite-libs         3.34.1-8.el9_6                                                               rpm           CVE-2024-0232        Low       < 0.1% (3rd)   < 0.1  
libarchive          3.5.3-6.el9_6            (won't fix)                                         rpm           CVE-2023-30571       Medium    < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5918        Low       < 0.1% (3rd)   < 0.1  
libxml2             2.9.13-12.el9_6                                                              rpm           CVE-2025-6170        Low       < 0.1% (4th)   < 0.1  
gnupg2              2.3.3-4.el9                                                                  rpm           CVE-2022-3219        Low       < 0.1% (1st)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5917        Low       < 0.1% (3rd)   < 0.1  
gnupg2              2.3.3-4.el9                                                                  rpm           CVE-2025-30258       Low       < 0.1% (2nd)   < 0.1  
libarchive          3.5.3-6.el9_6                                                                rpm           CVE-2025-5915        Low       < 0.1% (1st)   < 0.1

After:

NAME              INSTALLED            FIXED IN     TYPE  VULNERABILITY   SEVERITY  EPSS           RISK   
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-5535   Low       7.8% (91st)    3.5    
curl              8.9.1-5.el10                      rpm   CVE-2024-7264   Low       7.1% (91st)    2.9    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-7264   Low       7.1% (91st)    2.9    
shadow-utils      2:4.15.0-5.el10                   rpm   CVE-2024-56433  Low       3.6% (87th)    1.2    
tar               2:1.35-7.el10        (won't fix)  rpm   CVE-2005-2541   Medium    1.5% (80th)    0.9    
curl              8.9.1-5.el10                      rpm   CVE-2024-6197   Medium    1.3% (78th)    0.7    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-6197   Medium    1.3% (78th)    0.7    
openssl-libs      1:3.2.2-16.el10_0.4  (won't fix)  rpm   CVE-2024-41996  Low       0.4% (62nd)    0.2    
libtasn1          4.20.0-1.el10                     rpm   CVE-2024-12133  Medium    0.3% (56th)    0.2    
curl              8.9.1-5.el10                      rpm   CVE-2024-11053  Low       0.3% (55th)    0.1    
libcurl           8.9.1-5.el10                      rpm   CVE-2024-11053  Low       0.3% (55th)    0.1    
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-4741   Low       0.1% (33rd)    < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-4603   Low       < 0.1% (26th)  < 0.1  
curl              8.9.1-5.el10                      rpm   CVE-2025-9086   Medium    < 0.1% (22nd)  < 0.1  
libcurl           8.9.1-5.el10                      rpm   CVE-2025-9086   Medium    < 0.1% (22nd)  < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2024-13176  Low       < 0.1% (26th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5987   Medium    < 0.1% (18th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5987   Medium    < 0.1% (18th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5318   Medium    < 0.1% (17th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5318   Medium    < 0.1% (17th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5372   Medium    < 0.1% (17th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5372   Medium    < 0.1% (17th)  < 0.1  
tar               2:1.35-7.el10                     rpm   CVE-2025-45582  Medium    < 0.1% (14th)  < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-5351   Medium    < 0.1% (11th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-5351   Medium    < 0.1% (11th)  < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2025-9230   Medium    < 0.1% (5th)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-8277   Low       < 0.1% (12th)  < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-8277   Low       < 0.1% (12th)  < 0.1  
curl              8.9.1-5.el10                      rpm   CVE-2025-10148  Low       < 0.1% (8th)   < 0.1  
libcurl           8.9.1-5.el10                      rpm   CVE-2025-10148  Low       < 0.1% (8th)   < 0.1  
coreutils         9.5-6.el10                        rpm   CVE-2025-5278   Medium    < 0.1% (5th)   < 0.1  
coreutils-common  9.5-6.el10                        rpm   CVE-2025-5278   Medium    < 0.1% (5th)   < 0.1  
openssl-libs      1:3.2.2-16.el10_0.4               rpm   CVE-2025-9232   Low       < 0.1% (7th)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-8114   Medium    < 0.1% (3rd)   < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-8114   Medium    < 0.1% (3rd)   < 0.1  
libssh            0.11.1-1.el10                     rpm   CVE-2025-4878   Low       < 0.1% (3rd)   < 0.1  
libssh-config     0.11.1-1.el10                     rpm   CVE-2025-4878   Low       < 0.1% (3rd)   < 0.1

Additional context and related issues

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.
(X) Release notes are required, with the following suggested text:

* Use UBI10 micro as base Docker image

Summary by Sourcery

Upgrade Docker build environment to use UBI10 images and refactor JDK handling, and update key Maven dependencies to satisfy vulnerability scanners.

Enhancements:

  • Upgrade base and build Docker images to UBI10 (ubi-micro and ubi) and switch to multi-stage builds with a packages overlay stage for runtime dependencies
  • Refactor build.sh and Dockerfile to rename JDK_VERSION to JDK_RELEASE_NAME and simplify Temurin JDK download URL construction, removing API-based release name lookup
  • Bump Maven dependencies: Jetty to 12.0.25, Airlift Units to 1.12, and Apache Mina Core to 2.2.4

@cla-bot cla-bot bot added the cla-signed label Oct 8, 2025

sourcery-ai bot commented Oct 8, 2025

Reviewer's Guide

This PR updates the Docker build process to use UBI10 images and a new JDK release naming approach, refactors package installation in the Dockerfile with an overlay stage, and bumps key Maven dependencies to satisfy security scanners.

Flow diagram for new JDK release name handling in build.sh and Dockerfile

flowchart TD
    A["Read .java-version"] --> B["Set JDK_RELEASE_NAME variable"]
    B --> C["Pass JDK_RELEASE_NAME to Docker build args"]
    C --> D["Dockerfile uses JDK_RELEASE_NAME for JAVA_HOME and JDK download URL"]

File-Level Changes

Change | Details | Files

Bump base and build images to UBI10 and rename JDK version variable
  • Default base image changed from ubi9/ubi-minimal to ubi10/ubi-micro, and build image added
  • Renamed JDK_VERSION to JDK_RELEASE_NAME in build.sh and build arguments
  • Updated Docker build commands to use JDK_RELEASE_NAME and adjusted temurin_jdk_link calls
  Files: docker/build.sh, docker/Dockerfile

Refactor Dockerfile package installation with overlay stage
  • Replaced microdnf commands with dnf
  • Introduced a 'packages' stage that installs required utilities into /tmp/overlay
  • Merged overlay into final image and removed cache files
  Files: docker/Dockerfile

Upgrade Maven dependencies to fixed versions
  • Bumped io.airlift:units from 1.10 to 1.12
  • Upgraded org.apache.mina:mina-core to 2.2.4
  • Updated Jetty dependency version to 12.0.25
  Files: pom.xml


@wendigo wendigo requested review from mosabua and oneonestar October 8, 2025 09:57

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • The build.sh usage/help text still refers to JDK_VERSION—please update it to mention JDK_RELEASE_NAME so the flags and logs stay consistent.
  • The temurin_jdk_link function signature and body no longer match (it no longer queries the API)—consider simplifying its parameters or renaming the function to avoid confusion.
  • In the jdk-download stage you’ve switched to dnf, but UBI10 micro supports microdnf; consider using microdnf there to keep the image lean.


wendigo commented Oct 8, 2025

@mosabua ptal :)

@oneonestar
Member

Looks like the scanners don't like *-minimal.
Would it be better to use ubi directly for runtime, instead of copying and overwriting a bunch of libs from ubi to ubi-micro?


wendigo commented Oct 9, 2025

@oneonestar the copy is the way you add packages to micro, which lacks a package manager.
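The overlay pattern the thread describes, as an added example rather than the project's own Dockerfile: a stage on the full UBI10 image installs RPMs into a separate root with dnf, and the ubi-micro stage, which has no package manager, receives them by COPY. The image references, the package list and the /tmp/overlay path are assumptions chosen for illustration.

```dockerfile
# Added example of the "packages overlay" pattern, not the project's Dockerfile.
# Image references, the package list and /tmp/overlay are assumptions.
ARG BASE_IMAGE=registry.access.redhat.com/ubi10/ubi-micro
ARG BUILD_IMAGE=registry.access.redhat.com/ubi10/ubi

# Stage 1: the full UBI image ships dnf, so it can resolve and install RPMs.
# --installroot writes the packages under /tmp/overlay instead of into this
# stage's own filesystem; --releasever is needed because the empty root has no
# release information to read; install_weak_deps=0 and --nodocs keep the
# overlay, and with it the number of packages a scanner will flag, small.
FROM ${BUILD_IMAGE} AS packages
RUN dnf install -y \
        --installroot=/tmp/overlay \
        --releasever=10 \
        --setopt=install_weak_deps=0 \
        --nodocs \
        tar gzip shadow-utils \
    && dnf clean all --installroot=/tmp/overlay \
    && rm -rf /tmp/overlay/var/cache/* /tmp/overlay/var/log/*

# Stage 2: ubi-micro has no package manager at all, so the only way to add
# packages is to copy already-installed files into it. COPY merges the overlay
# tree over the micro root; any file with the same path (including the rpm
# database the overlay carries) replaces the micro image's copy, so check the
# final image's package inventory with a scanner afterwards, as the Before and
# After tables in this PR do.
FROM ${BASE_IMAGE}
COPY --from=packages /tmp/overlay/ /

# Run as an unprivileged user; useradd comes from shadow-utils in the overlay.
RUN useradd --system --no-create-home --shell /sbin/nologin app
USER app
```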

@wendigo wendigo merged commit dba5d27 into main Oct 9, 2025
3 checks passed
@github-actions github-actions bot added this to the 17 milestone Oct 9, 2025
@mosabua mosabua deleted the serafin/cves branch October 11, 2025 22:59