Merge pull request 'Update Repository Manager to 3.70.3-01' (#9) from 3.70.3-01 into master

Reviewed-on: #9

.drone.yml

@@ -0,0 +1,58 @@
+kind: pipeline
+type: docker
+name: nexus3_Build
+platform:
+  arch: arm64
+
+steps:
+- name: dryrun-nexus3-build
+  image: plugins/docker
+  settings:
+    repo:
+      from_secret: docker_repo
+    registry:
+      from_secret: docker_regst
+    dockerfile: Dockerfile.rh.ubi
+    insecure: true
+    auto_tag: true
+    dry_run: true
+    when:
+      branch:
+        exclude:
+        - master
+
+- name: docker-build-push
+  image: plugins/docker
+  settings:
+    repo:
+      from_secret: docker_repo
+    username:
+      from_secret: docker_user
+    password:
+      from_secret: docker_pass
+    registry:
+      from_secret: docker_regst
+    cache_from:
+      from_secret: docker_repo
+    dockerfile: Dockerfile
+    auto_tag: true
+    insecure: true
+    when:
+      event:
+      - push
+      - tag
+
+- name: send build notification
+  image: appleboy/drone-telegram
+  settings:
+    token:
+      from_secret: TELE_TOKEN
+    to:
+      from_secret : TELE_GID
+    message: "{{#success build.status}} ✅  Build #{{build.number}} of `{{repo.name}}` succeeded.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{else}} ❌  Build #{{build.number}} of `{{repo.name}}` failed.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{/success}}\n\n timecost: {{since build.started}}\n"
+    when:
+      branch:
+      - master
+      event:
+      - push
+      - tag

.github/workflows/docker-image.yml

@@ -0,0 +1,46 @@
+name: Docker Image CI
+
+on:
+    push:
+        branches: ['main']
+    pull_request:
+        branches: ['main']
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Determine Version
+              run: echo "NXRM_VERSION=$(grep release Dockerfile  | cut -d "=" -f2 | tr -d '" \')" >> $GITHUB_ENV
+
+            - run: echo "Building NXRM ${{ env.NXRM_VERSION }} for ARM"
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to Docker Hub
+              uses: docker/login-action@v3
+              with:
+                  username: ${{ secrets.REGISTRY_USERNAME }}
+                  password: ${{ secrets.REGISTRY_TOKEN }}
+
+            - name: Build and push Java 8
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: ./Dockerfile
+                  platforms: linux/arm64,linux/amd64
+                  push: true
+                  tags: sonatypecommunity/nexus3:latest , sonatypecommunity/nexus3:${{ env.NXRM_VERSION }}
+
+            - name: Build and push Java 11
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: ./Dockerfile.java11
+                  platforms: linux/arm64,linux/amd64
+                  push: true
+                  tags: sonatypecommunity/nexus3:${{ env.NXRM_VERSION }}-java11

.github/workflows/sync-upstream.yml

@@ -0,0 +1,17 @@
+name: Sync Fork
+
+on:
+  schedule:
+    - cron: '0 */5 * * *' # every 5 hours
+  workflow_dispatch: # on button click
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: tgymnich/fork-sync@v1.8
+        with:
+          token: ${{ secrets.PERSONAL_TOKEN }}
+          owner: sonatype
+          base: main
+          head: main

CONTRIBUTORS.md

@@ -1,6 +1,11 @@
 <!--
 
-	Copyright (c) 2016-present Sonatype, Inc.
+    Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+<!--
 
 	Licensed under the Apache License, Version 2.0 (the "License");
 	you may not use this file except in compliance with the License.
@@ -14,6 +19,8 @@
 	See the License for the specific language governing permissions and
 	limitations under the License.
 
+-->
+
 -->
 A lot of awesome people have contributed to this project! Here they are:
 

Dockerfile

@@ -1,5 +1,9 @@
-# Copyright (c) 2016-present Sonatype, Inc.
 #
+# Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+# Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+# "Sonatype" is a trademark of Sonatype, Inc.
+#
+
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -12,16 +16,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.access.redhat.com/ubi8/ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal
 
-LABEL vendor=Sonatype \
-      maintainer="Sonatype <cloud-ops@sonatype.com>" \
+LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
+      vendor=Sonatype \
+      version="3.70.3-01" \
+      release="3.70.3" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
       com.sonatype.license="Apache License, Version 2.0" \
-      com.sonatype.name="Nexus Repository Manager base image"
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.20.1-01
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=fba9953e70e2d53262d2bd953e5fbab3e44cf2965467df14a665b0752de30e51
+ARG NEXUS_VERSION=3.70.3-01
+ARG JAVA_VERSION=java8
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=3b68afab87f83a91312c74856e2cd04c220782e99f2642d974e8c37d34af61e9
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -31,31 +53,44 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
+# Install Java & tar
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+    java-1.8.0-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
 
-ADD solo.json.erb /var/chef/solo.json.erb
+WORKDIR ${SONATYPE_DIR}
 
-# Install using chef-solo
-# Chef version locked to avoid needing to accept the EULA on behalf of whomever builds the image
-RUN yum install -y --disableplugin=subscription-manager hostname procps \
-    && curl -L https://www.getchef.com/chef/install.sh | bash -s -- -v 14.12.9 \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
-    && rm -rf /var/cache/yum \
-    && rm -rf /var/chef \
-    && yum clean all
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN microdnf remove -y shadow-utils
+#RUN microdnf remove -y gzip shadow-utils
 
 VOLUME ${NEXUS_DATA}
 
 EXPOSE 8081
 USER nexus
 
-ENV INSTALL4J_ADD_VM_PARAMS="-Xms1200m -Xmx1200m -XX:MaxDirectMemorySize=2g -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.alpine.java11

