build: increase owasp build timeout

main
Fadhli Azhari 2026-04-30 17:59:05 +08:00
parent 16ebcec7ef
commit 5c526822b8
1 changed files with 18 additions and 8 deletions


@ -55,8 +55,13 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
# OWASP Dependency-Check — pre-download NVD database # OWASP Dependency-Check — pre-download NVD database
# #
# This is the single biggest CI time saver. The NVD database download # This is the single biggest CI time saver. The NVD database download
# takes 5-10 minutes on a cold cache. Pre-baking it into the image # takes 5-10 minutes on a cold cache (with API key) or 20-30 min cold.
# means audit jobs start with a warm database. # Pre-baking it into the image means audit jobs start with a warm DB.
#
# Best-effort: if NVD is flaky and the update fails, the build still
# succeeds without a warm cache. Consumers (CI scan jobs) can detect
# this by checking for ${OWASP_DATA_DIR}/.warm — present means the
# pre-warm worked, missing means scans will need to download on demand.
# #
# Rebuild this image weekly to keep the NVD database fresh. # Rebuild this image weekly to keep the NVD database fresh.
# ───────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────
@ -67,14 +72,19 @@ ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
RUN if [ -n "${NVD_API_KEY}" ]; then \ RUN if [ -n "${NVD_API_KEY}" ]; then \
echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \ echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
else \ else \
echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s, expect ~30+ min"; \ echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
fi \ fi \
&& mkdir -p "${OWASP_DATA_DIR}" \ && mkdir -p "${OWASP_DATA_DIR}" \
&& timeout 3600 mvn -B -ntp -N \ && ( timeout 1800 mvn -B -ntp -N \
org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \ org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
-DdataDirectory="${OWASP_DATA_DIR}" \ -DdataDirectory="${OWASP_DATA_DIR}" \
-DnvdMaxRetryCount=30 \
-DnvdApiDelay=2000 \
${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \ ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
&& du -sh "${OWASP_DATA_DIR}" && touch "${OWASP_DATA_DIR}/.warm" \
&& echo "NVD pre-warm: complete" \
|| echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
&& du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true
# ───────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────
# ORAS CLI — for uploading artifacts to Harbor. # ORAS CLI — for uploading artifacts to Harbor.