build(gradle): bump gradlew and Dockerfile to fix vulnerabilities

abhisheksr01 · abhisheksr01 · commit 0a3a362d53bf · 2025-09-13T18:10:43.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,55 @@
 # Stage 1: Build the jar
-FROM gradle:8.12-jdk21 AS build
-# Copy source code into the container and set the ownership to 'gradle' user
+FROM gradle:8.14.3-jdk21-jammy AS build
+
+# Update system packages
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy source code and build
 COPY --chown=gradle:gradle . /home/gradle/src
 WORKDIR /home/gradle/src
 RUN gradle build -x test --no-daemon
 
 # Stage 2: Production image
-FROM openjdk:21-slim AS production
+FROM openjdk:21-slim-bookworm AS production
 EXPOSE 8080
 
-# Create a non-root user and group (using 'appuser' as an example)
-RUN groupadd -r appgroup && useradd -r -g appgroup -m appuser
+# Update system packages and install fixed versions
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+        libc6 \
+        util-linux \
+    && apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create non-root user with fixed UID/GID
+RUN groupadd -r appgroup -g 10001 && \
+    useradd -r -g appgroup -u 10001 appuser && \
+    mkdir /app && \
+    chown 10001:10001 /app
+
+# Copy jar with specific name
+COPY --from=build --chown=10001:10001 /home/gradle/src/build/libs/*.jar /app/companieshouse.jar
 
-# Create the /app directory and set permissions
-RUN mkdir /app && chown appuser:appgroup /app
+WORKDIR /app
+USER 10001
 
-# Copy the jar file from the build stage into the production image
-COPY --from=build /home/gradle/src/build/libs/*.jar /app/companieshouse-*.jar
+# Security-focused Java options
+ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom \
+    -Djava.awt.headless=true \
+    -Dfile.encoding=UTF-8 \
+    -XX:+ExitOnOutOfMemoryError \
+    -XX:+UseContainerSupport \
+    -XX:MaxRAMPercentage=75.0 \
+    -Dspring.profiles.active=production \
+    -Dserver.tomcat.accesslog.enabled=true"
 
-# Change to non-root user
-USER appuser
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s \
+    CMD curl -f http://localhost:8080/companieshouse/actuator/health || exit 1
 
-# Set the entrypoint to run the Java application
-ENTRYPOINT ["java", "-jar", "/app/companieshouse-*.jar"]
+# Use specific jar name in entrypoint
+ENTRYPOINT ["java", "-jar", "/app/companieshouse.jar"]
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