@@ -0,0 +1,92 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine
+
+LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
+      vendor=Sonatype \
+      version="3.70.1-02" \
+      release="3.70.1" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.70.1-02
+ARG JAVA_VERSION=java11
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=38c6f81d78c2f6ae461f491d9321d36e98ff2e19eee365270d9bc92377d36588
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='alpine'
+
+# Install Java & tar
+RUN apk add openjdk11 tar procps gzip curl shadow \
+    && apk cache clean \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+RUN apk del --no-cache openssl || true
+RUN apk update && apk add --no-cache openssl
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN apk del gzip shadow
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.alpine.java17

@@ -0,0 +1,92 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM alpine
+
+LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
+      vendor=Sonatype \
+      version="3.71.0-06" \
+      release="3.71.0" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.71.0-06
+ARG JAVA_VERSION=java17
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='alpine'
+
+# Install Java & tar
+RUN apk add openjdk17 tar procps gzip curl shadow \
+    && apk cache clean \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+RUN apk del --no-cache openssl || true
+RUN apk update && apk add --no-cache openssl
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN apk del gzip shadow
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.java11

@@ -0,0 +1,91 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
+      vendor=Sonatype \
+      version="3.70.1-02" \
+      release="3.70.1" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.70.1-02
+ARG JAVA_VERSION=java11
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=38c6f81d78c2f6ae461f491d9321d36e98ff2e19eee365270d9bc92377d36588
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='rh-docker'
+
+# Install Java & tar
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+    java-11-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+    && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN microdnf remove -y shadow-utils
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.java17

@@ -0,0 +1,91 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
+      vendor=Sonatype \
+      version="3.71.0-06" \
+      release="3.71.0" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.71.0-06
+ARG JAVA_VERSION=java17
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6 
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='rh-docker'
+
+# Install Java & tar
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-17-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+RUN microdnf remove -y gzip shadow-utils
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.centos

@@ -14,12 +14,11 @@
 
 FROM centos:centos7
 
-MAINTAINER Sonatype <cloud-ops@sonatype.com>
-
 LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
       vendor=Sonatype \
-      version="3.20.1-01" \
-      release="3.20.1" \
+      version="3.70.3-01" \
+      release="3.70.3" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -37,9 +36,10 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.20.1-01
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=fba9953e70e2d53262d2bd953e5fbab3e44cf2965467df14a665b0752de30e51
+ARG NEXUS_VERSION=3.70.3-01
+ARG JAVA_VERSION=java8
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=3b68afab87f83a91312c74856e2cd04c220782e99f2642d974e8c37d34af61e9
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -49,31 +49,52 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
-
-ADD solo.json.erb /var/chef/solo.json.erb
-
-# Install using chef-solo
-RUN curl -L https://www.getchef.com/chef/install.sh | bash \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --node_name nexus_repository_red_hat_docker_build \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rpm --rebuilddb \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
+# Install java & setup user
+RUN yum install -y java-1.8.0-openjdk-headless \
+    && yum clean all \
     && rm -rf /var/cache/yum \
-    && rm -rf /var/chef
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
 
 VOLUME ${NEXUS_DATA}
 
 EXPOSE 8081
 USER nexus
 
-ENV INSTALL4J_ADD_VM_PARAMS="-Xms1200m -Xmx1200m -XX:MaxDirectMemorySize=2g -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
 ENTRYPOINT ["/uid_entrypoint.sh"]
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.el

@@ -14,12 +14,11 @@
 
 FROM registry.access.redhat.com/rhel7/rhel
 
-MAINTAINER Sonatype <cloud-ops@sonatype.com>
-
 LABEL name="Nexus Repository Manager" \
+      maintainer="Sonatype <support@sonatype.com>" \
       vendor=Sonatype \
-      version="3.20.1-01" \
-      release="3.20.1" \
+      version="3.70.3-01" \
+      release="3.70.3" \
       url="https://sonatype.com" \
       summary="The Nexus Repository Manager server \
           with universal support for popular component formats." \
@@ -37,9 +36,10 @@ LABEL name="Nexus Repository Manager" \
       io.openshift.expose-services="8081:8081" \
       io.openshift.tags="Sonatype,Nexus,Repository Manager"
 
-ARG NEXUS_VERSION=3.20.1-01
-ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
-ARG NEXUS_DOWNLOAD_SHA256_HASH=fba9953e70e2d53262d2bd953e5fbab3e44cf2965467df14a665b0752de30e51
+ARG NEXUS_VERSION=3.70.3-01
+ARG JAVA_VERSION=java8
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=3b68afab87f83a91312c74856e2cd04c220782e99f2642d974e8c37d34af61e9
 
 # configure nexus runtime
 ENV SONATYPE_DIR=/opt/sonatype
@@ -49,31 +49,52 @@ ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
     SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
     DOCKER_TYPE='rh-docker'
 
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20190212-155606.d1afdfe"
-ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"
-
-ADD solo.json.erb /var/chef/solo.json.erb
-
-# Install using chef-solo
-RUN curl -L https://www.getchef.com/chef/install.sh | bash \
-    && /opt/chef/embedded/bin/erb /var/chef/solo.json.erb > /var/chef/solo.json \
-    && chef-solo \
-       --node_name nexus_repository_red_hat_docker_build \
-       --recipe-url ${NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL} \
-       --json-attributes /var/chef/solo.json \
-    && rpm -qa *chef* | xargs rpm -e \
-    && rpm --rebuilddb \
-    && rm -rf /etc/chef \
-    && rm -rf /opt/chefdk \
+# Install java & setup user
+RUN yum install -y java-1.8.0-openjdk-headless \
+    && yum clean all \
     && rm -rf /var/cache/yum \
-    && rm -rf /var/chef
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
 
 VOLUME ${NEXUS_DATA}
 
 EXPOSE 8081
 USER nexus
 
-ENV INSTALL4J_ADD_VM_PARAMS="-Xms1200m -Xmx1200m -XX:MaxDirectMemorySize=2g -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
 
 ENTRYPOINT ["/uid_entrypoint.sh"]
-CMD ["sh", "-c", "${SONATYPE_DIR}/start-nexus-repository-manager.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.ubi

@@ -0,0 +1,104 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Nexus Repository Manager" \
+      vendor=Sonatype \
+      maintainer="Sonatype <support@sonatype.com>" \
+      version="3.70.3-01" \
+      release="3.70.3" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.70.3-01
+ARG JAVA_VERSION=java8
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=3b68afab87f83a91312c74856e2cd04c220782e99f2642d974e8c37d34af61e9
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='rh-docker'
+
+# Install java & setup user
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-1.8.0-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+# Cleanup
+RUN microdnf remove -y shadow-utils
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+ENTRYPOINT ["/uid_entrypoint.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.ubi.java11

@@ -0,0 +1,104 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Nexus Repository Manager" \
+      vendor=Sonatype \
+      maintainer="Sonatype <support@sonatype.com>" \
+      version="3.70.1-02" \
+      release="3.70.1" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.70.1-02
+ARG JAVA_VERSION=java11
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=38c6f81d78c2f6ae461f491d9321d36e98ff2e19eee365270d9bc92377d36588
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='rh-docker'
+
+# Install java & setup user
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-11-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-${JAVA_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+# Cleanup
+RUN microdnf remove -y gzip shadow-utils
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+ENTRYPOINT ["/uid_entrypoint.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Dockerfile.rh.ubi.java17

@@ -0,0 +1,103 @@
+# Copyright (c) 2016-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+LABEL name="Nexus Repository Manager" \
+      vendor=Sonatype \
+      maintainer="Sonatype <support@sonatype.com>" \
+      version="3.71.0-06" \
+      release="3.71.0" \
+      url="https://sonatype.com" \
+      summary="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      run="docker run -d --name NAME \
+          -p 8081:8081 \
+          IMAGE" \
+      stop="docker stop NAME" \
+      com.sonatype.license="Apache License, Version 2.0" \
+      com.sonatype.name="Nexus Repository Manager base image" \
+      io.k8s.description="The Nexus Repository Manager server \
+          with universal support for popular component formats." \
+      io.k8s.display-name="Nexus Repository Manager" \
+      io.openshift.expose-services="8081:8081" \
+      io.openshift.tags="Sonatype,Nexus,Repository Manager"
+
+ARG NEXUS_VERSION=3.71.0-06
+ARG NEXUS_DOWNLOAD_URL=https://download.sonatype.com/nexus/3/nexus-${NEXUS_VERSION}-unix.tar.gz
+ARG NEXUS_DOWNLOAD_SHA256_HASH=b025287558184677fc231035c9f5e5e6cc4bc1cafd76d13a06233a4ed09d08f6 
+
+# configure nexus runtime
+ENV SONATYPE_DIR=/opt/sonatype
+ENV NEXUS_HOME=${SONATYPE_DIR}/nexus \
+    NEXUS_DATA=/nexus-data \
+    NEXUS_CONTEXT='' \
+    SONATYPE_WORK=${SONATYPE_DIR}/sonatype-work \
+    DOCKER_TYPE='rh-docker'
+
+# Install java & setup user
+RUN microdnf update -y \
+    && microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
+          java-17-openjdk-headless tar procps shadow-utils gzip \
+    && microdnf clean all \
+    && groupadd --gid 200 -r nexus \
+    && useradd --uid 200 -r nexus -g nexus -s /bin/false -d /opt/sonatype/nexus -c 'Nexus Repository Manager user'
+
+# Red Hat Certified Container commands
+COPY rh-docker /
+RUN usermod -a -G root nexus \
+    && chmod -R 0755 /licenses \
+    && chmod 0755 /help.1 \
+    && chmod 0755 /uid_entrypoint.sh \
+    && chmod 0755 /uid_template.sh \
+    && bash /uid_template.sh \
+    && chmod 0664 /etc/passwd
+
+WORKDIR ${SONATYPE_DIR}
+
+# Download nexus & setup directories
+RUN curl -L ${NEXUS_DOWNLOAD_URL} --output nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && echo "${NEXUS_DOWNLOAD_SHA256_HASH} nexus-${NEXUS_VERSION}-unix.tar.gz" > nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && sha256sum -c nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && tar -xvf nexus-${NEXUS_VERSION}-unix.tar.gz \
+    && rm -f nexus-${NEXUS_VERSION}-unix.tar.gz nexus-${NEXUS_VERSION}-unix.tar.gz.sha256 \
+    && mv nexus-${NEXUS_VERSION} $NEXUS_HOME \
+    && chown -R nexus:nexus ${SONATYPE_WORK} \
+    && mv ${SONATYPE_WORK}/nexus3 ${NEXUS_DATA} \
+    && ln -s ${NEXUS_DATA} ${SONATYPE_WORK}/nexus3
+
+# Removing java memory settings from nexus.vmoptions since now we use INSTALL4J_ADD_VM_PARAMS
+RUN sed -i '/^-Xms/d;/^-Xmx/d;/^-XX:MaxDirectMemorySize/d' $NEXUS_HOME/bin/nexus.vmoptions
+
+# Legacy start script
+RUN echo "#!/bin/bash" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "cd /opt/sonatype/nexus" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && echo "exec ./bin/nexus run" >> ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && chmod a+x ${SONATYPE_DIR}/start-nexus-repository-manager.sh \
+   && sed -e '/^nexus-context/ s:$:${NEXUS_CONTEXT}:' -i ${NEXUS_HOME}/etc/nexus-default.properties
+
+# Cleanup
+RUN microdnf remove -y gzip shadow-utils
+
+VOLUME ${NEXUS_DATA}
+
+EXPOSE 8081
+USER nexus
+
+ENV INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs"
+
+ENTRYPOINT ["/uid_entrypoint.sh"]
+CMD ["/opt/sonatype/nexus/bin/nexus", "run"]

