SONAR-22581 docker image openshift hardening

10/community/Dockerfile

@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,17 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
-    useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +59,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

10/community/sonar.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGUzCCBDugAwIBAgIUYW5N+Lc/MZ4mGwcX4A7nRIi/5g4wDQYJKoZIhvcNAQEL
+BQAwgbgxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdl
+bmV2YTEUMBIGA1UECgwLU29uYXJTb3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJh
+c3RydWN0dXJlMSwwKgYDVQQDDCNTb25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5z
+cGVjdGlvbjEkMCIGCSqGSIb3DQEJARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMB4X
+DTIzMDgxNTE0MTIxMVoXDTMzMDgxMjE0MTIxMVowgbgxCzAJBgNVBAYTAkNIMQ8w
+DQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UECgwLU29uYXJT
+b3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJhc3RydWN0dXJlMSwwKgYDVQQDDCNT
+b25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5zcGVjdGlvbjEkMCIGCSqGSIb3DQEJ
+ARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEArEL8e2aSog7HumEbYCmk5Gu+P1l+fe5t4sU6Q+8iw91GH2ADFUpg
+NvlADwy3ec1eUj++bVNYA+4zl7skJ6rhnGuqvUmY/RX9joSHfT7rpugm+GdIVi/O
+loIiQFu3aTZjWuvPRNyMqaN+u/S0dNQmXavTk8lCS83JyWXeFkWclF3YaNHHbNOh
+otmMwhvzn3G+CjQ0VLFCOcy1cQJ6BS5eTyQoxSrRZmd4o0LlBhFt0fcE5+TRwoBN
+V9gyFKOPz9V6P7S40RgKQ1Vnx6sjJzP7RP55JQezu9q0u5IFgTfuBmpAPgkQ/P3E
+k1BfacNE9/Vmm6d7HhpqrEJBtN8lQNyTEciqtseUY0rAGD8Q4l/nKVWfsmbWIjuy
+lw+NmxQIR5eyHEz0AansuldxCNS/wPV26Z4mT8K5gIsRZrIHq9H2SRQ5cPZ80AQs
+Cpn0I2eb3YXUpV3g57otkqg+aJp2Mflx2tkEPDC61bY6FjWKFj0Y0z3UpBt8YaC0
+6szF8d4T03mtleEsKxVx+9my0FKjIs+8XS2vq0D8SVH0WMdtDYgdSS57NnRPZJGU
+SAkid9OnT0QFPG+qusqTqdmSnTogg+n2bpgH/mdoqnokpUVqOTEEKKuY2V1ECW2Q
+ZspD+KEmL47L+0P9S8DPpaYZnbDjr4/PSf05nfY+0upGufE7p2+J2HMCAwEAAaNT
+MFEwHQYDVR0OBBYEFCZCv0xQMi2R0Vwu+bJwzuaoSksAMB8GA1UdIwQYMBaAFCZC
+v0xQMi2R0Vwu+bJwzuaoSksAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAJwYPpr0yWuujLy3uipsC8MpYQekBo9CipY9jRy+V61GHbj9eIPfUHYu
+HqzgPOPufeg1mJ7mBkZZOURLQyB2jRiHcnOvQ8ZLMYFDvwPSF2HZ4QckSK+/lIl8
+tjLysB03QW52hywgSSNAcFKtofDa/fev/45ooS0yeMDp/8F8FcPaPwPMKmDyp4w3
+2+JdvWWoJOlNpBx7UmmRjfBbS8oKBHZz5neip8dQ0uF7lW6PNP8rf6qdFa8FbyKU
+BqfUz+lPGxPHz3KmVzvZu26DGPKigJTxip18prh5NzTpNIT1DsyVErI2rX1tjd+W
+hZ2ZdTFojTz40ChTHw6n80Wm3GDvyur5r1fGBZcG4YFW1RrgklJwEli7wQEQwWp3
+CWd4QXcVEtySnlwc4CUI8AxFSw74W9rHKoRu6X1rkK7jqAu5GJ9z7mc+Kd09RF6G
+ICegL3OoiwanEatuX20Y0tfUKwz8+JmAleTlZTPLAYYBzWskN3dmB/XGuM67ZgAd
+B/DD9iGPPoZeCPeqSVFzUnQwmQtu39EcTxQWogyiVoLBN9Nv6EJW2C5JcNhe7ILC
+4B5/418KuS7ZylVbNjMimvi8eFZQ2EmVuUZ7xrgPInZFA06M5fOzhkjTAdYfYDWE
+cF27SPFp9O/ZT5Q5UDMiYpJEQhQQ+4n/OME/KmdhRKvthOtlvOqT
+-----END CERTIFICATE-----

