Don't use curl for java container health check
Done
Details
Assignee: Julian Ladisch
Reporter: Julian Ladisch
Priority: P3
Development Team: None
Created February 11, 2022 at 10:35 AM
Updated November 6, 2022 at 9:54 AM
Resolved November 3, 2022 at 3:32 PM
Activity
Craig McNally, November 3, 2022 at 3:32 PM
Curl is no longer being installed into the openjdk17 base image. See https://github.com/folio-org/folio-tools/blob/master/folio-java-docker/openjdk17/Dockerfile
Closing this as done
Description
Remove curl from the folioci/alpine-jre-openjdk-11 and folioci/alpine-jre-openjdk-17 Java images.
Many Java-based modules use curl for their health check; they set this healthChkCmd in their Jenkinsfile:
Jenkins runs this command inside of the java container (containerHealthCheck.groovy, run healthcheck, builder healthcheck).
This requires that curl is installed inside of the java container. Currently we add curl to the java container: folio-java-docker/openjdk11/Dockerfile#L14
curl should be removed from this container and replaced by busybox wget or maven integration tests.
This has several advantages:
It reduces the container size.
It reduces the attack surface. curl's security history is worse than wget's: curl CVEs, wget CVEs. FOLIO's Java container is based on Alpine, and Alpine ships with BusyBox, a multi-call binary that contains wget with a reduced number of options, further reducing the attack surface.
It reduces complexity and maintenance effort. To run a .jar file no curl is needed; containers should be as small as possible.
Module developers have several options:
Remove the build health check from the Jenkinsfile and move it into the Maven integration test phase. This is the best option because it allows adding more smoke tests. Build and start the Docker container in the Maven integration test phase and test the health endpoint. Optionally add smoke tests to check that all libraries have been correctly assembled in the shaded uber fat jar. Examples: mod-eusage-reports ApiIT, mod-oai-pmh ModTenantAPIIT
Switch from curl to wget in the healthChkCmd in the Jenkinsfile:
If a module really needs the features that curl provides it may amend its own Dockerfile:
Best practice is to combine this with apk upgrade:
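
The following audit script is an added example, not code from this ticket or from the FOLIO build tooling. It finds the two curl dependencies described above in a module checkout: a healthChkCmd in the Jenkinsfile that calls curl, and a Dockerfile that adds curl with or without apk upgrade. The function names, the `healthChkCmd = '...'` assignment syntax and the sample inputs are assumptions.

```python
import re

# Constructed samples: the assignment syntax, port and health path are assumptions.
JENKINSFILE = "healthChkCmd = 'curl -sS --fail -o /dev/null http://localhost:8081/admin/health || exit 1'\n"
DOCKERFILE = "FROM folioci/alpine-jre-openjdk-17\nRUN apk add --no-cache \\\n    curl\n"

# "curl" as a command word, not as part of a path or of another name such as libcurl.
CURL_WORD = re.compile(r"(?<![\w./-])curl(?![\w-])")
HEALTH_CMD = re.compile(r"healthChkCmd\s*=\s*(['\"])(.*?)\1")


def curl_health_checks(jenkinsfile):
    """Return (line number, command) for every healthChkCmd that calls curl."""
    hits = []
    for number, line in enumerate(jenkinsfile.splitlines(), 1):
        match = HEALTH_CMD.search(line)
        if match and CURL_WORD.search(match.group(2)):
            hits.append((number, match.group(2)))
    return hits


def apk_commands(dockerfile):
    """Yield the token list of each apk command inside a RUN instruction."""
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    for line in joined.splitlines():
        if not re.match(r"\s*RUN\s", line, re.I):
            continue
        for command in re.split(r"&&|\|\||;", line.strip()[3:]):
            tokens = command.split()
            if tokens and tokens[0] == "apk":
                yield tokens


def curl_install_status(dockerfile):
    """None if curl is not added, otherwise 'with-upgrade' or 'no-upgrade'."""
    commands = list(apk_commands(dockerfile))
    adds_curl = any(
        "add" in tokens
        and any(re.split(r"[=<>~]", pkg)[0] == "curl" for pkg in tokens)
        for tokens in commands
    )
    if not adds_curl:
        return None
    upgraded = any("upgrade" in tokens for tokens in commands)
    return "with-upgrade" if upgraded else "no-upgrade"


if __name__ == "__main__":
    print(curl_health_checks(JENKINSFILE))
    print(curl_install_status(DOCKERFILE))
```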