Jenkinsfile

@@ -1,26 +1,17 @@
 /*
  * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
- * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
  * "Sonatype" is a trademark of Sonatype, Inc.
  */
-@Library('ci-pipeline-library') _
+@Library(['private-pipeline-library', 'jenkins-shared']) _
 import com.sonatype.jenkins.pipeline.GitHub
 import com.sonatype.jenkins.pipeline.OsTools
-
-properties([
-  parameters([
-    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
-    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
-
-    string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
-  ])
-])
+import com.sonatype.jenkins.shared.Expectation
 
 node('ubuntu-zion') {
-  def commitId, commitDate, version, imageId, branch, dockerFileLocations
+  def commitId, commitDate, imageId, branch
   def organization = 'sonatype',
       gitHubRepository = 'docker-nexus3',
-      credentialsId = 'integrations-github-api',
       imageName = 'sonatype/nexus3',
       archiveName = 'docker-nexus3',
       dockerHubRepository = 'nexus3'
@@ -29,45 +20,24 @@ node('ubuntu-zion') {
   try {
     stage('Preparation') {
       deleteDir()
-      OsTools.runSafe(this, "docker system prune -a -f")
+      OsTools.runSafe(this, 'docker system prune -a -f')
 
       def checkoutDetails = checkout scm
 
-      dockerFileLocations = [
-        "${pwd()}/Dockerfile",
-        "${pwd()}/Dockerfile.rh.centos",
-        "${pwd()}/Dockerfile.rh.el"
-      ]
-
-      branch = checkoutDetails.GIT_BRANCH == 'origin/master' ? 'master' : checkoutDetails.GIT_BRANCH
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
       commitId = checkoutDetails.GIT_COMMIT
       commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
 
       OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
       OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
 
-      version = readVersion()
-
       def apiToken
-      withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
-                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
-        apiToken = env.GITHUB_API_PASSWORD
+     withCredentials([usernamePassword(credentialsId: 'jenkins-github',
+                                               usernameVariable: 'GITHUB_APP',
+                                               passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
+        apiToken = env.GITHUB_ACCESS_TOKEN
       }
       gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)
-
-      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
-        stage('Update Repository Manager Version') {
-          OsTools.runSafe(this, "git checkout ${branch}")
-          dockerFileLocations.each { updateRepositoryManagerVersion(it) }
-          version = getShortVersion(params.nexus_repository_manager_version)
-        }
-      }
-      if (params.nexus_repository_manager_cookbook_version) {
-        stage('Update Repository Manager Cookbook Version') {
-          OsTools.runSafe(this, "git checkout ${branch}")
-          dockerFileLocations.each { updateRepositoryCookbookVersion(it) }
-        }
-      }
     }
     stage('Build') {
       gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
@@ -85,149 +55,44 @@ node('ubuntu-zion') {
     stage('Test') {
       gitHub.statusUpdate commitId, 'pending', 'test', 'Tests are running'
 
-      def gemInstallDirectory = getGemInstallDirectory()
-      withEnv(["PATH+GEMS=${gemInstallDirectory}/bin"]) {
-        OsTools.runSafe(this, "gem install --user-install rspec")
-        OsTools.runSafe(this, "gem install --user-install serverspec")
-        OsTools.runSafe(this, "gem install --user-install docker-api")
-        OsTools.runSafe(this, "IMAGE_ID=${imageId} rspec --backtrace spec/Dockerfile_spec.rb")
-      }
+      validateExpectations([
+        new Expectation('Has user nexus in group nexus present',
+            'id', '-ng nexus', 'nexus'),
+        new Expectation('Has nexus user java process present',
+            'ps', '-e -o command,user | grep -q ^/usr/lib/jvm/java.*nexus$ | echo $?', '0')
+      ])
 
