1923 docker image build for 3.10 fails

[goekay]

PR Type

Bug fix

---

Description

• Reverted multi-stage Docker build to single-stage for Python 3.10 compatibility

• Removed non-root user and TLS protocol specification from Dockerfile

• Added health checks to docker-compose app service

• Simplified build command and runtime configuration

---

Diagram Walkthrough

flowchart LR
  A["Multi-stage Dockerfile<br/>with builder stage"] -->|Revert| B["Single-stage Dockerfile<br/>simplified build"]
  C["docker-compose<br/>without health checks"] -->|Add| D["docker-compose<br/>with app health checks"]
  B --> E["Removed non-root user<br/>and TLS config"]

Loading

File Walkthrough

	Relevant files
Bug fix	Dockerfile Revert multi-stage build to single-stage                                  Dockerfile Reverted from multi-stage (builder + runtime) to single-stage Docker build Removed non-root user creation and user switching logic Removed explicit TLS protocol specification from CMD Simplified build command by removing -Djdk.tls.client.protocols flag Changed runtime to use target/steve.war directly instead of copying from builder stage +5/-21
Enhancement	docker-compose.yml Add health checks to docker-compose app service                    docker-compose.yml Added comprehensive health check configuration to app service Configured health check to test /steve endpoint with 30s interval Set start_period to 60s for slow-starting applications Added start_interval of 5s for more frequent checks during startup Configured timeout of 10s and 5 retries for health check validation +7/-0

---

[qodo-free-for-open-source-projects]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴	Root user execution Description: Running the application as root user exposes the container to privilege escalation attacks if the application is compromised, as the removed non-root user configuration (appuser:appgroup) provided security isolation. Dockerfile [1-19] Referred Code FROM eclipse-temurin:21-jdk ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 WORKDIR /code # Copy relevant project files to the build stage ADD /src /code/src ADD /pom.xml /code/pom.xml ADD mvnw /code/mvnw ADD .mvn /code/.mvn # Build the app (requires a DB to be available) RUN ./mvnw clean package -Pdocker EXPOSE 8180 EXPOSE 8443 # Run the app (requires a DB to be available) CMD ["java", "-XX:MaxRAMPercentage=85", "-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3", "-jar", "target/steve.war"]
	Excessive runtime dependencies Description: Using full JDK (eclipse-temurin:21-jdk) instead of JRE in production increases attack surface by including compilation tools and libraries unnecessary for runtime, which were removed in the previous multi-stage build. Dockerfile [1-1] Referred Code FROM eclipse-temurin:21-jdk ENV LANG=C.UTF-8 LC_ALL=C.UTF-8
Ticket Compliance
🟡	🎫 #1923 🟢 Fix Docker image build failure on version 3.10 Resolve database connection error during Maven build (Communications link failure to mariadb:3306) ⚪ Address the issue where the container being built cannot access the database container Ensure the build process completes successfully without exit code 1
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Non-root User Removed: The removal of non-root user execution increases security risk by running the application as root in the container. Referred Code FROM eclipse-temurin:21-jdk ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 WORKDIR /code # Copy relevant project files to the build stage ADD /src /code/src ADD /pom.xml /code/pom.xml ADD mvnw /code/mvnw ADD .mvn /code/.mvn # Build the app (requires a DB to be available) RUN ./mvnw clean package -Pdocker EXPOSE 8180 EXPOSE 8443 # Run the app (requires a DB to be available) CMD ["java", "-XX:MaxRAMPercentage=85", "-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3", "-jar", "target/steve.war"] Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-free-for-open-source-projects]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Decouple the image build from the database The image build process should not depend on a live database. Modify the Maven build to skip database migrations during the image build phase and instead configure the application to run them at startup. Examples: Dockerfile [13] RUN ./mvnw clean package -Pdocker Solution Walkthrough: Before: # Dockerfile ... WORKDIR /code ADD . /code # Build the app (requires a DB to be available) RUN ./mvnw clean package -Pdocker EXPOSE 8180 EXPOSE 8443 # Run the app (requires a DB to be available) CMD ["java", ..., "-jar", "target/steve.war"] After: # Dockerfile ... WORKDIR /code ADD . /code # Build the app without running DB migrations # (e.g., by disabling the flyway plugin for this profile) RUN ./mvnw clean package -Pdocker -Dflyway.enabled=false EXPOSE 8180 EXPOSE 8443 # Run the app, which will perform migrations on startup CMD ["java", ..., "-jar", "target/steve.war"] Suggestion importance[1-10]: 10 __ Why: This suggestion correctly identifies a critical architectural flaw—a build process dependent on a runtime service—that the PR works around but does not fix, and it proposes the standard, robust solution.	High
Security	Run as non-root user in multi-stage build Revert to a multi-stage Docker build to create a smaller, more secure runtime image and run the application as a non-root user to mitigate security risks. Dockerfile [1-19] -FROM eclipse-temurin:21-jdk +# Build stage +FROM eclipse-temurin:21-jdk AS builder ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 WORKDIR /code # Copy relevant project files to the build stage ADD /src /code/src ADD /pom.xml /code/pom.xml ADD mvnw /code/mvnw ADD .mvn /code/.mvn -# Build the app (requires a DB to be available) +# Build the app RUN ./mvnw clean package -Pdocker + +# Runtime stage +FROM eclipse-temurin:21-jre +ENV LANG=C.UTF-8 LC_ALL=C.UTF-8 + +# Create a non-root user and group +RUN groupadd --system appgroup && useradd --system --gid appgroup appuser + +WORKDIR /code + +# Copy only the built WAR from builder stage and set ownership +COPY --chown=appuser:appgroup --from=builder /code/target/steve.war ./steve.war EXPOSE 8180 EXPOSE 8443 -# Run the app (requires a DB to be available) -CMD ["java", "-XX:MaxRAMPercentage=85", "-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3", "-jar", "target/steve.war"] +# Switch to the non-root user +USER appuser +# Run the app +CMD ["java", "-XX:MaxRAMPercentage=85", "-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3", "-jar", "steve.war"] + Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies that the PR introduces a security risk by running the application as the root user and regresses from Docker best practices by removing the multi-stage build, leading to larger, less secure images.	High
Learned best practice	Verify health check tool availability Ensure curl is installed in the container or use a shell-based health check that doesn't require external dependencies. The eclipse-temurin JDK/JRE images may not include curl by default. docker-compose.yml [36-42] healthcheck: - test: [ "CMD", "curl", "-f", "http://localhost:8180/steve" ] + test: [ "CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8180/steve || exit 1" ] interval: 30s timeout: 10s retries: 5 start_period: 60s start_interval: 5s [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 6 __ Why: Relevant best practice - Health check commands should verify that required dependencies (like curl) are available in the container, or use alternative methods that don't require external tools.	Low
More