Enhanced Docker security: Upgraded base image and dependencies

[AnirbanB13]

Hi Amitabh,

Thank you for your support with Trainwithcommunity and creating this awesome project repo. I've added another DevSecOps part to the Dockerfile using Trivy to scan the existing Dockerfile and fixing the Critical vulnerabilities

This PR addresses critical security vulnerabilities and fixes MySQL database connectivity issues in the Dockerized Spring Boot application.

Key Changes

✅ Updated Dockerfile
• Upgraded to eclipse-temurin:17-jre-alpine for better security.
• Added apk update && apk upgrade --no-cache to remove OS-level vulnerabilities.
• Ensured the application runs as a non-root user for security.

Screnshoot of the Dockerfile scan after the fix was applied!

I hope you'll find this fix meaningful and Merge this pull request I've created.

Thanks & Regards,
Anirban

Summary by CodeRabbit

• Chores
  • Optimized the container build and deployment process with updated base images.
  • Improved dependency caching to streamline builds.
  • Enhanced container security by applying system package updates and switching to a non-root execution mode.
  • Modified the application startup command for improved security.

[coderabbitai]

Walkthrough

The Dockerfile has been updated for both the build and deployment stages. In the build stage, the Maven base image is upgraded and configured to cache dependencies locally. In the deployment stage, the base image is updated, system packages are refreshed to mitigate vulnerabilities, and a non-root user is created. Additional modifications include setting the working directory, adjusting the location of the JAR file, and enhancing the entrypoint command with a Java security option.

Changes

File

Change Summary

Dockerfile

Build Stage: Base image updated from maven:3.8.3-openjdk-17 to maven:3.9.6-eclipse-temurin-17; added the -Dmaven.repo.local=/app/.m2/repository flag for local dependency caching. Deployment Stage: Base image changed from openjdk:17-alpine to eclipse-temurin:17-jre-alpine; system packages are updated with apk update && apk upgrade --no-cache; a non-root user (appuser) is created; working directory set to /app; JAR file copied to /app/bankapp.jar; entrypoint command modified to include -Djava.security.egd=file:/dev/./urandom.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Build as Build Stage (Maven)
    participant Deploy as Deployment Container
    participant App as Application

    Dev->>Build: Trigger Docker build using updated Maven image
    Build->>Build: Compile and package application jar (with local Maven cache)
    Build->>Deploy: Pass the packaged jar to deployment stage
    note right of Deploy: Update system packages\nCreate non-root user (appuser)\nSet working directory to /app
    Deploy->>App: Copy jar to /app/bankapp.jar and execute with security option
    App-->>Deploy: Application running

Loading

Poem

I'm a rabbit with a hop and a code burst,
Docker dreams guide me to security first.
Maven builds and alpine charms,
Non-root leaps keep systems from harms.
In every line, my joy's dispersed! 🐇

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cffede8 and 370e5e3.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

🔇 Additional comments (11)

Dockerfile (11)

6-6: Updated Maven Base Image
The new base image maven:3.9.6-eclipse-temurin-17 ensures you are using an up-to-date JDK and Maven version. Please double-check that all Maven plugins and build tools are fully compatible with the Eclipse Temurin distribution.

---

8-9: Working Directory Setup in Builder Stage
Setting the working directory to /app is clear and consistent. This helps to manage relative paths during the Maven build.

---

11-15: Source Copy and Maven Build with Caching
The COPY . /app followed by the Maven build command with the local repository flag (-Dmaven.repo.local=/app/.m2/repository) is an effective technique for caching dependencies, improving subsequent build times. Ensure that your build environment does not inadvertently cache any outdated artifacts.

---

22-23: Updated Deployment Base Image
Switching to FROM eclipse-temurin:17-jre-alpine as deployer is a solid security improvement compared to the previous OpenJDK Alpine image. Confirm that all runtime dependencies are supported by this image.

---

25-26: System Package Updates for Security
Running apk update && apk upgrade --no-cache is a prudent step to patch known vulnerabilities in the underlying OS packages. Just be mindful of any side effects if packages get upgraded that might affect runtime compatibility.

---

29-30: Enforcing Non-Root Execution
Creating a non-root user (appuser) via the addgroup and adduser commands and switching to this user significantly improves container security. This follows security best practices for Docker containers.

---

32-33: Working Directory Setup in Deployment Stage
Re-establishing the working directory in the deployer stage with WORKDIR /app ensures that subsequent commands run in the correct context.

---

35-36: Copying the Built JAR File
Copying the JAR file from the builder stage using the wildcard (/app/target/*.jar) to a fixed location at /app/bankapp.jar simplifies deployment. Verify that your build process always produces a single JAR or adjust this command if multiple artifacts might be generated.

---

38-39: Port Exposure Confirmation
Exposing port 8080 is standard for many Spring Boot applications. Ensure that your runtime and orchestrator settings (e.g., Kubernetes or Docker Compose) map this port correctly.

---

41-42: Enhanced Entrypoint with Security Option
Adding the JVM argument -Djava.security.egd=file:/dev/./urandom in the ENTRYPOINT improves startup times by ensuring a faster entropy source. This is an effective security and performance enhancement.

---

1-43: Overall Dockerfile Security Enhancement
The multi-stage build is well implemented, separating the build process from the runtime environment. Upgrading the base images, updating OS packages, and enforcing non-root execution are all commendable changes that strengthen the container’s security posture. Excellent work on addressing the reported vulnerabilities.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.