17 changes: 8 additions & 9 deletions components/ambient-api-server/Dockerfile.openapi
@@ -1,19 +1,18 @@
FROM docker.io/openapitools/openapi-generator-cli:v7.16.0
FROM registry.access.redhat.com/ubi9/ubi:9.7
@ktdreyer ktdreyer Mar 18, 2026


Suggested change
FROM registry.access.redhat.com/ubi9/ubi:9.7
FROM registry.access.redhat.com/ubi9:latest


RUN apt-get update
RUN apt-get install -y make sudo git golang-1.21
# Install Java (to run openapi-generator), Go (for gofmt), and git
RUN dnf install -y java-17-openjdk-headless go-toolset git && dnf clean all

Suggested change
RUN dnf install -y java-17-openjdk-headless go-toolset git && dnf clean all
RUN dnf install -y java-17-openjdk-headless go-toolset git-core && dnf clean all


# Download openapi-generator-cli JAR
RUN curl -L -o /usr/local/bin/openapi-generator-cli.jar \
https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
Comment on lines +7 to +8

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read its full content
fd -t f "Dockerfile.openapi" --exec cat -n {}

Repository: ambient-code/platform

Length of output: 963


🏁 Script executed:

# Also search for any checksum or SHA references in the same directory
rg -A 5 -B 5 "openapi-generator" components/ambient-api-server/ 2>/dev/null || echo "No matches found"

Repository: ambient-code/platform

Length of output: 22302


🏁 Script executed:

# Check git history to see if there were related changes
git log --oneline --all -- "components/ambient-api-server/Dockerfile.openapi" 2>/dev/null | head -20

Repository: ambient-code/platform

Length of output: 249


Harden the JAR download with fail-fast and integrity verification

On lines 7–8, curl -L without the -f flag can silently save HTTP error pages, and the downloaded JAR is executed without checksum validation. This creates a supply-chain risk.

Proposed fix
+ARG OPENAPI_GENERATOR_VERSION=7.16.0
+ARG OPENAPI_GENERATOR_SHA512=<pin-from-maven-central>
 # Download openapi-generator-cli JAR
-RUN curl -L -o /usr/local/bin/openapi-generator-cli.jar \
-    https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
+RUN curl -fsSL -o /tmp/openapi-generator-cli.jar \
+    "https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/${OPENAPI_GENERATOR_VERSION}/openapi-generator-cli-${OPENAPI_GENERATOR_VERSION}.jar" \
+ && echo "${OPENAPI_GENERATOR_SHA512}  /tmp/openapi-generator-cli.jar" | sha512sum -c - \
+ && mv /tmp/openapi-generator-cli.jar /usr/local/bin/openapi-generator-cli.jar
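Review bot: the `ARG OPENAPI_GENERATOR_SHA512=<pin-from-maven-central>` line at the top of the proposed fix still carries a placeholder, so as written the `sha512sum -c` step fails on every build until the real digest is filled in; and because the digest is a build `ARG`, anyone running the build can replace it with `--build-arg OPENAPI_GENERATOR_SHA512=...`, which turns the pin into a default rather than an enforced value. If the goal is a fixed pin, hardcode the digest next to the version (or keep the ARG only for the version and hardcode the checksum) so the build cannot be pointed at a different JAR without a visible change to the Dockerfile.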
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@components/ambient-api-server/Dockerfile.openapi` around lines 7 - 8, The RUN
that downloads openapi-generator-cli.jar uses curl -L which can silently save
HTTP error pages and doesn't verify integrity; update the RUN that writes
/usr/local/bin/openapi-generator-cli.jar to use curl --fail --show-error
--location (and ideally --retry) so it fails fast on HTTP errors, then download
the corresponding checksum (e.g., openapi-generator-cli-7.16.0.jar.sha256 or
.sha256sum) from the same Maven coordinates and verify the JAR with sha256sum -c
(or perform an explicit sha256sum comparison) before installing/making
executable; ensure the build exits if the checksum verification fails so
openapi-generator-cli.jar is only used when integrity is confirmed.


agreed


RUN mkdir -p /local
COPY . /local

ENV PATH="/ambient/bin:/usr/lib/go-1.21/bin/:${PATH}"
ENV GOPATH="/ambient"
ENV GOBIN /usr/lib/go-1.21/bin/
ENV CGO_ENABLED=0

WORKDIR /local

RUN bash /usr/local/bin/docker-entrypoint.sh generate -i /local/openapi/openapi.yaml -g go -o /local/pkg/api/openapi
RUN java -jar /usr/local/bin/openapi-generator-cli.jar generate -i /local/openapi/openapi.yaml -g go -o /local/pkg/api/openapi
RUN rm /local/pkg/api/openapi/go.mod /local/pkg/api/openapi/go.sum
RUN rm -rf /local/pkg/api/openapi/test
RUN rm -rf /local/pkg/api/openapi/git_push.sh
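Review bot: the unchanged `ENV` lines near the end of the hunk still point Go at the old Debian package location, `ENV PATH="/ambient/bin:/usr/lib/go-1.21/bin/:${PATH}"` and `ENV GOBIN /usr/lib/go-1.21/bin/`, even though this change drops `golang-1.21` from apt and installs `go-toolset` via dnf on the UBI 9 base, where `go` lives under `/usr/bin` and `/usr/lib/go-1.21/bin/` does not exist. The PATH entry is therefore dead and GOBIN names a missing directory, which will surface as soon as anything runs `go install` in this image; drop the `go-1.21` segment from PATH, set GOBIN to a directory that exists (for example `/ambient/bin`, which is already first on PATH), and while touching the line switch `ENV GOBIN /usr/lib/go-1.21/bin/` to the `ENV GOBIN=...` form the neighbouring lines use.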