Image Builder "update-linux" component is not upgrading all packages on Ubuntu

0

I'm trying to use Image Builder to create a custom Ubuntu image with parent Ubuntu 22.04 LTS 2023-12-07. I'm making use of the update-linux build component, which underneath invokes the UpdateOS action in order to update all packages in the OS:

Updates Linux by installing all available updates via the UpdateOS action module.

However, after creating the image I still get vulnerabilities after the scan:

When I investigate, some packages were not upgraded:

The following NEW packages will be installed:
  linux-aws-6.2-headers-6.2.0-1018 linux-headers-6.2.0-1018-aws linux-image-6.2.0-1018-aws
  linux-modules-6.2.0-1018-aws
The following packages will be upgraded:
  linux-aws linux-headers-aws linux-image-aws

Why is UpdateOS not upgrading these packages, why can't I find any documentation about this, and why are the logs not saying what is happening?

Is this because these packages upgrade the kernel? Again... where is this documented?

asked 3 months ago, 208 views
1 Answer
0

I can't answer why it doesn't do it, but I can share what I have done to work around this issue. In my pipeline, I created a component that runs apt update && apt upgrade -y.

name: Upgradeall  
description: updates and upgrades the instance
schemaVersion: 1.0

phases:
  - name: build
    steps:
      - name: UpdateAll
        action: ExecuteBash
        inputs:
          commands:
            - sudo apt-get update
            - sudo apt-get upgrade -y
Carlos
answered 2 months ago
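
Added example, not part of the answer above and not AWS's own component code: `apt-get upgrade` never installs packages that are not already installed, so an upgrade that pulls in NEW packages (as the kernel meta-packages in the question's output do) is kept back, while `apt-get dist-upgrade` installs them. The functions below parse apt-get output so a build or validate step can fail when anything is still pending. The function names and both sample outputs are constructed for illustration, and whether UpdateOS behaves like `apt-get upgrade` is not stated on this page.

```shell
#!/bin/sh
# Added example: post-upgrade check for an Image Builder ExecuteBash step.

# Read apt-get output on stdin and print, one per line, every package listed
# under "will be upgraded", "NEW packages will be installed" or "kept back".
pending_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        /^The following packages will be upgraded:/      { grab = 1; next }
        /^The following packages have been kept back:/   { grab = 1; next }
        /^[^ ]/ { grab = 0 }            # any other unindented line ends a list
        grab { for (i = 1; i <= NF; i++) print $i }
    '
}

# Succeed only when the apt-get output on stdin lists nothing left to do.
fully_patched() {
    [ -z "$(pending_packages)" ]
}

# Constructed sample input, modelled on the output quoted in the question.
sample_pending() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  linux-aws-6.2-headers-6.2.0-1018 linux-headers-6.2.0-1018-aws linux-image-6.2.0-1018-aws
  linux-modules-6.2.0-1018-aws
The following packages will be upgraded:
  linux-aws linux-headers-aws linux-image-aws
3 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
EOF
}

# Constructed sample input for an image with nothing left to upgrade.
sample_clean() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
EOF
}

# Intended use in a component step (the headings parsed above are English):
#   export DEBIAN_FRONTEND=noninteractive
#   sudo apt-get update && sudo apt-get -y dist-upgrade
#   LC_ALL=C apt-get -s dist-upgrade | fully_patched || exit 1
```

A newly installed kernel is only in use after a reboot, so a scan of the still-running build instance can report the old kernel until then.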
