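# KollectAI CI — Java Builder Image
#
# Pre-baked build environment for backend + plugin CI jobs.
# Contains: Java, Maven, Node.js, common dependencies and the OWASP NVD
# database. Versions are set by the ARG defaults in this file.
#
# Build:
#   docker build -t 192.168.1.72/kollect-tools/java-builder:latest ci/java-builder/
#
# Usage in CI:
#   container:
#     image: 192.168.1.72/kollect-tools/java-builder:latest

ARG JAVA_VERSION=21
# NOTE(review): the base image is referenced by tag only, so a rebuild can pick
# up different content under the same tag. Consider pinning it by digest.
FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy

ARG MAVEN_VERSION=3.9.14
ARG OWASP_DC_VERSION=12.1.0

# ─────────────────────────────────────────────────────────────────────
# System dependencies
# ─────────────────────────────────────────────────────────────────────
ARG NODE_MAJOR=24
# The NodeSource key is downloaded to a file before dearmoring rather than
# piped: under the default /bin/sh a failed curl inside "curl | gpg" is
# masked by the exit status of the last command in the pipeline.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        gnupg \
        jq \
        unzip \
    && mkdir -p /etc/apt/keyrings \
    && curl -fsSL -o /tmp/nodesource-repo.gpg.key \
        https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
    && gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource-repo.gpg.key \
    && rm -f /tmp/nodesource-repo.gpg.key \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
        > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# ─────────────────────────────────────────────────────────────────────
# Maven
# ─────────────────────────────────────────────────────────────────────
ENV MAVEN_HOME=/opt/maven
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

# Expected SHA-512 of the Maven archive. Pass it with --build-arg to pin the
# exact artifact; when empty, the digest published on downloads.apache.org is
# used instead. The published digest catches a corrupted or truncated
# download but is weaker than a value pinned here.
ARG MAVEN_SHA512=""
# The archive is verified before extraction, so every tool built in this image
# runs on a checked Maven. The build fails if the digest is missing or wrong.
RUN curl -fsSL -o /tmp/maven.tar.gz \
        "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
    && if [ -z "${MAVEN_SHA512}" ]; then \
           curl -fsSL -o /tmp/maven.tar.gz.sha512 \
               "https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz.sha512" \
           && MAVEN_SHA512="$(cut -d' ' -f1 /tmp/maven.tar.gz.sha512)"; \
       fi \
    && echo "${MAVEN_SHA512}  /tmp/maven.tar.gz" | sha512sum -c - \
    && tar -xzf /tmp/maven.tar.gz -C /opt \
    && mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}" \
    && rm -f /tmp/maven.tar.gz /tmp/maven.tar.gz.sha512

# ─────────────────────────────────────────────────────────────────────
# OWASP Dependency-Check — pre-download NVD database
#
# This is the single biggest CI time saver. The NVD database download
# takes 5-10 minutes on a cold cache. Pre-baking it into the image
# means audit jobs start with a warm database.
#
# Rebuild this image weekly to keep the NVD database fresh.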
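# ─────────────────────────────────────────────────────────────────────
ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data

# The update stays best-effort so an NVD outage does not block the image
# build, but a failure is reported on stderr instead of being swallowed by
# "|| true". Without the warning, an image with an empty or stale database
# looks the same as a healthy one.
# NOTE(review): if an NVD API key is ever used here, supply it through a
# BuildKit secret mount rather than ARG/ENV, which persist in image history.
RUN mkdir -p "${OWASP_DATA_DIR}" \
    && { mvn org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
            -DdataDirectory="${OWASP_DATA_DIR}" \
            -q \
         || echo "WARNING: OWASP NVD pre-download failed; image ships without a warm database" >&2; }

# ─────────────────────────────────────────────────────────────────────
# ORAS CLI — for uploading artifacts to Harbor
# ─────────────────────────────────────────────────────────────────────
ARG ORAS_VERSION=1.2.2
# Expected SHA-256 of the ORAS archive. Pass it with --build-arg so the
# binary that pushes artifacts to the registry is integrity-checked. When
# empty, the build warns and continues, as it did before this check existed.
ARG ORAS_SHA256=""
# The archive is downloaded to a file rather than piped into tar, so a failed
# or partial download cannot be masked by tar's exit status.
# The release asset name is fixed to linux_amd64.
RUN curl -fsSL -o /tmp/oras.tar.gz \
        "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
    && if [ -n "${ORAS_SHA256}" ]; then \
           echo "${ORAS_SHA256}  /tmp/oras.tar.gz" | sha256sum -c -; \
       else \
           echo "WARNING: ORAS_SHA256 not set; oras archive was not integrity-checked" >&2; \
       fi \
    && tar -xzf /tmp/oras.tar.gz -C /usr/local/bin oras \
    && rm -f /tmp/oras.tar.gz

# NOTE(review): there is no USER instruction, so CI jobs run as root inside
# this image. Confirm that is required before relying on it.
WORKDIR /workspace

# Verify installation
RUN java -version \
    && mvn -version \
    && node --version \
    && oras version \
    && jq --version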