github soketi/soketi 0.22.0

2 years ago
  • Removed obsolete files (including Log4j) from Docker context (#220)
    • The final Docker image size shrank by ~48% (from 160.5 MB to 82.7 MB)

Explanation

This Log4j issue is not a security concern.

For DynamoDB testing, soketi uses DynamoDBLocal. This server ships with additional files, including Log4j, which was recently found to have an RCE vulnerability. DynamoDBLocal uses Log4j, which is committed to the repo so that the server can start.

Docker appears to add these files and then remove them later while building the final Docker image. However, they can still be traced in the Docker image's layers.

To avoid false positives from automatic RCE checkers, these files are now kept out of the build context entirely. With the current fixes, they should be ignored and take no part in the Docker build context, alongside other obsolete files like the benchmark folder, which also reduces the final Docker image size.
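The layer behaviour and scanner hits described above, as an added example (not soketi's code): a Python scan of a constructed, simplified `docker save`-style archive in which a Log4j jar is added in one layer and deleted by a whiteout entry in the next. The file names, layer paths and the use of a whiteout for the removal are assumptions made for illustration.

```python
import io
import json
import tarfile

def _tar(files):
    """Build an in-memory tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed sample: layer 0 adds a Log4j jar, layer 1 deletes it via a whiteout."""
    layer0 = _tar({"app/lib/log4j-core-SAMPLE.jar": b"x", "app/server.js": b"y"})
    layer1 = _tar({"app/lib/.wh.log4j-core-SAMPLE.jar": b""})
    manifest = json.dumps([{"Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar({"manifest.json": manifest, "l0/layer.tar": layer0, "l1/layer.tar": layer1})

def scan_image(image_bytes, needle="log4j"):
    """Return (hits found in any layer, hits still present in the final filesystem)."""
    in_layers, final = [], set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer = tarfile.open(fileobj=io.BytesIO(img.extractfile(layer_name).read()))
            for member in layer.getmembers():
                directory, _, base = member.name.rpartition("/")
                if base.startswith(".wh."):
                    # Whiteout: hides the file from now on; the earlier layer still holds it.
                    final.discard(f"{directory}/{base[4:]}" if directory else base[4:])
                    continue
                final.add(member.name)
                if needle in base.lower():
                    in_layers.append((layer_name, member.name))
    return in_layers, sorted(p for p in final if needle in p.lower())

if __name__ == "__main__":
    layer_hits, final_hits = scan_image(build_sample_image())
    print("found in layers:", layer_hits)
    print("present in final filesystem:", final_hits)
```

A scanner that inspects every layer reports the jar even though the final filesystem no longer contains it; keeping the file out of the build context removes the hit at its source.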