       if (currentBuild.result == 'FAILURE') {
         gitHub.statusUpdate commitId, 'failure', 'test', 'Tests failed'
         return
-      } else {
-        gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
       }
+
+      gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
     }
+
+    stage('Evaluate Policies') {
+      runEvaluation({ stage ->
+        nexusPolicyEvaluation(
+          iqStage: stage,
+          iqApplication: 'docker-nexus3',
+          iqScanPatterns: [[scanPattern: "container:${imageName}"]],
+          failBuildOnNetworkError: true,
+        )}, (branch == 'main') ? 'build' : 'develop')
+    }
+
     if (currentBuild.result == 'FAILURE') {
       return
     }
-    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha 
-          || params.nexus_repository_manager_cookbook_version) {
-      stage('Commit Automated Code Update') {
-        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'integrations-github-api',
-                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
-          def commitMessage = [
-            params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha ?
-                "Update Repository Manager to ${params.nexus_repository_manager_version}." : "",
-            params.nexus_repository_manager_cookbook_version ?
-                "Update Repository Manager Cookbook to ${params.nexus_repository_manager_cookbook_version}." : ""
-          ].findAll({ it }).join(' ')
-          OsTools.runSafe(this, """
-            git add .
-            git commit -m '${commitMessage}'
-            git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
-          """)
-        }
-      }
-    }
+
     stage('Archive') {
       dir('build/target') {
         OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
         archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
       }
     }
-    if (branch != 'master') {
-      return
-    }
-    input 'Push image and tags?'
-    stage('Push image') {
-      def dockerhubApiToken
-      withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'docker-hub-credentials',
-          usernameVariable: 'DOCKERHUB_API_USERNAME', passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
-        OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")
-        OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
-        OsTools.runSafe(this, """
-          docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
-        """)
-        OsTools.runSafe(this, "docker push ${organization}/${dockerHubRepository}")
-
-        response = OsTools.runSafe(this, """
-          curl -X POST https://hub.docker.com/v2/users/login/ \
-            -H 'cache-control: no-cache' -H 'content-type: application/json' \
-            -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
-        """)
-        token = readJSON text: response
-        dockerhubApiToken = token.token
-
-        def readme = readFile file: 'README.md', encoding: 'UTF-8'
-        readme = readme.replaceAll("(?s)<!--.*?-->", "")
-        readme = readme.replace("\"", "\\\"")
-        readme = readme.replace("\n", "\\n")
-        response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
-            acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
-            requestBody: "{ \"full_description\": \"${readme}\" }",
-            url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"
-      }
-    }
-    stage('Push tags') {
-      withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentialsId,
-                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
-        OsTools.runSafe(this, "git tag ${version}")
-        OsTools.runSafe(this, """
-          git push \
-          https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
-            ${version}
-        """)
-      }
-      OsTools.runSafe(this, "git tag -d ${version}")
-    }
   } finally {
-    OsTools.runSafe(this, "docker logout")
-    OsTools.runSafe(this, "docker system prune -a -f")
-    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/master')
+    OsTools.runSafe(this, 'docker logout')
+    OsTools.runSafe(this, 'docker system prune -a -f')
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
   }
 }
-
-def readVersion() {
-  def content = readFile 'Dockerfile'
-  for (line in content.split('\n')) {
-    if (line.startsWith('ARG NEXUS_VERSION=')) {
-      return getShortVersion(line.substring(18))
-    }
-  }
-  error 'Could not determine version.'
-}
-
-def getShortVersion(version) {
-  return version.split('-')[0]
-}
-
-def getGemInstallDirectory() {
-  def content = OsTools.runSafe(this, "gem env")
-  for (line in content.split('\n')) {
-    if (line.startsWith('  - USER INSTALLATION DIRECTORY: ')) {
-      return line.substring(33)
-    }
-  }
-  error 'Could not determine user gem install directory.'
-}
-
-def updateRepositoryManagerVersion(dockerFileLocation) {
-  def dockerFile = readFile(file: dockerFileLocation)
-
-  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
-  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
-
-  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
-  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
-
-  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
-  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
-    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
-  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
-  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
-
-  writeFile(file: dockerFileLocation, text: dockerFile)
-}
-
-def updateRepositoryCookbookVersion(dockerFileLocation) {
-  def dockerFile = readFile(file: dockerFileLocation)
-
-  def cookbookVersionRegex = /(ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION=")(release-\d\.\d\.\d{8}\-\d{6}\.[a-z0-9]{7})(")/
-
-  dockerFile = dockerFile.replaceAll(cookbookVersionRegex, "\$1${params.nexus_repository_manager_cookbook_version}\$3")
-
-  writeFile(file: dockerFileLocation, text: dockerFile)
-}

Jenkinsfile-Internal-Release

@@ -0,0 +1,195 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+import com.sonatype.jenkins.pipeline.OsTools
