130 lines
7.0 KiB
Docker
130 lines
7.0 KiB
Docker
# KollectAI CI — Java Builder Image
|
|
#
|
|
# Pre-baked build environment for backend + plugin CI jobs.
|
|
# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
|
|
# database, ORAS CLI, common dependencies.
|
|
#
|
|
# Build:
|
|
# docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
|
|
#
|
|
# Usage in CI:
|
|
# container:
|
|
# image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
|
|
#
|
|
# RUN order is cache-optimised: most stable / most expensive layers come
|
|
# first, most volatile / cheapest layers come last. Bumping a version
|
|
# only invalidates that layer and everything below it, so volatile pins
|
|
# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
|
|
# downloads to re-run.
|
|
|
|
ARG JAVA_VERSION=25
|
|
FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# System dependencies + Node.js
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG NODE_MAJOR=24
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
ca-certificates \
|
|
curl \
|
|
git \
|
|
gnupg \
|
|
jq \
|
|
unzip \
|
|
&& mkdir -p /etc/apt/keyrings \
|
|
&& curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
|
|
| gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
|
|
&& echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
|
|
> /etc/apt/sources.list.d/nodesource.list \
|
|
&& apt-get update && apt-get install -y --no-install-recommends nodejs \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# Maven
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG MAVEN_VERSION=3.9.15
|
|
ENV MAVEN_HOME=/opt/maven
|
|
ENV PATH="${MAVEN_HOME}/bin:${PATH}"
|
|
|
|
RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
|
|
| tar -xz -C /opt \
|
|
&& mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}"
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# OWASP Dependency-Check — pre-download NVD database
|
|
#
|
|
# This is the single biggest CI time saver. The NVD database download
|
|
# takes 5-10 minutes on a cold cache (with API key) or 20-30 min cold.
|
|
# Pre-baking it into the image means audit jobs start with a warm DB.
|
|
#
|
|
# Best-effort: if NVD is flaky and the update fails, the build still
|
|
# succeeds without a warm cache. Consumers (CI scan jobs) can detect
|
|
# this by checking for ${OWASP_DATA_DIR}/.warm — present means the
|
|
# pre-warm worked, missing means scans will need to download on demand.
|
|
#
|
|
# Rebuild this image weekly to keep the NVD database fresh.
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG OWASP_DC_VERSION=12.2.1
|
|
ARG NVD_API_KEY=""
|
|
ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
|
|
|
|
RUN if [ -n "${NVD_API_KEY}" ]; then \
|
|
echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
|
|
else \
|
|
echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
|
|
fi \
|
|
&& mkdir -p "${OWASP_DATA_DIR}" \
|
|
&& ( timeout 1800 mvn -B -ntp -N \
|
|
org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
|
|
-DdataDirectory="${OWASP_DATA_DIR}" \
|
|
-DnvdMaxRetryCount=30 \
|
|
-DnvdApiDelay=2000 \
|
|
${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
|
|
&& touch "${OWASP_DATA_DIR}/.warm" \
|
|
&& echo "NVD pre-warm: complete" \
|
|
|| echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
|
|
&& du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# ORAS CLI — for uploading artifacts to Harbor.
|
|
# Low-volatility static binary; placed before buf/pnpm so a bump here
|
|
# (rare) doesn't invalidate them.
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG ORAS_VERSION=1.3.2
|
|
|
|
RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
|
|
| tar -xz -C /usr/local/bin oras
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# buf CLI — single static binary used for `buf lint` in CI and pre-push
|
|
# parity. Backend Java codegen lives in the Maven build (protobuf-maven-
|
|
# plugin), not buf, so no protoc plugins are needed in this image.
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG BUF_VERSION=1.69.0
|
|
|
|
RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
|
|
-o /usr/local/bin/buf \
|
|
&& chmod +x /usr/local/bin/buf
|
|
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
# pnpm — via corepack (ships with Node.js).
|
|
# Last because it's the most volatile pin and corepack prepare is the
|
|
# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
|
|
# ─────────────────────────────────────────────────────────────────────
|
|
ARG PNPM_VERSION=11.0.1
|
|
|
|
RUN corepack enable \
|
|
&& corepack prepare "pnpm@${PNPM_VERSION}" --activate
|
|
|
|
WORKDIR /workspace
|
|
|
|
# Verify installation
|
|
RUN java -version \
|
|
&& mvn -version \
|
|
&& node --version \
|
|
&& pnpm --version \
|
|
&& buf --version \
|
|
&& oras version \
|
|
&& jq --version
|