10/datacenter/app/Dockerfile

@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -25,7 +30,13 @@ ENV DOCKER_RUNNING="true" \
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        iproute2 \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -49,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
 

10/datacenter/app/sonar.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGUzCCBDugAwIBAgIUYW5N+Lc/MZ4mGwcX4A7nRIi/5g4wDQYJKoZIhvcNAQEL
+BQAwgbgxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdl
+bmV2YTEUMBIGA1UECgwLU29uYXJTb3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJh
+c3RydWN0dXJlMSwwKgYDVQQDDCNTb25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5z
+cGVjdGlvbjEkMCIGCSqGSIb3DQEJARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMB4X
+DTIzMDgxNTE0MTIxMVoXDTMzMDgxMjE0MTIxMVowgbgxCzAJBgNVBAYTAkNIMQ8w
+DQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UECgwLU29uYXJT
+b3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJhc3RydWN0dXJlMSwwKgYDVQQDDCNT
+b25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5zcGVjdGlvbjEkMCIGCSqGSIb3DQEJ
+ARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEArEL8e2aSog7HumEbYCmk5Gu+P1l+fe5t4sU6Q+8iw91GH2ADFUpg
+NvlADwy3ec1eUj++bVNYA+4zl7skJ6rhnGuqvUmY/RX9joSHfT7rpugm+GdIVi/O
+loIiQFu3aTZjWuvPRNyMqaN+u/S0dNQmXavTk8lCS83JyWXeFkWclF3YaNHHbNOh
+otmMwhvzn3G+CjQ0VLFCOcy1cQJ6BS5eTyQoxSrRZmd4o0LlBhFt0fcE5+TRwoBN
+V9gyFKOPz9V6P7S40RgKQ1Vnx6sjJzP7RP55JQezu9q0u5IFgTfuBmpAPgkQ/P3E
+k1BfacNE9/Vmm6d7HhpqrEJBtN8lQNyTEciqtseUY0rAGD8Q4l/nKVWfsmbWIjuy
+lw+NmxQIR5eyHEz0AansuldxCNS/wPV26Z4mT8K5gIsRZrIHq9H2SRQ5cPZ80AQs
+Cpn0I2eb3YXUpV3g57otkqg+aJp2Mflx2tkEPDC61bY6FjWKFj0Y0z3UpBt8YaC0
+6szF8d4T03mtleEsKxVx+9my0FKjIs+8XS2vq0D8SVH0WMdtDYgdSS57NnRPZJGU
+SAkid9OnT0QFPG+qusqTqdmSnTogg+n2bpgH/mdoqnokpUVqOTEEKKuY2V1ECW2Q
+ZspD+KEmL47L+0P9S8DPpaYZnbDjr4/PSf05nfY+0upGufE7p2+J2HMCAwEAAaNT
+MFEwHQYDVR0OBBYEFCZCv0xQMi2R0Vwu+bJwzuaoSksAMB8GA1UdIwQYMBaAFCZC
+v0xQMi2R0Vwu+bJwzuaoSksAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAJwYPpr0yWuujLy3uipsC8MpYQekBo9CipY9jRy+V61GHbj9eIPfUHYu
+HqzgPOPufeg1mJ7mBkZZOURLQyB2jRiHcnOvQ8ZLMYFDvwPSF2HZ4QckSK+/lIl8
+tjLysB03QW52hywgSSNAcFKtofDa/fev/45ooS0yeMDp/8F8FcPaPwPMKmDyp4w3
+2+JdvWWoJOlNpBx7UmmRjfBbS8oKBHZz5neip8dQ0uF7lW6PNP8rf6qdFa8FbyKU
+BqfUz+lPGxPHz3KmVzvZu26DGPKigJTxip18prh5NzTpNIT1DsyVErI2rX1tjd+W
+hZ2ZdTFojTz40ChTHw6n80Wm3GDvyur5r1fGBZcG4YFW1RrgklJwEli7wQEQwWp3
+CWd4QXcVEtySnlwc4CUI8AxFSw74W9rHKoRu6X1rkK7jqAu5GJ9z7mc+Kd09RF6G
+ICegL3OoiwanEatuX20Y0tfUKwz8+JmAleTlZTPLAYYBzWskN3dmB/XGuM67ZgAd
+B/DD9iGPPoZeCPeqSVFzUnQwmQtu39EcTxQWogyiVoLBN9Nv6EJW2C5JcNhe7ILC
+4B5/418KuS7ZylVbNjMimvi8eFZQ2EmVuUZ7xrgPInZFA06M5fOzhkjTAdYfYDWE
+cF27SPFp9O/ZT5Q5UDMiYpJEQhQQ+4n/OME/KmdhRKvthOtlvOqT
+-----END CERTIFICATE-----

