ALS-10615: Split docker build into build and application dockerfiles

[ramari16]

No description provided.

[dbmi-svc-checkmarx]

Checkmarx One – Scan Summary & Details – 997420a2-2f27-4dde-81d0-16f32112f5e0

New Issues (57)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2023-44487	Maven-io.netty:netty-codec-http2-4.1.94.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-24970	Maven-io.netty:netty-handler-4.1.94.Final	details Recommended version: 4.1.118.Final Description: Netty, an asynchronous, event-driven network application framework, has a vulnerability in version 4.1.91.Final through 4.1.117.Final and 4.2.0.Alp... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-41249	Maven-org.springframework:spring-core-6.2.8	details Recommended version: 6.2.11 Description: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2025-55163	Maven-io.netty:netty-codec-http2-4.1.94.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous, event-driven network application framework. Netty is vulnerable to the "MadeYouReset" DDoS attack. This is a logical vuln... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2025-55163	Maven-io.netty:netty-codec-http2-4.1.122.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous, event-driven network application framework. Netty is vulnerable to the "MadeYouReset" DDoS attack. This is a logical vuln... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2025-5805	Maven-io.netty:netty-codec-http-4.1.122.Final	details Recommended version: 4.1.129.Final Description: Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This iss... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2025-5805	Maven-io.netty:netty-codec-http-4.1.94.Final	details Recommended version: 4.1.129.Final Description: Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This iss... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2025-59250	Maven-com.microsoft.sqlserver:mssql-jdbc-8.2.2.jre11	details Recommended version: 10.2.4.jre11 Description: Improper input validation in JDBC Driver for SQL Server versions 0.2.0-SNAPSHOT.jre8-preview through 10.2.3.jre17, 11.2.0.jre8 through 11.2.3.jre18... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		Missing User Instruction	/Dockerfile: 3	details Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
10		Missing User Instruction	/Dockerfile: 13	details Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
11		CVE-2024-29025	Maven-io.netty:netty-codec-http-4.1.94.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for the rapid development of maintainable high-performance protocol servers & c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2024-47535	Maven-io.netty:netty-common-4.1.94.Final	details Recommended version: 4.1.108.Final-redhat-00002 Description: Netty is an asynchronous event-driven network application framework for rapidly developing maintainable high-performance protocol servers & clients... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
13		CVE-2025-11226	Maven-ch.qos.logback:logback-core-1.5.18	details Recommended version: 1.5.25 Description: Arbitrary Code Execution (ACE) vulnerability in conditional configuration file processing by QOS.CH logback-core versions through 1.5.18 in Java ap... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
14		CVE-2025-41242	Maven-org.springframework:spring-webmvc-6.2.8	details Recommended version: 6.2.10 Description: Spring Framework MVC applications version through 6.2.9 can be vulnerable to a Path Traversal Vulnerability, when deployed on a non-compliant Servl... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
15		CVE-2025-48924	Maven-org.apache.commons:commons-lang3-3.17.0	details Recommended version: 3.18.0 Description: Uncontrolled Recursion vulnerability in Apache Commons Lang. The methods `ClassUtils.getClass(...)` can `throwStackOverflowError` on very long inpu... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2025-58057	Maven-io.netty:netty-codec-http-4.1.122.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		CVE-2025-58057	Maven-io.netty:netty-codec-4.1.94.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18		CVE-2025-58057	Maven-io.netty:netty-codec-http2-4.1.122.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2025-58057	Maven-io.netty:netty-codec-4.1.122.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2025-58057	Maven-io.netty:netty-codec-http-4.1.94.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2025-58057	Maven-io.netty:netty-codec-http2-4.1.94.Final	details Recommended version: 4.1.123.Final-redhat-00001 Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clien... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22		CVE-2025-67735	Maven-io.netty:netty-codec-http-4.1.94.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.x prior to 4.2.8.Final, the `io.ne... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23		CVE-2025-67735	Maven-io.netty:netty-codec-http-4.1.122.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.x prior to 4.2.8.Final, the `io.ne... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24		Container Capabilities Unrestricted	/docker-compose-csv-loader.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec...
25		Container Capabilities Unrestricted	/docker-compose-variant-loader.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec...
26		Container Capabilities Unrestricted	/docker-compose-sql-loader.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec...
27		Container Capabilities Unrestricted	/docker-compose-variantmetadata-loader.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec...
28		Container Capabilities Unrestricted	/docker-compose-csv-dumper.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec...
29		Healthcheck Not Set	/docker-compose-variantmetadata-loader.yml: 3	details Check containers periodically to see if they are running properly.
30		Healthcheck Not Set	/docker-compose-csv-dumper.yml: 3	details Check containers periodically to see if they are running properly.
31		Healthcheck Not Set	/docker-compose-variant-loader.yml: 3	details Check containers periodically to see if they are running properly.
32		Healthcheck Not Set	/docker-compose-sql-loader.yml: 3	details Check containers periodically to see if they are running properly.
33		Healthcheck Not Set	/docker-compose-csv-loader.yml: 3	details Check containers periodically to see if they are running properly.
34		Memory Not Limited	/docker-compose-csv-loader.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ...
35		Memory Not Limited	/docker-compose-sql-loader.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ...
36		Memory Not Limited	/docker-compose-csv-dumper.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ...
37		Memory Not Limited	/docker-compose-variantmetadata-loader.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ...
38		Memory Not Limited	/docker-compose-variant-loader.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ...
39		Security Opt Not Set	/docker-compose-csv-dumper.yml: 3	details Attribute 'security_opt' should be defined.
40		Security Opt Not Set	/docker-compose-sql-loader.yml: 3	details Attribute 'security_opt' should be defined.
41		Security Opt Not Set	/docker-compose-variantmetadata-loader.yml: 3	details Attribute 'security_opt' should be defined.
42		Security Opt Not Set	/docker-compose-variant-loader.yml: 3	details Attribute 'security_opt' should be defined.
43		Security Opt Not Set	/docker-compose-csv-loader.yml: 3	details Attribute 'security_opt' should be defined.
44		Unpinned Package Version in Apk Add	/Dockerfile: 15	details Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
45		Yum install Without Version	/Dockerfile: 3	details Not specifying the package version can cause failures due to unanticipated changes in required packages
46		CVE-2025-58056	Maven-io.netty:netty-codec-http-4.1.94.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
47		CVE-2025-58056	Maven-io.netty:netty-codec-http-4.1.122.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
48		CVE-2026-1225	Maven-ch.qos.logback:logback-core-1.5.18	details Recommended version: 1.5.25 Description: ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attac... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
49		Cpus Not Limited	/docker-compose-variant-loader.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
50		Cpus Not Limited	/docker-compose-csv-loader.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
51		Cpus Not Limited	/docker-compose-sql-loader.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
52		Cpus Not Limited	/docker-compose-variantmetadata-loader.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
53		Cpus Not Limited	/docker-compose-csv-dumper.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
54		Healthcheck Instruction Missing	/Dockerfile: 3	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
55		Healthcheck Instruction Missing	/Dockerfile: 13	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
56		Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 19	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.
57		Unpinned Actions Full Length Commit SHA	/label-checker.yml: 17	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR