Hi @jclausen / @bdw429s According to HackMyCF, the current version of Java which we are using with Commandbox (11.0.14.1) has a security update available Looking at https://adoptium.net/temurin/releases, latest release of Java 11 is jdk-11.0.15+10 Within our build we have updated to use the following command:

box server java install openjdk11_jre_x64_linux_hotspot_jdk-11.0.15+10 --setDefault

this gives the following:

#11 13.96  × | Installing package [java:openjdk11_jre_x64_linux_hotspot_jdk-11.0.15+10:lockVersion]
#11 13.96    | Installing [openjdk11_jre_x64_linux_hotspot_jdk-11.0.15+10]
#11 13.96    | Java version:              openjdk11
#11 13.96    | Java type:                 jre
#11 13.96    | Java arch:                 x64
#11 13.96    | Java os:                   linux
#11 13.96    | Java jvm-implementation:   hotspot
#11 13.96    | Java release:              jdk-11.0.15+10
#11 13.96    | Hitting the AdoptOpenJDK API to find your download.
#11 13.96    | <https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%29?page_size>
#11 13.96    | =1000&release_type=ga&vendor=adoptopenjdk&project=jdk&heap_size=normal
#11 13.96    | &jvm_impl=hotspot&os=linux&architecture=x64&image_type=jre
#11 13.96    | This specific Java version doesn't seem to exist.  Valid [openjdk11] r
#11 13.96    | eleases are [jdk-11.0.14.1+1, jdk-11.0.14+9, jdk-11.0.13+8, jdk-11.0.1
#11 13.96    | 2+7, jdk-11.0.11+9, jdk-11.0.10+9, jdk-11.0.9.1+1, jdk-11.0.9+11.1, jd
#11 13.96    | k-11.0.9+11, jdk-11.0.8+10].
#11 13.97 ERROR (5.4.2+00453)
#11 13.97 
#11 13.97 This specific Java version doesn't seem to exist.  Valid [openjdk11] releases are [jdk-11.0.14.1+1, jdk-11.0.14+9, jdk-11.0.13+8, jdk-11.0.12+7, jdk-11.0.11+9, jdk-11.0.10+9, jdk-11.0.9.1+1, jdk-11.0.9+11.1, jdk-11.0.9+11, jdk-11.0.8+10].

Looking at this, CommandBox is attempting to identify available java versions from https://api.adoptopenjdk.net/ If you go to https://api.adoptopenjdk.net/ then you see the following message:

AdoptOpenJDK has moved, the blue download button will take you to the new location.

(blue button links to the adoptium link above) If I understand correctly, it would appear that the functionality for

box server java install

needs to be updated in order to get any releases subsequent to jdk-11.0.14.1+1 Is that something which is in the pipeline (and if so, when)? If not, is there an alternate approach which can be safely used in the meantime to include and get box to use later java version? we are using docker with our image with the base image using official docker image as follows:

FROM ortussolutions/commandbox:3.4.5

@danlance The bleeding edge of CommandBox has already been moved over to the new Adoptium API a few months back

Ah ok - yeah we are still running 5.3.7 for most our servers, sue to significant incompatibility issues with 5.3.8 for one of the apps we are running

Honestly, I think you're going about this wrong if you're using this in docker

?

CommandBox's feature to download JREs is a great way to test or use differnt Java versions for local dev, a CI server, or even maybe a long-lived prod VM with lots of hard drive space

@bdw429s @danlance I am on PTO right now, but I can try to retrigger a build and bump the patch version tonight.

@jclausen that would be absolutely very much appreciated if it is possible… typically this java security alert comes out right when we are running final test scripts prior to a relatively time sensitive and complex migration - Sod’s law…

@danlance I was able to do what I needed to from my phone. When this build completes, the JDK will be updated: https://github.com/Ortus-Solutions/docker-commandbox/actions/runs/2241265381

In related new-- Lucee 5.3.9 just went gold a few minutes ago

Ah cool - I presume we can still use previous versions of Lucee with that?

You can always start a server with whatever version of Lucee or Adobe you choose.

Ah ok - so if we use anything other than default, we will have 2 copies of Lucee I presume?

Depends

We definitely need to look at updating our build process - as our current builds can not be described as small… We are currently relying on processing of environment variables on each instance at run time - so we have CB in our prod builds… which are somewhat massive - they work… but instance startup time can be an issue for autoscaling in high traffic situations… …I just need to get some available client budget for fixing something which already works…

Well, some people choose flexibility over size

We already have fixed builds per environment for one of the larger apps, dues to dependencies on an infrastructure level… so moving some of the config back to the build server… is not out of the question… one of our larger images is 2.15GB… and takes 10 minutes before it can handle traffic (including spawning a new host server) Not all of that is docker related… app itself takes a while to load - but at least 6 minutes from when server is up to when app is up

holy cow, that's a lot 😉

and that is warmed up as well

Which may not be a big issue in reality if you have the time and bandwidth

Lucee

Good 🙂

Only time it has been an issue is during DOS with enough traffic to overwhelm 4 instances… tatking them down faster than they could be spawned

I couldn't add the tag from my phone and it is a different build. I will when I get back in front of a keyboard. You can just use :latest for now.

still on old java version

Hmm. That means that adoptopenjdk hasn’t even published that version yet

yeah - its only available from https://adoptium.net/temurin/releases

@jclausen It would appear update 15 is on the new adoptium API, but not on the deprecated adopt api yet

@danlance The new containers just released today will get you back on the JDK upgrade path

Thanks @jclausen - much appreciated 🙂