10/datacenter/search/Dockerfile

@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -22,10 +27,19 @@ ENV DOCKER_RUNNING="true" \
     SONAR_CLUSTER_NODE_TYPE="search" \
     SONAR_CLUSTER_ENABLED="true"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu iproute2; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        iproute2 \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -49,7 +63,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip curl; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
 

10/datacenter/search/sonar.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGUzCCBDugAwIBAgIUYW5N+Lc/MZ4mGwcX4A7nRIi/5g4wDQYJKoZIhvcNAQEL
+BQAwgbgxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdl
+bmV2YTEUMBIGA1UECgwLU29uYXJTb3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJh
+c3RydWN0dXJlMSwwKgYDVQQDDCNTb25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5z
+cGVjdGlvbjEkMCIGCSqGSIb3DQEJARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMB4X
+DTIzMDgxNTE0MTIxMVoXDTMzMDgxMjE0MTIxMVowgbgxCzAJBgNVBAYTAkNIMQ8w
+DQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UECgwLU29uYXJT
+b3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJhc3RydWN0dXJlMSwwKgYDVQQDDCNT
+b25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5zcGVjdGlvbjEkMCIGCSqGSIb3DQEJ
+ARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEArEL8e2aSog7HumEbYCmk5Gu+P1l+fe5t4sU6Q+8iw91GH2ADFUpg
+NvlADwy3ec1eUj++bVNYA+4zl7skJ6rhnGuqvUmY/RX9joSHfT7rpugm+GdIVi/O
+loIiQFu3aTZjWuvPRNyMqaN+u/S0dNQmXavTk8lCS83JyWXeFkWclF3YaNHHbNOh
+otmMwhvzn3G+CjQ0VLFCOcy1cQJ6BS5eTyQoxSrRZmd4o0LlBhFt0fcE5+TRwoBN
+V9gyFKOPz9V6P7S40RgKQ1Vnx6sjJzP7RP55JQezu9q0u5IFgTfuBmpAPgkQ/P3E
+k1BfacNE9/Vmm6d7HhpqrEJBtN8lQNyTEciqtseUY0rAGD8Q4l/nKVWfsmbWIjuy
+lw+NmxQIR5eyHEz0AansuldxCNS/wPV26Z4mT8K5gIsRZrIHq9H2SRQ5cPZ80AQs
+Cpn0I2eb3YXUpV3g57otkqg+aJp2Mflx2tkEPDC61bY6FjWKFj0Y0z3UpBt8YaC0
+6szF8d4T03mtleEsKxVx+9my0FKjIs+8XS2vq0D8SVH0WMdtDYgdSS57NnRPZJGU
+SAkid9OnT0QFPG+qusqTqdmSnTogg+n2bpgH/mdoqnokpUVqOTEEKKuY2V1ECW2Q
+ZspD+KEmL47L+0P9S8DPpaYZnbDjr4/PSf05nfY+0upGufE7p2+J2HMCAwEAAaNT
+MFEwHQYDVR0OBBYEFCZCv0xQMi2R0Vwu+bJwzuaoSksAMB8GA1UdIwQYMBaAFCZC
+v0xQMi2R0Vwu+bJwzuaoSksAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAJwYPpr0yWuujLy3uipsC8MpYQekBo9CipY9jRy+V61GHbj9eIPfUHYu
+HqzgPOPufeg1mJ7mBkZZOURLQyB2jRiHcnOvQ8ZLMYFDvwPSF2HZ4QckSK+/lIl8
+tjLysB03QW52hywgSSNAcFKtofDa/fev/45ooS0yeMDp/8F8FcPaPwPMKmDyp4w3
+2+JdvWWoJOlNpBx7UmmRjfBbS8oKBHZz5neip8dQ0uF7lW6PNP8rf6qdFa8FbyKU
+BqfUz+lPGxPHz3KmVzvZu26DGPKigJTxip18prh5NzTpNIT1DsyVErI2rX1tjd+W
+hZ2ZdTFojTz40ChTHw6n80Wm3GDvyur5r1fGBZcG4YFW1RrgklJwEli7wQEQwWp3
+CWd4QXcVEtySnlwc4CUI8AxFSw74W9rHKoRu6X1rkK7jqAu5GJ9z7mc+Kd09RF6G
+ICegL3OoiwanEatuX20Y0tfUKwz8+JmAleTlZTPLAYYBzWskN3dmB/XGuM67ZgAd
+B/DD9iGPPoZeCPeqSVFzUnQwmQtu39EcTxQWogyiVoLBN9Nv6EJW2C5JcNhe7ILC
+4B5/418KuS7ZylVbNjMimvi8eFZQ2EmVuUZ7xrgPInZFA06M5fOzhkjTAdYfYDWE
+cF27SPFp9O/ZT5Q5UDMiYpJEQhQQ+4n/OME/KmdhRKvthOtlvOqT
+-----END CERTIFICATE-----

10/developer/Dockerfile

@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

10/developer/sonar.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGUzCCBDugAwIBAgIUYW5N+Lc/MZ4mGwcX4A7nRIi/5g4wDQYJKoZIhvcNAQEL
+BQAwgbgxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdl
+bmV2YTEUMBIGA1UECgwLU29uYXJTb3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJh
+c3RydWN0dXJlMSwwKgYDVQQDDCNTb25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5z
+cGVjdGlvbjEkMCIGCSqGSIb3DQEJARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMB4X
+DTIzMDgxNTE0MTIxMVoXDTMzMDgxMjE0MTIxMVowgbgxCzAJBgNVBAYTAkNIMQ8w
+DQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UECgwLU29uYXJT
+b3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJhc3RydWN0dXJlMSwwKgYDVQQDDCNT
+b25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5zcGVjdGlvbjEkMCIGCSqGSIb3DQEJ
+ARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEArEL8e2aSog7HumEbYCmk5Gu+P1l+fe5t4sU6Q+8iw91GH2ADFUpg
+NvlADwy3ec1eUj++bVNYA+4zl7skJ6rhnGuqvUmY/RX9joSHfT7rpugm+GdIVi/O
+loIiQFu3aTZjWuvPRNyMqaN+u/S0dNQmXavTk8lCS83JyWXeFkWclF3YaNHHbNOh
+otmMwhvzn3G+CjQ0VLFCOcy1cQJ6BS5eTyQoxSrRZmd4o0LlBhFt0fcE5+TRwoBN
+V9gyFKOPz9V6P7S40RgKQ1Vnx6sjJzP7RP55JQezu9q0u5IFgTfuBmpAPgkQ/P3E
+k1BfacNE9/Vmm6d7HhpqrEJBtN8lQNyTEciqtseUY0rAGD8Q4l/nKVWfsmbWIjuy
+lw+NmxQIR5eyHEz0AansuldxCNS/wPV26Z4mT8K5gIsRZrIHq9H2SRQ5cPZ80AQs
+Cpn0I2eb3YXUpV3g57otkqg+aJp2Mflx2tkEPDC61bY6FjWKFj0Y0z3UpBt8YaC0
+6szF8d4T03mtleEsKxVx+9my0FKjIs+8XS2vq0D8SVH0WMdtDYgdSS57NnRPZJGU
+SAkid9OnT0QFPG+qusqTqdmSnTogg+n2bpgH/mdoqnokpUVqOTEEKKuY2V1ECW2Q
+ZspD+KEmL47L+0P9S8DPpaYZnbDjr4/PSf05nfY+0upGufE7p2+J2HMCAwEAAaNT
+MFEwHQYDVR0OBBYEFCZCv0xQMi2R0Vwu+bJwzuaoSksAMB8GA1UdIwQYMBaAFCZC
+v0xQMi2R0Vwu+bJwzuaoSksAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAJwYPpr0yWuujLy3uipsC8MpYQekBo9CipY9jRy+V61GHbj9eIPfUHYu
+HqzgPOPufeg1mJ7mBkZZOURLQyB2jRiHcnOvQ8ZLMYFDvwPSF2HZ4QckSK+/lIl8