+
+String OPENJDK17 = 'OpenJDK 17'
+List<String> javaVersions = [OPENJDK17]
+
+properties([
+    parameters([
+        string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
+        string(defaultValue: '', description: 'New Nexus Repository Manager URL (Optional)', name: 'nexus_repository_manager_url'),
+        choice(name: 'java_version', choices: javaVersions, description: 'Java version to run Nexus Repository Manager'),
+        booleanParam(defaultValue: false, description: 'Optional scan for policy violations', name: 'scan_for_policy_violations')
+    ])
+])
+
+node('ubuntu-zion') {
+  def commitId, commitDate, version, imageId, alpineImageId, branch
+  def imageName = 'sonatype/nexus3',
+      archiveName = 'docker-nexus3'
+
+  def JAVA_17 = 'java17'
+  def DOCKERFILE_JAVA_17 = 'Dockerfile.java17'
+  def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17'
+
+  def dockerfileMap = [
+    (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17]
+  ]
+  try {
+    stage('Preparation') {
+      deleteDir()
+      OsTools.runSafe(this, "docker system prune -a -f")
+
+      def checkoutDetails = checkout scm
+
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
+      commitId = checkoutDetails.GIT_COMMIT
+      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
+
+      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
+      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
+
+      version = readVersion()
+
+      if (params.nexus_repository_manager_version) {
+        stage('Update Repository Manager Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerfileMap[OPENJDK17].each { dockerfile ->
+            updateRepositoryManagerVersion("${pwd()}/${dockerfile}", JAVA_17)
+            }
+          version = getShortVersion(params.nexus_repository_manager_version)
+        }
+      }
+    }
+    def dockerfilePath = dockerfileMap[OPENJDK17][0]
+    def alpineDockerfilePath = dockerfileMap[OPENJDK17][1]
+
+    stage('Build UBI Image') {
+      def baseImage = extractBaseImage(dockerfilePath)
+      def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
+      def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
+      def baseImageReferenceStr = baseImageReference.getReference()
+      def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
+      imageId = hash.split(':')[1]
+    }
+    stage('Build Alpine Image') {
+      def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
+      alpineImageId = hash.split(':')[1]
+    }
+
+    if (params.scan_for_policy_violations) {
+      stage('Evaluate Policies') {
+        def imagesToScan = [
+          [name: 'docker-nexus3', image: imageName],
+          [name: 'docker-nexus3-alpine', image: "${imageName}-alpine"]
+        ]
+
+        imagesToScan.each { imageConfig ->
+        runEvaluation({ stage ->
+          def iqApplicationName = imageConfig.name
+          def imageToScan = imageConfig.image
+
+          nexusPolicyEvaluation(
+            iqStage: stage,
+            iqApplication: iqApplicationName,
+            iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
+            failBuildOnNetworkError: false,
+            )
+          }, 'release')
+        }
+      }
+    }
+    if (currentBuild.result == 'FAILURE') {
+      return
+    }
+    stage('Archive') {
+      dir('build/target') {
+        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
+        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
+      }
+    }
+    if (branch == 'main') {
+      stage('Push image to RSC') {
+        withSonatypeDockerRegistry() {
+          // Tag Images
+          sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
+          sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
+          sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-ubi"
+          sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine"
+          sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-alpine"
+
+          // Push Images
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-ubi"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-java17-alpine"
+        }
+      }
+    }
+  } finally {
+    OsTools.runSafe(this, "docker logout")
+    OsTools.runSafe(this, "docker system prune -a -f")
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
+  }
+}
+
+def readVersion() {
+  def content = readFile 'Dockerfile.java17'
+  for (line in content.split('\n')) {
+    if (line.startsWith('ARG NEXUS_VERSION=')) {
+      return getShortVersion(line.substring(18))
+    }
+  }
+  error 'Could not determine version.'
+}
+
+def getShortVersion(version) {
+  return version.split('-')[0]
+}
+
+def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
+  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
+
+  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
+  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
+
+  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
+  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
+      "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
+
+  def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/
+  def nexusUrl = params.nexus_repository_manager_url
+  if (params.nexus_repository_manager_url) {
+    dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}")
+  }
+  else {
+    // default URL
+    def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/
+    dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}")
+
+    def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}")
+    nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version)
+    nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion)
+  }
+  def sha = getSha(nexusUrl)
+
+  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def getSha(url) {
+  def sha = sh (
+      script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1",
+      returnStdout: true
+  ).trim()
+  return sha
+}
+
+def extractBaseImage(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+  def baseImageRegex = "FROM\\s+([^\\s]+)"
+  def usedImages = dockerFile =~ baseImageRegex
+
+  return usedImages[0][1]
+}

