build: Added java 21 build with maven and NVD libraries

ci/java-builder/Dockerfile

@@ -0,0 +1,65 @@
+# KollectAI CI — Java Builder Image
+#
+# Pre-baked build environment for backend + plugin CI jobs.
+# Contains: Java 21, Maven 3.9.9, common dependencies, OWASP NVD database.
+#
+# Build:
+#   docker build -t registry.kollect.biz/kollect-ci/java-builder:latest ci/java-builder/
+#
+# Usage in CI:
+#   container:
+#     image: registry.kollect.biz/kollect-ci/java-builder:latest
+
+ARG JAVA_VERSION=21
+FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
+
+ARG MAVEN_VERSION=3.9.9
+ARG OWASP_DC_VERSION=12.1.1
+# ─────────────────────────────────────────────────────────────────────
+# System dependencies
+# ─────────────────────────────────────────────────────────────────────
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        curl \
+        git \
+        jq \
+        unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# ─────────────────────────────────────────────────────────────────────
+# Maven
+# ─────────────────────────────────────────────────────────────────────
+ENV MAVEN_HOME=/opt/maven
+ENV PATH="${MAVEN_HOME}/bin:${PATH}"
+
+RUN curl -fsSL "https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
+    | tar -xz -C /opt \
+    && mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}"
+
+# ─────────────────────────────────────────────────────────────────────
+# OWASP Dependency-Check — pre-download NVD database
+#
+# This is the single biggest CI time saver. The NVD database download
+# takes 5-10 minutes on a cold cache. Pre-baking it into the image
+# means audit jobs start with a warm database.
+#
+# Rebuild this image weekly to keep the NVD database fresh.
+# ─────────────────────────────────────────────────────────────────────
+ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
+
+RUN mkdir -p "${OWASP_DATA_DIR}" \
+    && mvn org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
+        -DdataDirectory="${OWASP_DATA_DIR}" \
+        -q || true
+
+# ─────────────────────────────────────────────────────────────────────
+# ORAS CLI — for uploading artifacts to Harbor
+# ─────────────────────────────────────────────────────────────────────
+ARG ORAS_VERSION=1.2.2
+
+RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
+    | tar -xz -C /usr/local/bin oras
+
+WORKDIR /workspace
+
+# Verify installation
+RUN java -version && mvn -version && oras version && jq --version

ci/java-builder/README.md

@@ -0,0 +1,53 @@
+# Java Builder — CI Image
+
+Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
+
+## What's included
+
+- Java 21 (Eclipse Temurin)
+- Maven 3.9.9
+- Pre-cached Maven dependencies (Spring Boot, Flink, MyBatis, etc.)
+- Pre-installed `plugin-api` in local Maven repo
+- OWASP NVD database snapshot
+- ORAS CLI (Harbor artifact uploads)
+- git, jq, curl
+
+## Build
+
+```bash
+docker build -t registry.kollect.biz/kollect-ci/java-builder:latest ci/java-builder/
+docker push registry.kollect.biz/kollect-ci/java-builder:latest
+```
+
+### Build args
+
+| Arg | Default | Description |
+|-----|---------|-------------|
+| `MAVEN_VERSION` | `3.9.9` | Maven version |
+| `OWASP_DC_VERSION` | `12.1.1` | OWASP Dependency-Check version |
+| `ETL_BRANCH` | `001-ai-etl-platform` | Branch to fetch pom.xml files from |
+| `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+
+## Usage in CI
+
+```yaml
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container:
+      image: registry.kollect.biz/kollect-ci/java-builder:latest
+    steps:
+      - uses: actions/checkout@v6
+      - run: ./mvnw -f backend/etl/pom.xml test -Dgroups=unit -q
+```
+
+## Maintenance
+
+Rebuild weekly to keep the OWASP NVD database fresh:
+
+```bash
+docker build --no-cache -t registry.kollect.biz/kollect-ci/java-builder:latest ci/java-builder/
+docker push registry.kollect.biz/kollect-ci/java-builder:latest
+```
+
+When `pom.xml` files change (new dependencies), rebuild to update the cached deps layer.