CMSgov · nicholas-gates · Apr 1, 2026 · Apr 2, 2026 · Apr 3, 2026 · Apr 24, 2026
@@ -1,28 +1,20 @@
-FROM eclipse-temurin:21 AS builder
-
-ARG MAVEN_VERSION=3.9.6
-ARG USER_HOME_DIR="/root"
-ARG SHA=706f01b20dec0305a822ab614d51f32b07ee11d0218175e55450242e49d2156386483b506b3a4e8a03ac8611bae96395fd5eec15f50d3013d5deed6d1ee18224
-ARG BASE_URL=https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries
-
-RUN mkdir -p /usr/share/maven /usr/share/maven/ref \
-  && for i in 1 2 3; do \
-      echo "Attempt $i to download Maven..." && \
-      curl -fsSL --connect-timeout 300 --max-time 600 -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz && break || \
-      (echo "Download failed, attempt $i of 3" && sleep 10); \
-     done \
-  && echo "${SHA}  /tmp/apache-maven.tar.gz" | sha512sum -c - \
-  && tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 \
-  && rm -f /tmp/apache-maven.tar.gz \
-  && ln -s /usr/share/maven/bin/mvn /usr/bin/mvn
-
-ENV MAVEN_HOME /usr/share/maven
-ENV MAVEN_CONFIG "$USER_HOME_DIR/.m2"
-
-COPY mvn-entrypoint.sh /usr/local/bin/mvn-entrypoint.sh
-COPY settings-docker.xml /usr/share/maven/ref/
-
-# Copy src files needed for build
+# -----------------------------
+# Builder stage
+# -----------------------------
+# Uses the official Maven image with Eclipse Temurin Java 21 on Alpine.
+# This stage is only used to compile/package the application.
+# Maven and build tools stay in this stage and are not included in the final runtime image.
+FROM maven:3.9.15-eclipse-temurin-21-alpine AS builder
+
+# Set the application source directory inside the container.
+WORKDIR /usr/src/app
+
+# Copy custom Maven settings.
+# This is useful if the build depends on internal repositories, mirrors, credentials, or proxy config.
+COPY settings-docker.xml /usr/share/maven/ref/settings-docker.xml
+
+# Copy only the source files/modules needed for the Maven build.
+# Keeping this explicit avoids copying unnecessary files into the build context.
 COPY pom.xml /usr/src/app/
 COPY commons/ /usr/src/app/commons/
 COPY test-commons/ /usr/src/app/test-commons/
@@ -32,18 +24,54 @@ COPY rest-api/ /usr/src/app/rest-api/
 COPY generate/ /usr/src/app/generate/
 COPY test-coverage/ /usr/src/app/test-coverage/
 COPY tools/docker/docker-artifacts/ /usr/src/app/tools/docker/docker-artifacts/
-WORKDIR /usr/src/app/
 
-RUN /usr/local/bin/mvn-entrypoint.sh mvn install -Dmaven.test.skip -Djacoco.skip=true -Dskip.generate=true > /dev/null
+# Build the application.
+# -B runs Maven in batch mode for CI/CD.
+# -ntp disables Maven transfer progress logs.
+# -s uses the custom Maven settings file copied above.
+# Tests, JaCoCo, and generate steps are skipped because this Docker build only packages the runtime artifact.
+RUN mvn -B -ntp \
+    -s /usr/share/maven/ref/settings-docker.xml \
+    clean install \
+    -Dmaven.test.skip=true \
+    -Djacoco.skip=true \
+    -Dskip.generate=true > /dev/null
 
-# Final stage
-FROM eclipse-temurin:21-jre
 
-RUN mkdir -p /usr/src/run/
-COPY --from=builder /usr/src/app/tools/docker/docker-artifacts /usr/src/run/
-COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/
+# -----------------------------
+# Final runtime stage
+# -----------------------------
+# Uses a pinned Alpine-based Java 21 JRE image.
+# This avoids the Ubuntu-based OS package vulnerabilities reported by Snyk
+# while keeping the runtime image smaller and more reproducible.
+FROM eclipse-temurin:21.0.10_7-jre-alpine-3.23
 
