build(java): reorder build stage to better cache OWASP library

ci/java-builder/Dockerfile

@@ -16,31 +16,26 @@
 # only invalidates that layer and everything below it, so volatile pins
 # (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
 # downloads to re-run.
+#
+# The apt installs are deliberately split in two: a minimal set
+# (ca-certificates + curl) lands above OWASP so the NVD pre-warm can
+# fetch Maven, and everything else (Node.js, ssh, git, jq, …) lands
+# BELOW OWASP. Adding/removing those packages then leaves the ~5GB NVD
+# layer untouched, instead of invalidating it and triggering a full
+# re-download as happened in 292de2f when ssh tools were added above.
 
 ARG JAVA_VERSION=25
 FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
 
 # ─────────────────────────────────────────────────────────────────────
-# System dependencies + Node.js
+# Minimal system deps required to fetch Maven and run the OWASP NVD
+# pre-warm. Keep this list small — every package added here invalidates
+# the OWASP layer below. Everything else is installed in a second apt
+# layer further down.
 # ─────────────────────────────────────────────────────────────────────
-ARG NODE_MAJOR=24
-
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        git \
-        gnupg \
-        jq \
-        unzip \
-        openssl \
-        openssh-client \
-        sshpass \
-    && mkdir -p /etc/apt/keyrings \
-    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
-        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
-    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
-        > /etc/apt/sources.list.d/nodesource.list \
-    && apt-get update && apt-get install -y --no-install-recommends nodejs \
     && rm -rf /var/lib/apt/lists/*
 
 # ─────────────────────────────────────────────────────────────────────
@@ -92,6 +87,30 @@ RUN echo "NVD_REFRESH=${NVD_REFRESH}" \
        || echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
     && du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true
 
+# ─────────────────────────────────────────────────────────────────────
+# Remaining system deps + Node.js
+#
+# Placed below OWASP on purpose: bumping Node major or adding/removing
+# tooling (ssh, git, jq, …) must NOT invalidate the NVD layer above.
+# ─────────────────────────────────────────────────────────────────────
+ARG NODE_MAJOR=24
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        git \
+        gnupg \
+        jq \
+        unzip \
+        openssl \
+        openssh-client \
+        sshpass \
+    && mkdir -p /etc/apt/keyrings \
+    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
+        > /etc/apt/sources.list.d/nodesource.list \
+    && apt-get update && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
 # ─────────────────────────────────────────────────────────────────────
 # ORAS CLI — for uploading artifacts to Harbor.
 # Low-volatility static binary; placed before buf/pnpm so a bump here