Your Kotlin Server is Pwned
Over at Hakz, we set out to finalize templates for our Kotlin-based KTOR servers. To our surprise, the image scans kept reporting 11 vulnerabilities we couldn’t ditch. We made all sorts of changes to our API, and ultimately got to zero vulnerabilities. Here’s how we did it.
1. Avoid using Eclipse Temurin for runtime

Some of the KTOR templates I’ve seen online have Dockerfiles that look like this:
# This is BAD
# Full Debian-based JDK image: a large package set, most of it unused at runtime
FROM eclipse-temurin:22
RUN apt-get update -y
# The home directory already exists; -p keeps this (redundant) step from failing the build
RUN mkdir -p ~/
COPY build/libs/*.jar app.jar
EXPOSE 8080
CMD ["java", "-jar", "app.jar"]
As you can see, Temurin comes with Java preinstalled, so it’s an easy button for a lot of developers. The only problem is that it also comes with a lot of packages carrying known vulnerabilities. Thank goodness for Google Cloud’s Artifact Registry — their vulnerability scanner is the only system that caught the issue.

When you use Eclipse Temurin, you add around 122 dependencies to your image, whereas a basic Alpine build uses just 52 dependencies (none of which are vulnerable). Most of the vulnerable dependencies aren’t even used at runtime, so the Temurin build carries a lot of unnecessary bloat.
What we ended up doing was making Alpine more useful.
# This is GOOD
# Note: alpine:latest is unpinned, so the release (and the repository branch derived from it below)
# changes whenever a new Alpine version ships
FROM alpine:latest
# Read the base image's major.minor release from /etc/os-release and point apk at that
# release's main and community repositories, plus edge/testing
RUN ALPINE_VER=$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | cut -d. -f1,2) && \
    echo "https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VER/main" > /etc/apk/repositories && \
    echo "https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VER/community" >> /etc/apk/repositories && \
    echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update
# Install the JDK from the repositories configured above
RUN apk add openjdk22
COPY build/libs/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java","-jar","app.jar"]
With this simple change, there are a couple of improvements:
- The Alpine image now has Java installed and available at runtime
- Our deployment size decreased from 240MB to 170MB
- Zero known vulnerabilities, including at runtime
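Before baking the repositories file above into an image, it is worth checking what that RUN step actually writes. The script below is an added example, not code from the article: it reproduces the Dockerfile's version detection on a constructed /etc/os-release sample, renders the same three repository lines, and lints them, flagging the edge/testing line because mixing an edge repository into a stable Alpine release is not a supported configuration.

```shell
#!/bin/sh
# Added example, not code from the article. Reproduces the version detection
# of the Dockerfile's RUN step, renders the repositories file it writes, and
# lints that file before it is baked into an image.

# Constructed sample of /etc/os-release, as found in an alpine base image.
SAMPLE_OS_RELEASE='NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.1
PRETTY_NAME="Alpine Linux v3.20"'

# Same pipeline as the Dockerfile: VERSION_ID=3.20.1 -> 3.20
alpine_branch() {
    printf '%s\n' "$1" | grep '^VERSION_ID' | cut -d= -f2 | cut -d. -f1,2
}

# The three lines the Dockerfile echoes into /etc/apk/repositories.
render_repositories() {
    printf 'https://dl-cdn.alpinelinux.org/alpine/v%s/main\n' "$1"
    printf 'https://dl-cdn.alpinelinux.org/alpine/v%s/community\n' "$1"
    printf 'https://dl-cdn.alpinelinux.org/alpine/edge/testing\n'
}

# Lint: every line must use https, the official CDN, and the base image's own
# release branch. An "edge" repository mixed into a stable release is flagged:
# its packages are built against edge's libraries, not the stable release's.
# Returns 0 when clean, 1 when there are findings (printed to stdout).
lint_repositories() {
    branch="$1" rc=0 old_ifs="$IFS"
    IFS='
'
    for line in $2; do
        case "$line" in
            "https://dl-cdn.alpinelinux.org/alpine/v$branch/"*) ;;
            https://dl-cdn.alpinelinux.org/alpine/edge/*)
                printf 'WARN edge mixed into v%s: %s\n' "$branch" "$line"; rc=1 ;;
            https://dl-cdn.alpinelinux.org/alpine/*)
                printf 'WARN other release branch: %s\n' "$line"; rc=1 ;;
            *)  printf 'WARN not https on the official CDN: %s\n' "$line"; rc=1 ;;
        esac
    done
    IFS="$old_ifs"
    return "$rc"
}

# Stand-alone run: lint what the Dockerfile would write on the sample above.
branch=$(alpine_branch "$SAMPLE_OS_RELEASE")
lint_repositories "$branch" "$(render_repositories "$branch")" \
    || echo "review /etc/apk/repositories before building"
```

Run against the sample it prints one WARN for the edge/testing line; drop that line (or pin the package source you really need) and it exits 0.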