Mirror of https://github.com/OpenBankProject/OBP-API.git, synced 2026-02-06 15:47:01 +00:00
Latest commit message:

> SonarQube security warning by:
>
> ## Summary of Changes
>
> ### 1. **Selective File Copying in Dockerfile**
>
> Instead of using `COPY . .` which copies everything recursively, I've updated the Dockerfile to explicitly copy only the necessary files and directories:
>
> - **Maven configuration**: `pom.xml`, `build.sbt`
> - **Source code directories**: `obp-api/`, `obp-commons/`, `project/`
> - **Required build files**: `jitpack.yml`, `web-app_2_3.dtd`
>
> ### 2. **Enhanced .dockerignore**
>
> I've significantly expanded the `.dockerignore` file to exclude:
>
> - **IDE files**: `.idea/`, `.vscode/`, `.metals/`, etc.
> - **Build artifacts**: `target/`, `cache/`, Maven local repository
> - **Sensitive files**: Environment files, keys, certificates, passwords
> - **OS files**: `.DS_Store`, thumbnails, etc.
> - **Documentation**: Most markdown files (keeping license files)
> - **Development files**: `ideas/`, `resourcedoc/`
>
> ## Security Benefits
>
> 1. **Reduced attack surface**: Only necessary files are included in the Docker image
> 2. **No accidental secrets**: Explicit exclusion of common sensitive file patterns
> 3. **Smaller image size**: Excluding unnecessary files reduces image size
> 4. **Better maintainability**: Clear understanding of what goes into the container
>
> ## Build Compatibility
>
> The changes maintain full Maven build compatibility by ensuring all necessary files for the build process are still copied:
>
> - Maven POM files for dependency management
> - Source code directories
> - Build configuration files
> - The entrypoint script (specifically allowed in .dockerignore)
>
> This approach follows Docker security best practices and addresses the SonarQube warning while maintaining the functionality of your build process.
Files in this directory:

- docker-compose.override.yml
- docker-compose.yml
- Dockerfile
- entrypoint.sh
- README.md
# OBP API – Docker & Docker Compose Setup

This project uses Docker and Docker Compose to run the OBP API service with Maven and Jetty.

- Java 17 with reflection workaround
- Connects to your local Postgres using `host.docker.internal`
- Supports separate dev & prod setups
## How to use

Make sure you have Docker and Docker Compose installed.

### Set up the database connection

Edit your `default.properties` (or similar config file):

```properties
db.url=jdbc:postgresql://host.docker.internal:5432/YOUR_DB_NAME?user=YOUR_DB_USER&password=YOUR_DB_PASSWORD
```

Use `host.docker.internal` so the container can reach your local database.

### Build & run (production mode)

Build the Docker image and run the container:

```sh
docker-compose up --build
```

The service will be available at http://localhost:8080.
## Development tips

For live code updates without rebuilding:

- Use the provided `docker-compose.override.yml`, which mounts only:

  ```yaml
  volumes:
    - ../obp-api:/app/obp-api
    - ../obp-commons:/app/obp-commons
  ```

- This keeps other built files (like `entrypoint.sh`) intact.
- Avoid mounting the full `../:/app` because it overwrites the built image.
## Useful commands

Rebuild the image and restart:

```sh
docker-compose up --build
```

Stop the container:

```sh
docker-compose down
```
## Before first run

Make sure your entrypoint script is executable:

```sh
chmod +x docker/entrypoint.sh
```
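The commit message at the top of this page relies on `.dockerignore` to keep keys, certificates and env files out of the image, the `db.url` line above puts the database password in `default.properties`, and this step requires an executable entrypoint. The POSIX shell script below is an added example, not part of the OBP-API repository, that checks a build context for all three before `docker-compose up --build`. It assumes the README's layout (`docker/entrypoint.sh` and `.dockerignore` at the context root); the required-pattern list and the sample context it builds are constructed for illustration and will not match the project's real files.

```shell
#!/bin/sh
# Pre-build check for a Docker build context. Added example, not OBP-API code.
# Assumes the README layout: docker/entrypoint.sh and .dockerignore sit at the
# context root. Pattern lists below are constructed for illustration.

# Patterns that should appear as lines in .dockerignore so that keys,
# certificates and env files never reach the image (constructed list).
REQUIRED_IGNORE_PATTERNS=".env *.pem *.key *.p12 *.jks target/ .git/"

# Exit 0 when every required pattern is a line in "$1/.dockerignore";
# otherwise print the missing ones and exit 1.
check_dockerignore() {
    ctx="$1"
    missing=0
    set -f   # no pathname expansion while iterating over glob-like patterns
    for p in $REQUIRED_IGNORE_PATTERNS; do
        if ! grep -qxF -- "$p" "$ctx/.dockerignore" 2>/dev/null; then
            echo "missing from .dockerignore: $p"
            missing=1
        fi
    done
    set +f
    return "$missing"
}

# Print files under "$1" that look like credentials: key/cert/env files, plus
# .properties files carrying a password= entry (as the README's db.url does).
find_sensitive_files() {
    find "$1" -type f \( -name '*.pem' -o -name '*.key' -o -name '*.p12' \
        -o -name '*.jks' -o -name '.env' -o -name '*.properties' \) \
        -not -path '*/.git/*' | while read -r f; do
        case "$f" in
            *.properties) if grep -qi 'password=' "$f"; then echo "$f"; fi ;;
            *)            echo "$f" ;;
        esac
    done
}

# Exit 0 when docker/entrypoint.sh exists and is executable ("Before first run").
check_entrypoint() {
    [ -x "$1/docker/entrypoint.sh" ]
}

# Run every check; exit 1 if anything needs attention before the build.
preflight() {
    ctx="$1"
    rc=0
    if ! check_entrypoint "$ctx"; then
        echo "docker/entrypoint.sh is not executable (run: chmod +x docker/entrypoint.sh)"
        rc=1
    fi
    check_dockerignore "$ctx" || rc=1
    found=$(find_sensitive_files "$ctx")
    if [ -n "$found" ]; then
        echo "credential-like files in the build context; make sure .dockerignore covers them:"
        echo "$found"
        rc=1
    fi
    return "$rc"
}

# Build a constructed sample context (not the real repository) so the script
# can run stand-alone; prints the temporary directory path.
make_sample_context() {
    d=$(mktemp -d)
    mkdir -p "$d/docker" "$d/obp-api/src/main/resources/props"
    printf '#!/bin/sh\nexec mvn jetty:run\n' > "$d/docker/entrypoint.sh"
    chmod +x "$d/docker/entrypoint.sh"
    # *.p12 and *.jks are deliberately left out so the check reports a finding.
    printf '.env\n*.pem\n*.key\ntarget/\n.git/\n' > "$d/.dockerignore"
    # Placeholder credentials, constructed for the demo only.
    printf 'db.url=jdbc:postgresql://host.docker.internal:5432/obp?user=obp&password=CHANGEME\n' \
        > "$d/obp-api/src/main/resources/props/default.properties"
    printf 'not a real key\n' > "$d/server.key"
    echo "$d"
}

# Stand-alone use: `sh preflight.sh --demo` checks the constructed sample;
# `sh preflight.sh /path/to/checkout` checks a real build context.
case "${1:-}" in
    --demo) CTX=$(make_sample_context); preflight "$CTX"; status=$?; rm -rf "$CTX"; exit "$status" ;;
    "")     ;;
    *)      preflight "$1"; exit $? ;;
esac
```

On the sample context the script reports two missing `.dockerignore` patterns and two credential-like files (`server.key` and the `default.properties` with its `password=` entry) and exits non-zero; a context where `check_dockerignore` covers every listed file type, `check_entrypoint` passes and `find_sensitive_files` prints nothing exits 0.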
## Notes

- The container uses `MAVEN_OPTS` to pass the JVM `--add-opens` flags needed by Lift.
- In production, avoid volume mounts for better performance and consistency.

That’s it — now you can run:

```sh
docker-compose up --build
```

and start coding!