Security: Fix CVEs and Vulnerability Mitigation Across Dependencies

.env.example

@@ -0,0 +1,23 @@
+# Copy this file to .env and fill in real values before running docker compose
+# .env is gitignored — never commit real secrets
+
+# PostgreSQL
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+
+# Elasticsearch
+ELASTIC_SEARCH_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+ELASTIC_SEARCH_USERNAME=elastic
+ELASTIC_SECURITY_ENABLED=false
+
+# MinIO file storage
+MINIO_ROOT_USER=CHANGE_ME_ADMIN_USER
+MINIO_ROOT_PASSWORD=CHANGE_ME_MIN_8_CHARS
+
+# Keycloak
+KEYCLOAK_ADMIN_USER=admin
+KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+KEYCLOAK_DEFAULT_USER_PASSWORD=CHANGE_ME_PASSWORD
+KEYCLOAK_SECRET=CHANGE_ME_SECRET
+KEYCLOAK_REALM=sunbird-rc
+KEYCLOAK_ADMIN_CLIENT_ID=admin-api
+KEYCLOAK_CLIENT_ID=registry-frontend

.github/workflows/maven.yml

@@ -44,6 +44,12 @@ jobs:
 #        limit-access-to-actor: true
     - name: Build and test
       run: make test
+    - name: Dump container logs on failure
+      if: failure()
+      run: |
+        docker-compose -f docker-compose-v1.yml logs --no-color registry keycloak db metrics clickhouse kafka || true
+        docker ps -a
+        docker inspect $(docker ps -aq) --format '{{.Name}} exit={{.State.ExitCode}} status={{.State.Status}}' 2>/dev/null || true
     - name: Check space after tests
       run: df -h
 #  test:

.gitignore

@@ -90,4 +90,9 @@ out
 db-data*
 vault-data
 es-data*
-keycloak-mobile*.jar
+keycloak-mobile*.jar
+
+# Environment secrets — never commit
+.env
+.env.local
+.env.*.local

Makefile

@@ -33,6 +33,7 @@ test: build
 	@docker-compose -f docker-compose-v1.yml --env-file test_environments/test_with_distributedDefManager_nativeSearch.env up -d db keycloak registry certificate-signer certificate-api redis
 	@echo "Starting the test" && sh build/wait_for_port.sh 8080
 	@echo "Starting the test" && sh build/wait_for_port.sh 8081
+	@echo "Waiting for Keycloak OIDC endpoint..." && curl --retry 30 --retry-delay 5 --retry-all-errors -sf -o /dev/null http://localhost:8080/auth/realms/sunbird-rc/.well-known/openid-configuration
 	@docker-compose -f docker-compose-v1.yml ps
 	@curl -v http://localhost:8081/health
 	@cd java/apitest && ../mvnw -Pe2e test
@@ -42,6 +43,8 @@ test: build
 	@docker-compose -f docker-compose-v1.yml --env-file test_environments/test_with_asyncCreate_events_notifications.env up -d db es clickhouse redis keycloak registry certificate-signer certificate-api kafka zookeeper notification-ms metrics
 	@echo "Starting the test" && sh build/wait_for_port.sh 8080
 	@echo "Starting the test" && sh build/wait_for_port.sh 8081
+	@echo "Waiting for Keycloak OIDC endpoint..." && curl --retry 30 --retry-delay 5 --retry-all-errors -sf -o /dev/null http://localhost:8080/auth/realms/sunbird-rc/.well-known/openid-configuration
+	@echo "Starting the test" && sh build/wait_for_port.sh 8070
 	@docker-compose -f docker-compose-v1.yml ps
 	@curl -v http://localhost:8081/health
 	@cd java/apitest && MODE=async ../mvnw -Pe2e test

build/wait_for_port.sh

@@ -2,11 +2,11 @@
 
 echo "Waiting service to launch on $1..."
 i=0
-while ! curl localhost:$1; do
+while ! curl -s --max-time 5 localhost:"$1"; do
   sleep 10
-  ((i=i+1))
-  if [[ $i -gt 60 ]]; then
-    echo "Failed to get the service in sane state!"
+  i=$((i+1))
+  if [ "$i" -gt 90 ]; then
+    echo "Failed to get the service on port $1 in sane state after $((i * 10))s!"
     exit 1;
   fi
 done

