Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Releases: taha2samy/java_buildpack_wolfi

v1.0.1: Integrated Dynamic Memory Calculator & FIPS Hardening

Choose a tag to compare

@taha2samy taha2samy released this 05 Jun 14:17

We are excited to release v1.0.1, which introduces a major architectural upgrade: a native dynamic memory calculator running during the container startup phase via exec.d. This feature brings full parity with Paketo's memory calculation behavior while strictly preserving FIPS 140-3 cryptographic modules.

What's New in v1.0.1?

Integrated Dynamic Memory Calculator

  • Developed and compiled a dedicated java-memory-calculator utility using PyInstaller.
  • Automatically executes during the CNB launch phase (exec.d).
  • Dynamically reads the container's active cgroups memory limits (such as -m 512m or -m 1024m).
  • Calculates and injects exact JVM heap values (-Xmx and -Xms), eliminating the legacy -XX:MaxRAMPercentage fallback configs.

Full JDK Mode FIPS Hardening

  • Ported BouncyCastle FIPS libraries, truststore conversions (BCFKS), and security provider constraints to the JDK runtime mode (BP_JVM_TYPE=JDK).
  • Full parity of observability options (NMT, JMX, Debugging, JFR) across both JDK and JRE runtime phases.

Build Toolchain & System Fixes

  • Resolved PyInstaller compilation issues inside the secure Wolfi builder image by installing build-base and posix-libc-utils (providing ldd and GCC d

Hardened FIPS Java Buildpack v1.0.0

Choose a tag to compare

@taha2samy taha2samy released this 29 May 21:41

Hardened FIPS Java Buildpack v1.0.0

We are pleased to announce the first official release of the Hardened FIPS Java Buildpack (v1.0.0). This buildpack provides a highly secure Java Runtime Environment (JRE) designed for enterprise environments requiring strict FIPS 140-3 compliance, built on top of the hardened, minimal-vulnerability Wolfi OS (Distroless-style) base.

Key Features & Hardening

  • FIPS 140-3 Compliance: Enforces BouncyCastle FIPS (bc-fips, bcutil-fips, bctls-fips) as the primary security providers and disables non-approved cryptographic algorithms inside java.security.
  • Minimal Attack Surface: Built on Chainguard's wolfi-base with zero known High/Critical vulnerabilities (CVEs) and stripped of shells (bash/sh) and development tools at runtime.
  • Non-Root Execution: Automatically configures container execution under a restricted, non-root user (USER 1001).
  • Multi-Architecture Support: Fully compatible with both linux/amd64 and linux/arm64 platforms.
  • Enterprise Observability: Integrated support for Datadog, Azure Application Insights, Google Stackdriver, Java Memory Assistant, and Jattach.

Quick Start: Spring Boot Application Example

This example demonstrates how to package, compile, and run a Spring Boot 3.x web application using this custom FIPS builder.

1. Build the Spring Boot App

From your local terminal or CI/CD pipeline, run the pack command to build your application:

pack build my-fips-app \
  --path ./3-sample-app \
  --builder ghcr.io/taha2samy/java-fips-builder:latest \
  --env BP_JVM_TYPE=JRE \
  --env BP_JVM_VERSION=21

💡 Pro-Tip (Java Version Detection):
The buildpack includes an automatic detection mechanism that reads your Java version directly from your pom.xml or build.gradle configuration. However, in complex, custom, or multi-module projects, this auto-detection can sometimes fail or fallback unexpectedly. For guaranteed stability, we highly recommend explicitly declaring your target Java version using the --env BP_JVM_VERSION=<version> flag (e.g., 21, 17, 11).

2. Run the Container

Start the containerized application. The JVM will automatically start in FIPS approved-only mode:

docker run -it --rm \
  -p 8080:8080 \
  -m 512m \
  my-fips-app

3. Verify FIPS Compliance

Our Spring Boot demo contains a security test endpoint (/test-fips) that attempts to generate an insecure 1024-bit RSA key (which is forbidden in FIPS Approved Mode).

Open your browser and navigate to:
http://localhost:8080/test-fips

Expected FIPS Enforcement Output:

SUCCESS: FIPS is strictly enforced. System blocked insecure RSA-1024 key generation. Error Type: FipsUnapprovedOperationError

If the JVM successfully blocks the weak key generation, your deployment is officially FIPS-secured.