+# Set the directory where the application will run.
 WORKDIR /usr/src/run/
 
+# Copy only the runtime artifacts from the builder stage.
+# This keeps Maven, source code, and build dependencies out of the final image.
+COPY --from=builder /usr/src/app/tools/docker/docker-artifacts /usr/src/run/
+COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/rest-api.jar
+
+# Prepare the startup script for the Alpine runtime.
+# 1. Remove Windows CRLF line endings if present.
+# 2. Replace a bash shebang with sh because Alpine includes /bin/sh by default,
+#    but does not include /bin/bash unless bash is installed separately.
+# 3. Make the script executable.
+# 4. Validate that the required runtime files exist during image build.
+#
+# We intentionally do not run "apk upgrade" here.
+# The runtime image is pinned, so OS package versions come from the selected base image.
+# This keeps builds more reproducible and avoids transient failures from Alpine package repos.
+RUN sed -i 's/\r$//' /usr/src/run/qppConverter.sh \
+    && sed -i '1s|^#!/bin/bash|#!/bin/sh|' /usr/src/run/qppConverter.sh \
+    && chmod +x /usr/src/run/qppConverter.sh \
+    && test -f /usr/src/run/rest-api.jar \
+    && test -f /usr/src/run/qppConverter.sh
+
+# Application listens on 8443.
 EXPOSE 8443
-CMD ["/usr/src/run/qppConverter.sh"]
+
+# Start the application using the existing startup script.
+CMD ["/usr/src/run/qppConverter.sh"]
@@ -1,21 +1,56 @@
-FROM maven:3.9.6-eclipse-temurin-21 AS builder
+# -----------------------------
+# Builder stage
+# -----------------------------
+# Uses Maven with Eclipse Temurin Java 21 on Alpine.
+# This stage builds the application jar only.
+FROM maven:3.9.15-eclipse-temurin-21-alpine AS builder
 
+# Copy the full project into the build container.
 COPY ./ /usr/src/app/
-WORKDIR /usr/src/app/
 
-RUN mvn install -Dmaven.test.skip -Djacoco.skip=true > /dev/null
+# Set project directory.
+WORKDIR /usr/src/app/
 
-# Final stage
-FROM eclipse-temurin:21-jre
+# Build the project and create the application jar.
+# -B = batch mode, useful for CI
+# -ntp = no transfer progress, cleaner logs
+# Tests and JaCoCo are skipped because this image only needs the built runtime jar.
+RUN mvn -B -ntp install \
+    -Dmaven.test.skip=true \
+    -Djacoco.skip=true \
+    -Dskip.generate=true > /dev/null
 
-RUN apt-get update && apt-get install -y dos2unix && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir -p /usr/src/run/
-COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/
-COPY --from=builder /usr/src/app/tools/docker/docker-test-artifacts/* /usr/src/run/
-RUN dos2unix /usr/src/run/qppConverterTest.sh
+# -----------------------------
+# Final runtime stage
+# -----------------------------
+# Uses a smaller Alpine-based Eclipse Temurin Java 21 JRE image.
+# This avoids the Ubuntu-based OS package vulnerabilities reported by Snyk.
+FROM eclipse-temurin:21.0.10_7-jre-alpine-3.23
 
+# Set the runtime directory.
 WORKDIR /usr/src/run/
 
+# Copy only the built jar from the builder stage.
+# This keeps Maven, source code, and build dependencies out of the final image.
+COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/rest-api.jar
+
+# Copy test runtime artifacts, including qppConverterTest.sh.
+COPY --from=builder /usr/src/app/tools/docker/docker-test-artifacts/ /usr/src/run/
+
+# Fix the startup script for Alpine runtime:
+# 1. Remove Windows CRLF line endings if present.
+# 2. Replace #!/bin/bash with #!/bin/sh because Alpine does not include bash by default.
+# 3. Make the script executable.
+# 4. Validate that the jar and startup script exist during image build.
+RUN sed -i 's/\r$//' /usr/src/run/qppConverterTest.sh \
+    && sed -i '1s|^#!/bin/bash|#!/bin/sh|' /usr/src/run/qppConverterTest.sh \
+    && chmod +x /usr/src/run/qppConverterTest.sh \
+    && test -f /usr/src/run/rest-api.jar \
+    && test -f /usr/src/run/qppConverterTest.sh
+
+# Application test container listens on 8080.
 EXPOSE 8080
-ENTRYPOINT ["/usr/src/run/qppConverterTest.sh"]
+
+# Start the test application using the startup script.
+ENTRYPOINT ["/usr/src/run/qppConverterTest.sh"]
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
 	<artifactId>acceptance-tests</artifactId>
 	<groupId>gov.cms.qpp.conversion</groupId>
-	<version>2026.03.31.01-RELEASE</version>
+	<version>2026.05.01.01-RELEASE</version>
 	<name>conversion-tests</name>
 	<packaging>jar</packaging>
 	<properties>
@@ -13,6 +13,12 @@
 	</properties>
 