+tjLysB03QW52hywgSSNAcFKtofDa/fev/45ooS0yeMDp/8F8FcPaPwPMKmDyp4w3
+2+JdvWWoJOlNpBx7UmmRjfBbS8oKBHZz5neip8dQ0uF7lW6PNP8rf6qdFa8FbyKU
+BqfUz+lPGxPHz3KmVzvZu26DGPKigJTxip18prh5NzTpNIT1DsyVErI2rX1tjd+W
+hZ2ZdTFojTz40ChTHw6n80Wm3GDvyur5r1fGBZcG4YFW1RrgklJwEli7wQEQwWp3
+CWd4QXcVEtySnlwc4CUI8AxFSw74W9rHKoRu6X1rkK7jqAu5GJ9z7mc+Kd09RF6G
+ICegL3OoiwanEatuX20Y0tfUKwz8+JmAleTlZTPLAYYBzWskN3dmB/XGuM67ZgAd
+B/DD9iGPPoZeCPeqSVFzUnQwmQtu39EcTxQWogyiVoLBN9Nv6EJW2C5JcNhe7ILC
+4B5/418KuS7ZylVbNjMimvi8eFZQ2EmVuUZ7xrgPInZFA06M5fOzhkjTAdYfYDWE
+cF27SPFp9O/ZT5Q5UDMiYpJEQhQQ+4n/OME/KmdhRKvthOtlvOqT
+-----END CERTIFICATE-----

10/enterprise/Dockerfile

@@ -1,5 +1,10 @@
 FROM eclipse-temurin:17-jre-jammy
 
+LABEL io.k8s.description="SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
 LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
 
 ENV LANG='en_US.UTF-8' \
@@ -20,10 +25,18 @@ ENV DOCKER_RUNNING="true" \
     SQ_LOGS_DIR="/opt/sonarqube/logs" \
     SQ_TEMP_DIR="/opt/sonarqube/temp"
 
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
 RUN set -eux; \
     useradd --system --uid 1000 --gid 0 sonarqube; \
     apt-get update; \
-    apt-get --no-install-recommends -y install gnupg unzip curl bash fonts-dejavu; \
+    apt-get --no-install-recommends -y install \
+        bash \
+        curl \
+        fonts-dejavu \
+        gnupg \
+        unzip; \
     echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
     sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
     # pub   2048R/D26468DE 2015-05-25
@@ -47,7 +60,10 @@ RUN set -eux; \
     chmod -R 550 ${SONARQUBE_HOME}; \
     chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
     apt-get remove -y gnupg unzip; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*; \
+    apt-get clean;
+
+VOLUME ["${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"]
 
 COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
 

10/enterprise/sonar.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGUzCCBDugAwIBAgIUYW5N+Lc/MZ4mGwcX4A7nRIi/5g4wDQYJKoZIhvcNAQEL
+BQAwgbgxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdl
+bmV2YTEUMBIGA1UECgwLU29uYXJTb3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJh
+c3RydWN0dXJlMSwwKgYDVQQDDCNTb25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5z
+cGVjdGlvbjEkMCIGCSqGSIb3DQEJARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMB4X
+DTIzMDgxNTE0MTIxMVoXDTMzMDgxMjE0MTIxMVowgbgxCzAJBgNVBAYTAkNIMQ8w
+DQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UECgwLU29uYXJT
+b3VyY2UxHTAbBgNVBAsMFElUT3BzIEluZnJhc3RydWN0dXJlMSwwKgYDVQQDDCNT
+b25hci1GR1QtRlctVExTLVRyYWZmaWMtSW5zcGVjdGlvbjEkMCIGCSqGSIb3DQEJ
+ARYVaW5mcmFAc29uYXJzb3VyY2UuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEArEL8e2aSog7HumEbYCmk5Gu+P1l+fe5t4sU6Q+8iw91GH2ADFUpg
+NvlADwy3ec1eUj++bVNYA+4zl7skJ6rhnGuqvUmY/RX9joSHfT7rpugm+GdIVi/O
+loIiQFu3aTZjWuvPRNyMqaN+u/S0dNQmXavTk8lCS83JyWXeFkWclF3YaNHHbNOh
+otmMwhvzn3G+CjQ0VLFCOcy1cQJ6BS5eTyQoxSrRZmd4o0LlBhFt0fcE5+TRwoBN
+V9gyFKOPz9V6P7S40RgKQ1Vnx6sjJzP7RP55JQezu9q0u5IFgTfuBmpAPgkQ/P3E
+k1BfacNE9/Vmm6d7HhpqrEJBtN8lQNyTEciqtseUY0rAGD8Q4l/nKVWfsmbWIjuy
+lw+NmxQIR5eyHEz0AansuldxCNS/wPV26Z4mT8K5gIsRZrIHq9H2SRQ5cPZ80AQs
+Cpn0I2eb3YXUpV3g57otkqg+aJp2Mflx2tkEPDC61bY6FjWKFj0Y0z3UpBt8YaC0
+6szF8d4T03mtleEsKxVx+9my0FKjIs+8XS2vq0D8SVH0WMdtDYgdSS57NnRPZJGU
+SAkid9OnT0QFPG+qusqTqdmSnTogg+n2bpgH/mdoqnokpUVqOTEEKKuY2V1ECW2Q
+ZspD+KEmL47L+0P9S8DPpaYZnbDjr4/PSf05nfY+0upGufE7p2+J2HMCAwEAAaNT
+MFEwHQYDVR0OBBYEFCZCv0xQMi2R0Vwu+bJwzuaoSksAMB8GA1UdIwQYMBaAFCZC
+v0xQMi2R0Vwu+bJwzuaoSksAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAJwYPpr0yWuujLy3uipsC8MpYQekBo9CipY9jRy+V61GHbj9eIPfUHYu
+HqzgPOPufeg1mJ7mBkZZOURLQyB2jRiHcnOvQ8ZLMYFDvwPSF2HZ4QckSK+/lIl8
+tjLysB03QW52hywgSSNAcFKtofDa/fev/45ooS0yeMDp/8F8FcPaPwPMKmDyp4w3
+2+JdvWWoJOlNpBx7UmmRjfBbS8oKBHZz5neip8dQ0uF7lW6PNP8rf6qdFa8FbyKU
+BqfUz+lPGxPHz3KmVzvZu26DGPKigJTxip18prh5NzTpNIT1DsyVErI2rX1tjd+W
+hZ2ZdTFojTz40ChTHw6n80Wm3GDvyur5r1fGBZcG4YFW1RrgklJwEli7wQEQwWp3
+CWd4QXcVEtySnlwc4CUI8AxFSw74W9rHKoRu6X1rkK7jqAu5GJ9z7mc+Kd09RF6G
+ICegL3OoiwanEatuX20Y0tfUKwz8+JmAleTlZTPLAYYBzWskN3dmB/XGuM67ZgAd
+B/DD9iGPPoZeCPeqSVFzUnQwmQtu39EcTxQWogyiVoLBN9Nv6EJW2C5JcNhe7ILC
+4B5/418KuS7ZylVbNjMimvi8eFZQ2EmVuUZ7xrgPInZFA06M5fOzhkjTAdYfYDWE
+cF27SPFp9O/ZT5Q5UDMiYpJEQhQQ+4n/OME/KmdhRKvthOtlvOqT
+-----END CERTIFICATE-----