docker-compose-v1.yml

@@ -27,7 +27,7 @@ services:
       timeout: 10s
       retries: 4
   db:
-    image: postgres
+    image: postgres:14
     volumes:
       - ./${DB_DIR-db-data}:/var/lib/postgresql/data
     ports:
@@ -113,6 +113,7 @@ services:
       - notification_url=${NOTIFICATION_URL-http://notification-ms:8765/notification-service/v1/notification}
     ports:
       - '8081:8081'
+    restart: on-failure
     depends_on:
       db:
         condition: service_healthy
@@ -127,6 +128,7 @@ services:
       interval: 30s
       timeout: 10s
       retries: 10
+      start_period: 60s
   keycloak:
     image: ghcr.io/sunbird-rc/sunbird-rc-keycloak:latest
     volumes:
@@ -148,6 +150,7 @@ services:
       interval: 30s
       timeout: 10s
       retries: 10
+      start_period: 60s
     ports:
       - '8080:8080'
       - '9990:9990'
@@ -243,14 +246,14 @@ services:
       kafka:
         condition: service_started
   zookeeper:
-    image: confluentinc/cp-zookeeper:latest
+    image: confluentinc/cp-zookeeper:7.6.1
     ports:
       - '2181:2181'
     environment:
       ZOOKEEPER_CLIENT_PORT: '2181'
       ZOOKEEPER_TICK_TIME: '2000'
   kafka:
-    image: confluentinc/cp-kafka:latest
+    image: confluentinc/cp-kafka:7.6.1
     depends_on:
       zookeeper:
         condition: service_started
@@ -259,6 +262,7 @@ services:
     environment:
       KAFKA_BROKER_ID: '1'
       KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
+      KAFKA_LISTENERS: 'INTERNAL://0.0.0.0:9092,OUTSIDE://0.0.0.0:9094'
       KAFKA_ADVERTISED_LISTENERS: 'INTERNAL://kafka:9092,OUTSIDE://localhost:9094'
       KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'INTERNAL:PLAINTEXT,OUTSIDE:PLAINTEXT'
       KAFKA_INTER_BROKER_LISTENER_NAME: 'INTERNAL'
@@ -275,6 +279,7 @@ services:
       interval: 30s
       timeout: 10s
       retries: 10
+      start_period: 30s
   public-key-service:
     image: ghcr.io/sunbird-rc/sunbird-rc-public-key-service
     environment:
@@ -330,11 +335,20 @@ services:
       REDIS_URL: redis:6379
     ports:
       - '8070:8070'
+    restart: on-failure
     depends_on:
       kafka:
         condition: service_healthy
       registry:
         condition: service_healthy
+      clickhouse:
+        condition: service_healthy
+    healthcheck:
+      test: ['CMD-SHELL', 'wget -nv -t1 --spider http://localhost:8070/health || exit 1']
+      interval: 15s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
   redis:
     image: redis:latest
     ports:
@@ -368,9 +382,11 @@ services:
     ports:
       - '9002:9000'
     healthcheck:
-      test:
-        wget --no-verbose --tries=1 --spider http://localhost:8123/ping || exit
-        1
+      test: ['CMD-SHELL', 'clickhouse-client --query "SELECT 1" 2>/dev/null | grep -q "^1"']
+      interval: 15s
+      timeout: 10s
+      retries: 20
+      start_period: 30s
   id-gen-service:
     image: ghcr.io/sunbird-rc/id-gen-service:${RELEASE_VERSION}
     ports:

docker-compose.override.yml

@@ -0,0 +1,39 @@
+version: '2.4'
+
+# Overrides for local development — all Java/Node V2 services use locally-built images
+services:
+  db:
+    image: postgres:14
+    ports: !reset
+      - '5433:5432'   # host port 5433 to avoid conflict with local postgres
+
+  registry:
+    image: sunbird-rc-core:local
+    environment:
+      - certificate_enabled=true
+
+  keycloak:
+    platform: linux/amd64
+
+  claim-ms:
+    image: sunbird-rc-claim-ms:local
+
+  # Node.js V2 services — built from services/* in this repo for linux/amd64
+  identity:
+    platform: linux/amd64
+    image: sunbird-rc-identity:local
+    environment:
+      # dedicated DB avoids Prisma P3005 conflict with the Java registry schema
+      - DATABASE_URL=postgres://postgres:${POSTGRES_PASSWORD}@db:5432/identity
+
+  credential-schema:
+    platform: linux/amd64
+    image: sunbird-rc-credential-schema:local
+    environment:
+      - DATABASE_URL=postgres://postgres:${POSTGRES_PASSWORD}@db:5432/credential_schema
+
+  credential:
+    platform: linux/amd64
+    image: sunbird-rc-credential:local
+    environment:
+      - DATABASE_URL=postgres://postgres:${POSTGRES_PASSWORD}@db:5432/credential

