build: gradlew local couldn't use occmd in container

.env

-# exclude from git with:
+# task 1/3 exclude from git with:
 # git update-index --skip-worktree .env
 # revert:
 # git update-index --no-skip-worktree .env
@@ -7,9 +7,36 @@
 # git update-index --assume-unchanged .env
 # revert:
 # git update-index --no-assume-unchanged .env
-#
+
+# region: task 2/3 your personal configuration
 # e.g. oc000... from https://keycloak.opencode.de/auth/realms/osr/account/#/personal-info
 SECRET_OC_GL_USER=
 # https://gitlab.opencode.de/-/user_settings/personal_access_tokens
 # with read_api, read_user, read_repository, read_registry
 SECRET_OC_GL_APIKEY=
+
+# task 3/3 for bind mount you should set your personal uid/gid
+# get e.g. via: id -u
+LOCAL_USER_ID="1001"
+LOCAL_GROUP_ID="1001"
+# endregion:
+
+# probably you don't want to touch the following:
+# used for "local" profile + gradle run and run-container
+SPRING_PROFILES_ACTIVE=local
+OCCMD_PATH=tools/occmd/occmd-container.sh
+XDG_CONFIG_HOME=.tmp/app/.config/
+GIT_CLONE_TARGET_DIRECTORY=.tmp/app/git/
+host=127.0.0.1
+
+MANAGEMENT_PORT=4001
+PROJECT_IDS=1448,2991,1317,560,2188,2155,2149,2235
+CORS_ORIGIN=*
+PORT=4000
+DB_USER=sa
+DB_NAME=dataprovider
+DB_PORT=26257
+ADMIN_PASSWORD=01234567890123456789
+ADMIN_USERNAME=012345678901234567890123456789
+HMAC_KEY=012345678901234567890123456789
+API_KEY=012345678901234567890123456789

.gitignore

@@ -6,3 +6,5 @@ bin
 **/.DS_Store
 src/test/testResults/*
 app/backend/tools/db/cockroach-data
+**/.tmp
+**/*.log

app/backend/tools/occmd/Dockerfile

-FROM python:3.10
-
-# Keeps Python from generating .pyc files in the container
-ENV PYTHONDONTWRITEBYTECODE=1
-
-# Turns off buffering for easier container logging
-ENV PYTHONUNBUFFERED=1
-
-# Install dependencies needed to run OCCMD tool
-# file is needed by https://github.com/fkie-cad/fact_helper_file
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    git \
-    python3 \
-    python3-pip \
-    libmagic1 \
-    file && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN pip install --upgrade pip
-
-WORKDIR /app
-RUN git clone --depth 1 https://gitlab.opencode.de/opencode-analyzer/occmd-public /app
-RUN python -m pip install -r requirements.txt
-COPY occmdcfg.ini .
-
-# Optional: avoid cloning blacklist on each run
-WORKDIR /app/resources/checks/checked_in_binaries/blacklist
-RUN git clone \
---depth 1 \
-https://gitlab.opencode.de/opencode-analyzer/occmd-checked_in_binaries-blacklist \
-/app/resources/checks/checked_in_binaries/blacklist
-
-# Creates a non-root user with an explicit UID and adds permission to access the /app folder
-# For more info, please refer to https://aka.ms/vscode-docker-python-configure-containers
-RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app
-USER appuser
-
-# During debugging, this entry point will be overridden. For more information, please refer to https://aka.ms/vscode-docker-python-debug
-WORKDIR /app
-ENTRYPOINT ["/app/occmd"]
-CMD ["--help"]
\ No newline at end of file

app/backend/tools/occmd/occmd-container.sh

+#!/bin/bash
+
+set -euo pipefail
+script_folder=$(realpath "$(dirname "$0")")
+
+(
+  URL=${5}
+  cd "$script_folder" > /dev/null
+
+  # create debug file
+  DEBUG_FILE="occmd-container.sh.debug.log"
+  exec 5> "$DEBUG_FILE"
+  BASH_XTRACEFD="5"
+  set -x
+
+  cd ../../../../ > /dev/null
+  # free up port
+  docker compose down data-provider >&5 2>&5
+  # start occmd
+  docker compose --profile occmd up -d occmd >&5 2>&5
+  # run occmd
+  # all env variables are set in called script
+  docker exec -e OC_GL_URL="$URL" opencode-occmd-1 /app/scripts/occmd.sh "$@" #only this output is allowed to be visible
+) 2>&1 | tee "$script_folder/occmd-container.sh.log"

