feature/Copying recursively might inadvertently add sensitive data to the container.
SonarQube security warning by:

## Summary of Changes

### 1. **Selective File Copying in Dockerfile**

Instead of using `COPY . .`, which copies everything recursively, I've updated the Dockerfile to explicitly copy only the necessary files and directories:

- **Maven configuration**: `pom.xml`, `build.sbt`
- **Source code directories**: `obp-api/`, `obp-commons/`, `project/`
- **Required build files**: `jitpack.yml`, `web-app_2_3.dtd`

### 2. **Enhanced .dockerignore**

I've significantly expanded the `.dockerignore` file to exclude:

- **IDE files**: `.idea/`, `.vscode/`, `.metals/`, etc.
- **Build artifacts**: `target/`, `cache/`, Maven local repository
- **Sensitive files**: Environment files, keys, certificates, passwords
- **OS files**: `.DS_Store`, thumbnails, etc.
- **Documentation**: Most markdown files (keeping license files)
- **Development files**: `ideas/`, `resourcedoc/`

## Security Benefits

1. **Reduced attack surface**: Only necessary files are included in the Docker image
2. **No accidental secrets**: Explicit exclusion of common sensitive file patterns
3. **Smaller image size**: Excluding unnecessary files reduces image size
4. **Better maintainability**: Clear understanding of what goes into the container

## Build Compatibility

The changes maintain full Maven build compatibility by ensuring all necessary files for the build process are still copied:

- Maven POM files for dependency management
- Source code directories
- Build configuration files
- The entrypoint script (specifically allowed in .dockerignore)

This approach follows Docker security best practices and addresses the SonarQube warning while maintaining the functionality of your build process.

2025-11-27 13:21:54 +00:00

The `.dockerignore` as shown in the blame view:

```dockerignore
# Configuration files - exclude potentially sensitive props but allow templates and default configs
obp-api/src/main/resources/props/*
!obp-api/src/main/resources/props/sample.props.template
!obp-api/src/main/resources/props/test.default.props.template
!obp-api/src/main/resources/props/test.default.props
!obp-api/src/main/resources/props/default.props
!obp-api/src/main/resources/props/development.default.props

# IDE and editor files
.idea/
.vscode/
.metals/
.bloop/
.run/
.zed/
zed/

# Build artifacts and caches
target/
cache/
~/.m2/

# Git and version control
.git/
.gitignore

# Environment and secret files
.env
.env.*
*.key
*.pem
*.p12
*.jks
*secret*
*password*

# OS generated files
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db

# Log files
*.log
logs/

# Temporary files
*.tmp
*.temp
*.swp
*.swo
*~

# Documentation and non-essential files (keep essential ones)
README.md
*.md
!NOTICE
!GNU_AFFERO_GPL_V3_19_Nov_1997.txt
!Harmony_Individual_Contributor_Assignment_Agreement.txt

# Docker files themselves (avoid recursive copies)
Dockerfile
development/docker/
!development/docker/entrypoint.sh

# Test and development files
ideas/
resourcedoc/
```

Blame timestamps shown on the page: 2025-11-27 14:42:03 +00:00 for the header comment, the `test.default.props`, `default.props` and `development.default.props` exceptions and the two `development/docker/` lines; 2023-05-03 08:12:30 +00:00 and 2023-05-02 15:24:14 +00:00 for `obp-api/src/main/resources/props/*` and its `sample.props.template` exception; 2025-11-27 13:21:54 +00:00 (the commit described above) for every other line.
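Added example, not code from the page or the OBP project: a small Python approximation of Docker's `.dockerignore` matching (parent-directory matches count, the last matching rule wins, `!` re-includes), run against a constructed subset of the rules above. It shows the two things worth checking in this file: the `!` exceptions do re-include `default.props` and `entrypoint.sh`, while patterns without a `**/` prefix such as `*.key` and `target/` match only at the context root, so a `.key` file or a `target/` directory under `obp-api/` is still part of the build context. Assumed: Go-style `filepath.Match` semantics without `[...]` character classes; Docker's documented any-depth form is `**/*.key`.

```python
import re

def compile_pattern(pattern: str):
    """Pattern -> anchored regex (Go filepath.Match plus Docker's '**'; '[...]' classes omitted)."""
    regex, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            i += 2
            if pattern.startswith("/", i):
                i, regex = i + 1, regex + "(.*/)?"   # '**/' spans zero or more directories
            else:
                regex += ".*"                        # trailing '**' takes the rest
            continue
        ch, i = pattern[i], i + 1
        regex += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)  # never cross '/'
    return re.compile(regex + "$")

def parse_dockerignore(text: str):
    """Return (is_exception, regex) per rule in file order; blanks and comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        exception = line.startswith("!")
        line = (line[1:] if exception else line).strip("/")  # 'target/' and '/target' mean 'target'
        rules.append((exception, compile_pattern(line)))
    return rules

def is_excluded(path: str, rules) -> bool:
    """Docker-style decision: parent-directory matches count, last matching rule wins."""
    parts = path.split("/")
    candidates = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]  # parents, then the path
    excluded = False
    for exception, regex in rules:
        if exception != excluded:   # skip exclusions while excluded, exceptions while included
            continue
        if any(regex.match(c) for c in candidates):
            excluded = not exception
    return excluded

# Constructed subset of the .dockerignore shown above (Docker reads the real file from disk).
RULES = parse_dockerignore("""
obp-api/src/main/resources/props/*
!obp-api/src/main/resources/props/default.props
target/
*.key
development/docker/
!development/docker/entrypoint.sh
""")
```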