docker-compose.yml

@@ -21,8 +21,6 @@ services:
           'curl',
           '-f',
           'localhost:9200/_cluster/health',
-          '--header',
-          'Authorization: Basic ZWxhc3RpYzpEa0llZFBQU0Ni',
         ]
       interval: 30s
       timeout: 10s
@@ -36,7 +34,7 @@ services:
     environment:
       - POSTGRES_DB=registry
       - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
     healthcheck:
       test: ['CMD-SHELL', 'pg_isready -U postgres']
       interval: 10s
@@ -50,7 +48,7 @@ services:
     environment:
       - connectionInfo_uri=jdbc:postgresql://db:5432/registry
       - connectionInfo_username=postgres
-      - connectionInfo_password=postgres
+      - connectionInfo_password=${POSTGRES_PASSWORD}
       - encryption_enabled=${ENCRYPTION_ENABLED-false}
       - encryption_health_check_url=http://encryption-service:8013/health
       - encryption_uri=http://encryption-service:8013/crypto/v1/_encrypt
@@ -112,11 +110,11 @@ services:
       - sunbird_keycloak_user_set_password=true
       - filestorage_enabled=${FILESSTORAGE_ENABLED-false}
       - filestorage_connection_url=http://file-storage:9000
-      - filestorage_access_key=admin
-      - filestorage_secret_key=12345678
+      - filestorage_access_key=${MINIO_ROOT_USER}
+      - filestorage_secret_key=${MINIO_ROOT_PASSWORD}
       - filestorage_bucket_key=issuance
       - registry_base_apis_enable=false
-      - sunbird_keycloak_user_password=abcd@123
+      - sunbird_keycloak_user_password=${KEYCLOAK_DEFAULT_USER_PASSWORD}
       - logging.level.root=INFO
       - enable_external_templates=true
       - async_enabled=${ASYNC_ENABLED-false}
@@ -133,7 +131,7 @@ services:
       - notification_enabled=${NOTIFICATION_ENABLED-false}
       - notification_url=${NOTIFICATION_URL-http://notification-ms:8765/notification-service/v1/notification}
     ports:
-      - '8081:8081'
+      - '8091:8081'
     depends_on:
       db:
         condition: service_healthy
@@ -159,9 +157,9 @@ services:
       - DB_PORT=5432
       - DB_DATABASE=registry
       - DB_USER=postgres
-      - DB_PASSWORD=postgres
-      - KEYCLOAK_USER=${KEYCLOAK_ADMIN_USER-admin}
-      - KEYCLOAK_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD-admin}
+      - DB_PASSWORD=${POSTGRES_PASSWORD}
+      - KEYCLOAK_USER=${KEYCLOAK_ADMIN_USER}
+      - KEYCLOAK_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
       - KEYCLOAK_IMPORT=/opt/jboss/keycloak/imports/realm-export.json
       - PROXY_ADDRESS_FORWARDING=true
     healthcheck:
@@ -180,7 +178,7 @@ services:
     environment:
       - connectionInfo_uri=jdbc:postgresql://db:5432/registry
       - connectionInfo_username=postgres
-      - connectionInfo_password=postgres
+      - connectionInfo_password=${POSTGRES_PASSWORD}
       - sunbirdrc_url=http://registry:8081
     ports:
       - '8082:8082'
@@ -299,8 +297,8 @@ services:
     volumes:
       - ${HOME}/minio/data:/data
     environment:
-      - MINIO_ROOT_USER=admin
-      - MINIO_ROOT_PASSWORD=12345678
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
     command: server --address 0.0.0.0:9000 --console-address 0.0.0.0:9001 /data
     ports:
       - '9000:9000'