Using Spring Boot's cloud native buildpack functionality to create a docker image, the /workspace directory in the image will have files with permissions that come from the building system's file system.
For example, if the build process creates a file at ./build/generated-resources/static/favicon.ico that is world writable (chmod 666), then that file will be world writable in the bootBuildImage produced docker image at /workspace/BOOT-INF/classes/static/favicon.ico. This can be done by running umask 0000 before running ./gradlew bootBuildImage.
No files under /workspace should be world writable. World writable files are a violation of recommendations from the CIS Benchmarks and other security standards, example documentation: https://www.tenable.com/audits/items/CIS_SUSE_Linux_Enterprise_Workstation_11_v2.1.0_L1.audit:ffc7b53d7c43ea8da23cd2e6aa9e19c3
When bootBuildImage adds the files to the docker image, it should unset the world writable permission.
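To check a built image for the condition described above, here is an added example (not part of the original issue, Spring Boot or the buildpacks): it scans a layer tar (as written by `docker save`, assumed to use paths relative to the image root, so `/workspace` appears as `workspace/`) for entries with the world-write bit set and rewrites the layer with that bit cleared. The layer it inspects is a constructed sample, not a real image.

```python
import io
import stat
import tarfile

WORLD_WRITE = stat.S_IWOTH  # the o+w bit, 0o002

def build_sample_layer() -> bytes:
    """Constructed stand-in for one saved image layer: a file left
    world writable (as after umask 0000 at build time) and a sane one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in [
            ("workspace/BOOT-INF/classes/static/favicon.ico", 0o666),
            ("workspace/BOOT-INF/classes/application.properties", 0o644),
        ]:
            data = b"constructed sample content"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def world_writable_paths(layer: bytes, prefix: str = "workspace/") -> list[str]:
    """Return entries under prefix whose mode carries the world-write bit."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        return [
            m.name for m in tar.getmembers()
            if m.name.startswith(prefix) and m.mode & WORLD_WRITE
        ]

def strip_world_write(layer: bytes, prefix: str = "workspace/") -> bytes:
    """Rewrite the layer with o-w cleared on every entry under prefix;
    other metadata and file contents are copied unchanged."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            if m.name.startswith(prefix):
                m.mode &= ~WORLD_WRITE
            content = src.extractfile(m) if m.isfile() else None
            dst.addfile(m, content)
    return out.getvalue()

if __name__ == "__main__":
    layer = build_sample_layer()
    print("world writable:", world_writable_paths(layer))
    print("after fix:", world_writable_paths(strip_world_write(layer)))
```

Against a real image, extract the layer tars from `docker save <image>` and run `world_writable_paths` over each; an empty result for every layer is what the CIS recommendation expects.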
Comment From: wilkinsona
Thanks for the suggestion. The use of the workspace directory is governed by Cloud Native Buildpacks. A change in bootBuildImage wouldn’t help other clients such as pack so I don’t think it’s the right approach. If a change is to be made it would be better done within the buildpacks so that all clients provide a consistent experience. If you want to pursue this, I would start by discussing it with the CNB community.
Comment From: candrews
> If you want to pursue this, I would start by discussing it with the CNB community.
I can't figure out what project(s) to start with, so I've asked that question at https://github.com/buildpacks/community/discussions/229
If you (or anyone else) can point me in the right direction in terms of the project/tool to which I should contribute, I'd be more than happy to figure out how to make this fix and submit a PR.
Thank you again!
Comment From: wilkinsona
FWIW, I would have started with GitHub discussions or Slack so I think you're already in the right place. I'm not sure where in the CNB landscape the change would have to be made, perhaps the lifecycle but that's not much more than a guess.