     <dependencies>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.21.2</version>
+        </dependency>
+
         <dependency>
             <groupId>io.cucumber</groupId>
             <artifactId>cucumber-java</artifactId>
@@ -30,7 +36,7 @@
         <dependency>
             <groupId>org.seleniumhq.selenium</groupId>
             <artifactId>selenium-java</artifactId>
-            <version>4.14.0</version>
+            <version>4.14.1</version>
         </dependency>
 
         <dependency>
@@ -43,7 +49,7 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
-            <version>6.1.21</version>
+            <version>6.2.18</version>
         </dependency>
 
         <dependency>

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>gov.cms.qpp.conversion</groupId>
 		<artifactId>qpp-conversion-tool-parent</artifactId>
-		<version>2026.03.31.01-RELEASE</version>
+		<version>2026.05.01.01-RELEASE</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
@@ -68,6 +68,12 @@
 	</build>
 
 	<dependencies>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+			<version>2.21.2</version>
+		</dependency>
+
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-classic</artifactId>

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>gov.cms.qpp.conversion</groupId>
 		<artifactId>qpp-conversion-tool-parent</artifactId>
-		<version>2026.03.31.01-RELEASE</version>
+		<version>2026.05.01.01-RELEASE</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>gov.cms.qpp.conversion</groupId>
 		<artifactId>qpp-conversion-tool-parent</artifactId>
-		<version>2026.03.31.01-RELEASE</version>
+		<version>2026.05.01.01-RELEASE</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
@@ -69,6 +69,12 @@
 	</profiles>
 
 	<dependencies>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+			<version>2.21.2</version>
+		</dependency>
+
 		<dependency>
 			<groupId>com.google.code.findbugs</groupId>
 			<artifactId>annotations</artifactId>

@@ -3,6 +3,7 @@
 import static com.google.common.truth.Truth.assertThat;
 
 import com.jayway.jsonpath.TypeRef;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -69,6 +70,11 @@ void setUp() {
 		MeasureConfigs.initMeasureConfigs(MeasureConfigs.TEST_MEASURE_DATA);
 	}
 
+	@AfterEach
+	void tearDown() {
+		MeasureConfigs.initMeasureConfigs(MeasureConfigs.DEFAULT_MEASURE_DATA_FILE_NAME);
+	}
+
 	@Test
 	void testMeasureIdIsEncoded() {
 		executeInternalEncode();

@@ -6,7 +6,7 @@
 
 	<groupId>gov.cms.qpp.conversion</groupId>
 	<artifactId>generateRaceCpcPlus</artifactId>
-	<version>2026.03.31.01-RELEASE</version>
+	<version>2026.05.01.01-RELEASE</version>
 	<name>generate-race-cpcplus</name>
 	<packaging>jar</packaging>
 
@@ -56,6 +56,11 @@
 	</build>
 
 	<dependencies>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+			<version>2.21.2</version>
+		</dependency>
 		<dependency>
 			<groupId>org.jdom</groupId>
 			<artifactId>jdom2</artifactId>

@@ -5,7 +5,7 @@
 	<parent>
 		<artifactId>qpp-conversion-tool-parent</artifactId>
 		<groupId>gov.cms.qpp.conversion</groupId>
-		<version>2026.03.31.01-RELEASE</version>
+		<version>2026.05.01.01-RELEASE</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
@@ -57,6 +57,12 @@
 	</build>
 
 	<dependencies>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+			<version>2.21.2</version>
+		</dependency>
+
 		<!-- runtime/plugin deps -->
 		<dependency>
 			<groupId>com.github.spullara.mustache.java</groupId>