Jenkinsfile-Internal-Release-OrientDB

@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+import com.sonatype.jenkins.pipeline.OsTools
+
+String OPENJDK8 = 'OpenJDK 8'
+String OPENJDK11 = 'OpenJDK 11'
+String OPENJDK17 = 'OpenJDK 17'
+List<String> javaVersions = [OPENJDK8, OPENJDK11, OPENJDK17]
+
+properties([
+    parameters([
+        string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
+        string(defaultValue: '', description: 'New Nexus Repository Manager URL (Optional)', name: 'nexus_repository_manager_url'),
+        choice(name: 'java_version', choices: javaVersions, description: 'Java version to run Nexus Repository Manager'),
+        booleanParam(defaultValue: false, description: 'Optional scan for policy violations', name: 'scan_for_policy_violations')
+    ])
+])
+
+node('ubuntu-zion') {
+  def commitId, commitDate, version, imageId, alpineImageId, branch
+  def imageName = 'sonatype/nexus3',
+      archiveName = 'docker-nexus3'
+
+  def JAVA_8 = 'java8'
+  def JAVA_11 = 'java11'
+  def JAVA_17 = 'java17'
+
+  def DOCKERFILE_JAVA_8 = 'Dockerfile'
+  def DOCKERFILE_JAVA_11 = 'Dockerfile.java11'
+  def DOCKERFILE_JAVA_17 = 'Dockerfile.java17'
+  def DOCKERFILE_ALPINE_JAVA_11 = 'Dockerfile.alpine.java11'
+  def DOCKERFILE_ALPINE_JAVA_17 = 'Dockerfile.alpine.java17'
+
+  def dockerfileMap = [
+    (OPENJDK8) : [DOCKERFILE_JAVA_8],
+    (OPENJDK11): [DOCKERFILE_JAVA_11, DOCKERFILE_ALPINE_JAVA_11],
+    (OPENJDK17): [DOCKERFILE_JAVA_17, DOCKERFILE_ALPINE_JAVA_17]
+  ]
+
+  try {
+    stage('Preparation') {
+      deleteDir()
+      OsTools.runSafe(this, "docker system prune -a -f")
+
+      def checkoutDetails = checkout scm
+
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
+      commitId = checkoutDetails.GIT_COMMIT
+      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
+
+      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
+      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
+
+      version = readVersion()
+
+      if (params.nexus_repository_manager_version) {
+        stage('Update Repository Manager Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerfileMap.each { javaVersion, dockerfiles ->
+            dockerfiles.each { dockerfile ->
+              updateRepositoryManagerVersion("${pwd()}/${dockerfile}", javaVersion)
+            }
+          }
+          version = getShortVersion(params.nexus_repository_manager_version)
+        }
+      }
+    }
+    def dockerfilePath = dockerfileMap[params.java_version][0]
+    def alpineDockerfilePath = params.java_version == OPENJDK8 ? null : dockerfileMap[params.java_version][1]
+
+    stage('Build UBI Image') {
+      def baseImage = extractBaseImage(dockerfilePath)
+      def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
+      def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
+      def baseImageReferenceStr = baseImageReference.getReference()
+      def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
+      imageId = hash.split(':')[1]
+    }
+    if (params.java_version != OPENJDK8) {
+      stage('Build Alpine Image') {
+        def hash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
+        alpineImageId = hash.split(':')[1]
+      }
+    }
+    if (params.scan_for_policy_violations) {
+      stage('Evaluate Policies') {
+        runEvaluation({ stage ->
+          def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine')
+          def iqApplicationName = isAlpine ? 'docker-nexus3-orientdb-alpine' : 'docker-nexus3-orientdb'
+          def imageToScan = isAlpine ? "${imageName}-alpine" : imageName
+
+          nexusPolicyEvaluation(
+            iqStage: stage,
+            iqApplication: iqApplicationName,
+            iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
+            failBuildOnNetworkError: true,
+          )
+        }, 'release')
+      }
+    }
+    if (currentBuild.result == 'FAILURE') {
+      return
+    }
+    stage('Archive') {
+      dir('build/target') {
+        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
+        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
+      }
+    }
+    stage('Push image to RSC') {
+      withSonatypeDockerRegistry() {
+        def javaVersionSuffixesMap = [
+            (OPENJDK8): JAVA_8,
+            (OPENJDK11): JAVA_11,
+            (OPENJDK17): JAVA_17
+        ]
+        def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version)
+
+        // Push UBI images
+        sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi"
+        sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-ubi"
+        if (params.java_version == OPENJDK8) {
+          sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-ubi"
+          // Create alias for the UBI image without the suffix
+          sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}"
+        }
+
+        // Push Alpine images
+        if (params.java_version != OPENJDK8) {
+          sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine"
+          sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-${javaVersionSuffix}-alpine"
+          if (params.java_version == OPENJDK11) {
+            sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/nexus3:${version}-alpine"
+          }
+        }
+      }
+    }
+  } finally {
+    OsTools.runSafe(this, "docker logout")
+    OsTools.runSafe(this, "docker system prune -a -f")
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
+  }
+}
+
+def readVersion() {
+  def content = readFile 'Dockerfile'
+  for (line in content.split('\n')) {
+    if (line.startsWith('ARG NEXUS_VERSION=')) {
+      return getShortVersion(line.substring(18))
+    }
+  }
+  error 'Could not determine version.'
+}
+
+def getShortVersion(version) {
+  return version.split('-')[0]
+}
+
+def updateRepositoryManagerVersion(dockerFileLocation, javaVersion) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
+  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
+
+  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
+  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
+
+  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
+  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
+      "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
+
+  def nexusUrlRegex = /(ARG NEXUS_DOWNLOAD_URL=)(.*)/
+  def nexusUrl = params.nexus_repository_manager_url
+  if (params.nexus_repository_manager_url) {
+    dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${params.nexus_repository_manager_url}")
+  }
+  else {
+    // default URL
+    def defaultUrl = /https:\/\/download-staging.sonatype.com\/nexus\/3\/nexus-\$\{NEXUS_VERSION\}-unix\.tar\.gz/
+    dockerFile = dockerFile.replaceAll(nexusUrlRegex, "\$1${defaultUrl}")
+
+    def normalizedUrl = "a".replaceAll(/./, "${defaultUrl}")
+    nexusUrl = normalizedUrl.replace("\${NEXUS_VERSION}", params.nexus_repository_manager_version)
+    nexusUrl = nexusUrl.replace("\${JAVA_VERSION}", javaVersion)
+  }
+  def sha = getSha(nexusUrl)
+
+  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${sha}")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def getSha(url) {
+  def sha = sh (
+      script: "curl -s -L ${url} | shasum -a 256 | cut -d' ' -f1",
+      returnStdout: true
+  ).trim()
+  return sha
+}
+
+def extractBaseImage(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+  def baseImageRegex = "FROM\\s+([^\\s]+)"
+  def usedImages = dockerFile =~ baseImageRegex
+
+  return usedImages[0][1]
+}

