security: distroless image, dependency overrides, fix CodeQL prototype pollution

- Dockerfile: switch runtime to gcr.io/distroless/java21-debian12:nonroot,
  build shadowJar; removes wget/tar/libssh/pam/gnupg/curl from image (Trivy CVEs)
- backend: force commons-lang3 (CVE-2025-48924) and Rhino 1.7.14.1 (CVE-2025-66453)
- design-system/build-tokens.js: use Object.create(null) and hasOwnProperty
  to satisfy CodeQL prototype-polluting function finding

Made-with: Cursor

Author: MaxLuxs

Dockerfile

@@ -38,33 +38,22 @@ ENV GRADLE_OPTS="-Xmx2048m -XX:MaxMetaspaceSize=512m"
 WORKDIR /app
 RUN chmod +x ./gradlew
 
-RUN ./gradlew :backend:installDist --no-daemon --stacktrace
+RUN ./gradlew :backend:installDist :backend:shadowJar --no-daemon --stacktrace
 
 RUN ./gradlew :frontend:jsBrowserDevelopmentWebpack --no-daemon
 
 ######################################
-# Runtime stage (Jammy: avoids Alpine libpng/gnutls CVEs in Trivy scan)
+# Runtime stage (distroless: no shell, wget, tar, libssh, pam, gnupg — reduces Trivy CVEs)
 ######################################
-FROM eclipse-temurin:21-jre-jammy
+FROM gcr.io/distroless/java21-debian12:nonroot
 
 WORKDIR /app
 
-# Runtime deps: tzdata, wget for HEALTHCHECK; create non-root user
-RUN apt-get update && apt-get install -y --no-install-recommends tzdata wget && \
-    groupadd -r appgroup && useradd -r -g appgroup appuser && \
-    rm -rf /var/lib/apt/lists/*
-
-# Copy built application from build stage
-COPY --from=build /app/backend/build/install/backend ./backend
+# Single fat JAR + static assets (no OS packages → no wget/tar/libssh/curl/gnupg CVEs)
+COPY --from=build /app/backend/build/libs/backend-*.jar ./backend.jar
 COPY --from=build /app/frontend/build/kotlin-webpack/js/developmentExecutable ./static
 
-# Set ownership
-RUN chown -R appuser:appgroup /app
-
-# Switch to non-root user
-USER appuser
-
-# Set default environment variables
+# Default environment variables
 ENV HOST=0.0.0.0
 ENV PORT=18000
 ENV FLAGENT_DB_DBDRIVER=sqlite3
@@ -76,11 +65,8 @@ ENV FLAGENT_ADMIN_EMAIL=admin@local
 ENV FLAGENT_ADMIN_PASSWORD=admin
 ENV FLAGENT_JWT_AUTH_SECRET=dev-secret-min-32-chars-required-for-jwt
 
-# Expose port
+# Expose port (health: use HTTP GET from orchestrator, e.g. k8s readinessProbe to /api/v1/health)
 EXPOSE 18000
 
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-  CMD wget --no-verbose --tries=1 --spider http://localhost:18000/api/v1/health || exit 1
-
-# Run the application
-CMD ["./backend/bin/backend"]
+# Distroless entrypoint is "java -jar"; CMD is the JAR path
+CMD ["/app/backend.jar"]

backend/build.gradle.kts

@@ -10,6 +10,14 @@ plugins {
     jacoco
 }
 
+// Force safe versions for transitive deps (CVEs)
+configurations.all {
+    resolutionStrategy {
+        force("org.apache.commons:commons-lang3:${libs.versions.commons.lang3.get()}") // CVE-2025-48924
+        force("org.mozilla:rhino:1.7.14.1") // CVE-2025-66453 (toFixed DoS); from swagger-parser -> json-schema-core
+    }
+}
+
 dependencyCheck {
     failBuildOnCVSS = 11f  // Don't fail on CVSS, only report
     failOnError = false    // Don't fail when NVD is unreachable (403, 429, etc.)

design-system/build-tokens.js

@@ -108,7 +108,7 @@ function setNested(obj, path, value) {
   for (let i = 0; i < parts.length - 1; i++) {
     const p = parts[i];
     if (PROTOTYPE_POLLUTION_KEYS.has(p)) return;
-    if (!(p in cur)) cur[p] = {};
+    if (!Object.prototype.hasOwnProperty.call(cur, p)) cur[p] = Object.create(null);
     cur = cur[p];
   }
   const last = parts[parts.length - 1];
@@ -117,7 +117,7 @@ function setNested(obj, path, value) {
 }
 
 function emitTypeScript(tokens) {
-  const flat = {};
+  const flat = Object.create(null);
   for (const [name, value] of walk(tokens)) {
     setNested(flat, name, value);
   }