Update Java expansion service to use distroless

[damccorm]

This will drive down the number of vulnerabilities in this container and the expansion container shouldn't be relying on other things here

---

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

[damccorm]

R: @chamikaramj

[github-actions]

Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control. If you'd like to restart, comment assign set of reviewers

[damccorm]

Failing workflow (windows java tests) is currently permared, likely an image issue

[chamikaramj]

LGTM. Thanks!

[Abacn]

the switch somehow introduced more vulneribility alerts

[damccorm]

the switch somehow introduced more vulneribility alerts

Looks like maybe they aren't keeping this image up to date then? https://pantheon.corp.google.com/artifacts/docker/distroless/us/gcr.io/java?e=13802955&mods=-ai_platform_fake_service

[Abacn]

gcr.io/distroless/java:11 appears to use old system and java versions. There are multiple vulneribilities come from OS and openjdk. The original gcr repository does not have vulnerability scan enabled. However, doing a pull then push to a repo that enabled vulnerability scan indeed reports multiple vulneribilities:

gcr.io/google.com/clouddfe/yathu/distroless/java:11

[damccorm]

gcr.io/distroless/java:11 appears to use old system and java versions. There are multiple vulneribilities come from OS and openjdk. The original gcr repository does not have vulnerability scan enabled. However, doing a pull then push to a repo that enabled vulnerability scan indeed reports multiple vulneribilities:

gcr.io/google.com/clouddfe/yathu/distroless/java:11

Yeah, agreed - I'm going to revert here, seems like this is not a viable path unless we upgrade our java version (not sure if that will help or not)

[Abacn]

it appears the repo has renamed to gcr.io/distroless/java11. The latest one has fewer vulnerabilities:

[damccorm]

it appears the repo has renamed to gcr.io/distroless/java11. The latest one has fewer vulnerabilities:

I'm still inclined to revert since I think that is still worse than our current base