build.gradle.kts

@@ -21,6 +21,17 @@ tasks.register("run") {
     group = "OpenCoDE"
     description = "Runs the dataprovider against the database, you should be sure database is running."
     dependsOn(gradle.includedBuild("app").task(":backend:bootRun"))
+
+    // check if db is started and reports healthy
+    doFirst {
+        val checkHealthCmd = "docker inspect --format='{{.State.Health.Status}}' opencode-db-1"
+        val process = Runtime.getRuntime().exec(checkHealthCmd)
+        val healthStatus = process.inputStream.bufferedReader().readText().trim()
+
+        if (healthStatus != "healthy") {
+            throw GradleException("Database container 'opencode-db-1' is not healthy. Please start db first via run-db task. Current db status: \"$healthStatus\" (empty = no db started)")
+        }
+    }
 }
 
 tasks.register<Exec>("run-container") {

docker-compose.yml

@@ -12,27 +12,40 @@ services:
         image: data-provider
         build:
             context: .
+            args:
+                - UID=${LOCAL_USER_ID}
+                - GID=${LOCAL_GROUP_ID}
         environment:
+            - SPRING_PROFILES_ACTIVE=local
             - OCCMD_PATH=/app/scripts/occmd.sh
-            - OC_GL_USER=${SECRET_OC_GL_USER}
-            - OC_GL_APIKEY=${SECRET_OC_GL_APIKEY}
             - XDG_CONFIG_HOME=/app/.config/
             - GIT_CLONE_TARGET_DIRECTORY=/app/git/
-            - MANAGEMENT_PORT=4001
-            - PROJECT_IDS=1448,2991,1317,560,2188,2155,2149,2235 # occmd-public, Covid19 fraud detection, Opendesk, Helm chart, e2e tests
-            - CORS_ORIGIN=* # Must be without quotes i.e. allow everything: * | originally https://sec-kpi.opencode.de
-
-            - PORT=4000
             - host=db
-            - DB_USER=sa
-            - DB_NAME=dataprovider
-            - DB_PORT=26257
 
-            - ADMIN_PASSWORD=01234567890123456789
-            - ADMIN_USERNAME=012345678901234567890123456789
-            - HMAC_KEY=012345678901234567890123456789
-            - API_KEY=012345678901234567890123456789
+            - OC_GL_USER=${SECRET_OC_GL_USER}
+            - OC_GL_APIKEY=${SECRET_OC_GL_APIKEY}
 
-            - SPRING_PROFILES_ACTIVE=local
+            - MANAGEMENT_PORT=${MANAGEMENT_PORT}
+            - PROJECT_IDS=${PROJECT_IDS} # occmd-public, Covid19 fraud detection, Opendesk, Helm chart, e2e tests
+            - CORS_ORIGIN=${CORS_ORIGIN} # Must be without quotes i.e. allow everything: * | originally https://sec-kpi.opencode.de
+            - PORT=${PORT}
+            - DB_USER=${DB_USER}
+            - DB_NAME=${DB_NAME}
+            - DB_PORT=${DB_PORT}
+            - ADMIN_PASSWORD=${ADMIN_PASSWORD}
+            - ADMIN_USERNAME=${ADMIN_USERNAME}
+            - HMAC_KEY=${HMAC_KEY}
+            - API_KEY=${API_KEY}
         ports:
-            - 4000:4000
+            - ${PORT}:${PORT}
+    occmd:
+        profiles: [occmd]
+        image: data-provider
+        entrypoint: ["tail", "-f", "/dev/null"]
+        environment:
+            - OC_GL_USER=${SECRET_OC_GL_USER}
+            - OC_GL_APIKEY=${SECRET_OC_GL_APIKEY}
+        volumes:
+            - type: bind
+              source: app/backend/.tmp
+              target: /occmd/.tmp/