Bumped NDK version to 27 #1278

Open
wants to merge 3 commits into
base: main
jkurdek
Member

@jkurdek jkurdek commented Dec 4, 2024

Updates the container to use LTS Android NDK. Should be merged just before the runtime changes PR: dotnet/runtime#110393

@jkoritzinsky
Member

Can you remove the deletion of clang-tidy now that we're updating the NDK?

@jkurdek
Member Author

jkurdek commented Dec 4, 2024

@jkoritzinsky should we also remove the deletion of python site packages? NDK 27 contains python 3.11

@jkoritzinsky
Member

I'm not sure if we can remove the site packages deletion. If you try locally, can you run docker scout cves on the image and ensure it comes back clean? When I tried with NDK 27 the python version inside of the LLVM prebuild was still causing issues.

@jkurdek
Member Author

jkurdek commented Dec 5, 2024

I checked - python site packages need to be removed. Also, even after removing site packages the output is not entirely clear. There are some vulnerabilities around pkg:npm/cross-spawn@… and pkg:nuget/System.Formats.Asn1@…, but I can see they are there even without the bump.

@jkoritzinsky
Member

What's the path of the npm/cross-spawn one?

The System.Formats.Asn1 one isn't one I'm worried about (as that's one of our packages, the docker team knows how to fix that one).

@akoeplinger
Member

npm/cross-spawn is coming from /usr/lib/node_modules/npm/node_modules/cross-spawn/package.json so from the upstream Azure Linux npm package.

The System.Formats.Asn1 is coming from /opt/microsoft/powershell/7/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json
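
The two paths above show that each finding is tied to a metadata file that records the package, not necessarily to code the image builds itself. As an added example (not code from this PR or the dotnet repositories), the script below searches an unpacked image root filesystem for the npm `package.json` or SPDX manifest that names a flagged package; the function names, the sample tree and its `0.0.0` versions are constructed for illustration.

```python
import json
import os
import tempfile

def locate_package(root, name):
    """Return sorted (relative_path, source, version) records that name `name`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            try:
                if fname == "package.json":
                    with open(path, encoding="utf-8") as fh:
                        doc = json.load(fh)
                    if isinstance(doc, dict) and doc.get("name") == name:
                        hits.append((rel, "npm", doc.get("version", "")))
                elif fname.endswith(".spdx.json"):
                    with open(path, encoding="utf-8") as fh:
                        doc = json.load(fh)
                    for pkg in doc.get("packages", []):
                        if pkg.get("name") == name:
                            hits.append((rel, "spdx", pkg.get("versionInfo", "")))
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed metadata: skip, keep scanning
    return sorted(hits)

def build_sample_rootfs(root):
    """Constructed sample tree; versions are placeholders, not the real ones."""
    files = {
        "usr/lib/node_modules/npm/node_modules/cross-spawn/package.json":
            {"name": "cross-spawn", "version": "0.0.0"},
        "opt/microsoft/powershell/7/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json":
            {"spdxVersion": "SPDX-2.2",
             "packages": [{"name": "System.Formats.Asn1", "versionInfo": "0.0.0"}]},
        "usr/lib/node_modules/npm/package.json": {"name": "npm", "version": "0.0.0"},
    }
    for rel, doc in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(doc, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        for pkg in ("cross-spawn", "System.Formats.Asn1"):
            print(pkg, locate_package(root, pkg))
```

A hit reported as `spdx` means the package is listed in a bill-of-materials file, so the fix belongs to whoever ships that manifest.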

@@ -27,8 +27,7 @@ RUN /usr/local/cmdline-tools/cmdline-tools/bin/sdkmanager --sdk_root="${ANDROID_

# We can't upgrade the NDK version as the runtime repo requires tooling that only exists up to NDK 23
# Remove all components of NDK 23 that are flagged by security scanners
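
Review bot: the two comment lines kept as context in this hunk still say the NDK cannot be upgraded past 23 and describe the removals as "components of NDK 23", which no longer matches a PR titled as a bump to NDK 27. Reword them to name the NDK version now installed and to state why the removals stay (the thread reports that the python site packages still have to be removed on the new NDK), so a later cleanup does not drop them as NDK 23 leftovers.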
Member

comment should be updated since it doesn't apply anymore

@jkoritzinsky
Member

In that case, I think both of those are "fine" in the sense that S360 hasn't flagged them for us to fix.

@akoeplinger
Member

We could also remove the manual copying of Java since Azure Linux 3.0 now provides an out of the box package for msopenjdk-17 that we can install via tdnf

@jkurdek
Member Author

jkurdek commented Dec 10, 2024

@akoeplinger if we remove Java copying here, what runtime changes would we have to implement?

@akoeplinger
Member

none, we'd just install the msopenjdk-17 package instead of the COPY --from=mcr.microsoft.com/openjdk/jdk:17-mariner $JAVA_HOME $JAVA_HOME. I can send a PR later, it's just an optimization.
