New Java Base packages

[spalatnik]

Our security scans reveal that

Name: openjdk-21-jre-base, Version: 21.0.5-r1
CVE-2025-21502, Severity: MEDIUM, Source: https://github.com/wolfi-dev/advisories/blob/main/openjdk-21.advisories.yaml
CVSS score: 4.8, CVSS exploitability score: 2.2
🩹 Fixed version: 21.0.6-r0

The advisory says the fix version is 21.0.6-r0 but there is no such package for the base(headless) package: https://pkgs.org/search/?q=openjdk-21-jre-base

Is it possible for you guys to build a new version of the base(headless) package to fix this vulnerability, or is the base package discontinued?

[xnox]

jre-base subpackages were removed from Wolfi on January 14 2025 and have not been updated since. If you pin or use those package names you are not receiving any updates to those. See:

• openjdk: Use JRE build for JRE subpackage #39422

To receive Java 21 with CVE SLA and support please consider purchasing https://images.chainguard.dev/directory/image/jdk/versions https://images.chainguard.dev/directory/image/jre/versions which are always up to date, provide version tags for all micro releases, and always contain correct package composition configuration.

[spalatnik]

Thank you for adding the ticket for context. Very helpful. I agree your paid images for JRE are great, but they don't have the minimal headless(base) versions which are smaller than the full JRE. We don't need all the dependencies of the full stack JRE so that's why we started using base. I am able to re-create the base by following the code in the ticket you shared, so I think we have a path forward for the minimal image. Many thanks.

[xnox]

@spalatnik the most optimal recommendation is to simply use the jdk image or package; then use jlink to create bespoke jre installation with selecting modules you want or need. Possibly as a catch all equivalent of jre-base, but also even smaller than that. This would allow you to drop shared library dependencies, and also java modules.

Note that security scanning will continue to work because all binaries have ELF note metadata, which persists even across jlink and can identify the jlinked JRE as originating from wolfi.