Eliminating OS-Level CVEs from Flyway Docker Images with Distroless

The Problem

If you run database migrations with Flyway inside Docker containers, you’ve probably noticed the steady stream of CVE findings from your vulnerability scanner. AWS ECR image scanning, Trivy, Grype — they all flag the same thing: dozens of OS-level vulnerabilities in the base image that have nothing to do with your migrations. The official Flyway Docker image is built on Debian with a full JDK installation. That means you’re shipping apt, bash, curl, openssl, hundreds of shared libraries, and an entire Linux userspace — all so you can run a Java process that connects to PostgreSQL and executes SQL files. Every one of those packages is a potential source of CVE findings, and most of them will never be patched in the Flyway image because Redgate doesn’t rebuild on every upstream security release. ...

May 21, 2026 · 8 min · 1507 words · Scott Brown

Allowing Java WARs to Play Well with Others

You’re a software developer or an Operations person who is working with a Java application. Here are some questions for you. Do you have a WAR that you need to deploy? Do you know whether it comes to you preconfigured or as a blank slate? Do you know what happens if you deploy the WAR to an application server without realizing that it is preconfigured? I’ve now seen this many times and I’m here to get up on my soapbox and say something. Java was originally intended to be write once, run anywhere, but I have repeatedly seen the configuration embedded within the WAR container. This embedding renders the WAR file useless to run anywhere but the exact machine/platform/environment that the configuration was written for. ...

June 6, 2014 · 3 min · 552 words · Scott Brown

Beware of Incorrect Usage in Accessor Methods

When people have looked at my code, specifically my test code, one of the most common things they ask is why I test my getters and setters. They see this as a weird thing to do, but I tend to be a very paranoid defensive programmer, so I like to ensure that my getters and setters aren’t actually modifying anything they shouldn’t. “That is paranoid, Scott” you proclaim, and try to enlighten me about all the accessor methods that never modify anything. But I’ve been burned by this assumption often, and a simple and stupid unit test ensures that the code is adhering to my assumptions. It’s quick and painless. ...
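The kind of "simple and stupid" accessor test described above, as an added example that is not code from the original post. The `ConnectionSettings` bean and its copy-paste defect (`setPort` assigning to the wrong field) are constructed for illustration; the test framework is assumed to be JUnit 5.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.Test;

// Hypothetical bean with a copy-paste defect: setPort() writes to 'timeout'
// instead of 'port'. Nothing in the compiler or a code review tool will flag
// this; a round-trip accessor test catches it immediately.
class ConnectionSettings {
    private String host;
    private int port;
    private int timeout;

    public String getHost() { return host; }
    public void setHost(String host) { this.host = host; }

    public int getPort() { return port; }
    public void setPort(int port) { this.timeout = port; }   // BUG: should assign this.port

    public int getTimeout() { return timeout; }
    public void setTimeout(int timeout) { this.timeout = timeout; }
}

class ConnectionSettingsTest {
    // Set every field, then read every field back: each setter must change
    // exactly its own field, and each getter must return what was set.
    @Test
    void settersTouchOnlyTheirOwnField() {
        ConnectionSettings s = new ConnectionSettings();
        s.setHost("db.internal");   // constructed sample values
        s.setPort(5432);
        s.setTimeout(30);

        assertEquals("db.internal", s.getHost());
        assertEquals(5432, s.getPort());   // fails against the buggy setter: getPort() returns 0
        assertEquals(30, s.getTimeout());
    }
}
```

Setting all fields before reading any of them matters: if the test set and read one field at a time, the stray write to `timeout` would be overwritten by the later `setTimeout(30)` and only the `port` assertion would reveal the defect. The order used here makes a setter that clobbers a neighbouring field show up regardless of which field it clobbers.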

August 26, 2013 · 3 min · 512 words · Scott Brown