Jenkinsfile-PrismaCloud

@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) 2024-present Sonatype, Inc. All rights reserved.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+
+import com.sonatype.jenkins.pipeline.OsTools
+import groovy.json.JsonSlurper
+
+IQ_URL_BASE = "https://sonatype.sonatype.app/platform"
+REPO_BASE_URL = "https://repo.sonatype.com/service/rest"
+TARGET_REPO_NAME = "sonatype-sboms"
+CYCLONEDX_VERSION = "1.5"
+
+properties([
+    parameters([
+        string(name: 'BRANCH_TO_BUILD', defaultValue: '',
+            description: 'Branch the script will be loaded from'),
+        string(name: 'IMAGE_VERSION', defaultValue: '',
+            description: 'Version for the Docker image and NXRM. The result SBOMs will be tagged with this version.'),
+        string(name: 'UBI_IMAGE_TAG', defaultValue: '',
+            description: 'Tag of the UBI image to be scanned. Visit https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8')
+    ])
+])
+
+def getComponentSbom(String buildDir, String componentName, String componentVersion) {
+    def componentId = getComponentInfo(componentName).applications[0].id
+    withCredentials([usernamePassword(credentialsId: 'jenkins-saas-service-acct', usernameVariable: 'IQ_USER', passwordVariable: 'IQ_PASSWORD')]) {
+        def formats = ['spdx', 'cyclonedx']
+        formats.each { format ->
+            def urlPath = format == 'spdx' ? "spdx/${componentId}/stages/release?format=json" : "cycloneDx/${CYCLONEDX_VERSION}/${componentId}/stages/release"
+            sh "curl -s -L -u \$IQ_USER:\$IQ_PASSWORD -o '${buildDir}/${format}/${componentName}-${componentVersion}-${format}.json' -X GET -H 'Accept: application/json' '${IQ_URL_BASE}/api/v2/${urlPath}'"
+            sh "jq . ${buildDir}/${format}/${componentName}-${componentVersion}-${format}.json > ${buildDir}/${format}/${componentName}-${componentVersion}-${format}-formatted.json"
+            sh "mv ${buildDir}/${format}/${componentName}-${componentVersion}-${format}-formatted.json ${buildDir}/${format}/${componentName}-${componentVersion}-${format}.json"
+        }
+    }
+}
+
+def getComponentInfo(String componentName) {
+    def jsonSlurper = new JsonSlurper()
+    def response = null
+
+    withCredentials([
+        usernamePassword(
+            credentialsId: 'jenkins-saas-service-acct',
+            usernameVariable: 'IQ_USER',
+            passwordVariable: 'IQ_PASSWORD')
+    ]) {
+        def rawResponse = sh(returnStdout: true, script: "curl -s -u \$IQ_USER:\$IQ_PASSWORD -X GET '${IQ_URL_BASE}/api/v2/applications?publicId=${componentName}'")
+        response = jsonSlurper.parseText(rawResponse)
+    }
+    return response
+}
+
+def publishComponent(String buildDir, String componentName, String componentVersion) {
+    def publishCommand = """
+    curl -v -u \$NXRM_USER:\$NXRM_PASSWORD -X POST '${REPO_BASE_URL}/v1/components?repository=${TARGET_REPO_NAME}' \
+    -F 'raw.directory=/PrismaCloud/${componentName}/${componentVersion}/' \
+    -F 'raw.asset1=@${buildDir}/${componentName}-${componentVersion}-prisma-cloud-scan-results.json' \
+    -F 'raw.asset1.filename=${componentName}-${componentVersion}-prisma-cloud-scan-results.json'
+    """
+    withCredentials([
+        usernamePassword(
+            credentialsId: 'sonatype-sbom-deployer',
+            usernameVariable: 'NXRM_USER',
+            passwordVariable: 'NXRM_PASSWORD')
+    ]) {
+        sh(publishCommand)
+    }
+    // Publish the latest version tag
+    def latestPublishCommand = """
+    curl -v -u \$NXRM_USER:\$NXRM_PASSWORD -X POST '${REPO_BASE_URL}/v1/components?repository=${TARGET_REPO_NAME}' \
+    -F 'raw.directory=/PrismaCloud/${componentName}/latest/' \
+    -F 'raw.asset1=@${buildDir}/${componentName}-${componentVersion}-prisma-cloud-scan-results.json' \
+    -F 'raw.asset1.filename=${componentName}-latest-prisma-cloud-scan-results.json'
+    """
+    sh(latestPublishCommand)
+}
+
+def scanAndCopyResults(String image, String resultsFileName) {
+    prismaCloudScanImage(
+        ca: '',
+        cert: '',
+        dockerAddress: 'unix:///var/run/docker.sock',
+        ignoreImageBuildTime: true,
+        image: image,
+        key: '',
+        logLevel: 'debug',
+        podmanPath: '',
+        project: '',
+        resultsFile: "${env.buildDir}/${resultsFileName}"
+    )
+    sh "jq . ${env.buildDir}/${resultsFileName} > ${env.buildDir}/${resultsFileName}-formatted.json"
+    sh "mv ${env.buildDir}/${resultsFileName}-formatted.json ${env.buildDir}/${resultsFileName}"
+    sh "cp ${env.buildDir}/${resultsFileName} ${resultsFileName}"
+    sh "ls -la ${env.buildDir}"
+}
+
+pipeline {
+    agent any
+    environment {
+        buildDir = "./.sbom-build/job-${env.BUILD_NUMBER}"
+    }
+    stages {
+        stage('Checkout') {
+            steps {
+                git branch: params.BRANCH_TO_BUILD, url: 'https://github.com/sonatype/docker-nexus3.git'
+            }
+        }
+        stage('Build Image') {
+            steps {
+                script {
+                    runSafely("docker build -t docker-nexus3:${params.IMAGE_VERSION} .")
+                    // Tag the latest version
+                    runSafely("docker tag docker-nexus3:${params.IMAGE_VERSION} docker-nexus3:latest")
+                }
+            }
+        }
+        stage('Analyze Images with Prisma Cloud') {
+            steps {
+                script {
+                    sh "mkdir -p ${env.buildDir}/spdx && mkdir -p ${env.buildDir}/cyclonedx"
+                    echo "Analyzing docker-nexus3 image with Prisma Cloud"
+                    scanAndCopyResults("docker-nexus3:${params.IMAGE_VERSION}", "docker-nexus3-${params.IMAGE_VERSION}-prisma-cloud-scan-results.json")
+
+                    def ubiImage = "registry.access.redhat.com/ubi8/ubi-minimal:${params.UBI_IMAGE_TAG}"
+                    sh "docker pull ${ubiImage}"
+                    echo "Analyzing UBI image with Prisma Cloud"
+                    scanAndCopyResults(ubiImage, "ubi-minimal-${params.UBI_IMAGE_TAG}-prisma-cloud-scan-results.json")
+                }
+            }
+        }
+        stage('Publish Scan Results') {
+            steps {
+                script {
+                    publishComponent(env.buildDir, "docker-nexus3", params.IMAGE_VERSION)
+                    publishComponent(env.buildDir, "ubi-minimal", params.UBI_IMAGE_TAG)
+                }
+            }
+        }
+    }
+    post {
+        always {
+            prismaCloudPublish resultsFilePattern: "${env.buildDir}/docker-nexus3-${params.IMAGE_VERSION}-prisma-cloud-scan-results.json"
+            prismaCloudPublish resultsFilePattern: "${env.buildDir}/ubi-minimal-${params.UBI_IMAGE_TAG}-prisma-cloud-scan-results.json"
+
+            prismaCloudPublish resultsFilePattern: "docker-nexus3-${params.IMAGE_VERSION}-prisma-cloud-scan-results.json"
+            prismaCloudPublish resultsFilePattern: "ubi-minimal-${params.UBI_IMAGE_TAG}-prisma-cloud-scan-results.json"
+            archiveArtifacts artifacts: "docker-nexus3-${params.IMAGE_VERSION}-prisma-cloud-scan-results.json", fingerprint: true
+            archiveArtifacts artifacts: "ubi-minimal-${params.UBI_IMAGE_TAG}-prisma-cloud-scan-results.json", fingerprint: true
+
+            script {
+                OsTools.runSafe(this, "rm -rf '${env.buildDir}'")
+            }
+        }
+    }
+}

Jenkinsfile-Release

@@ -0,0 +1,312 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+import com.sonatype.jenkins.pipeline.GitHub
+import com.sonatype.jenkins.pipeline.OsTools
+import com.sonatype.jenkins.shared.Expectation
+
+String OPENJDK17 = 'OpenJDK 17'
+List<String> javaVersions = [OPENJDK17]
+properties([
+  parameters([
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
+    booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
+    booleanParam(defaultValue: false, description: 'Only update the latest tag', name: 'update_latest_only')
+  ])
+])
+
+node('ubuntu-zion') {
+  def commitId, commitDate, version, imageId, alpineImageId, branch
+  def organization = 'sonatype',
+      gitHubRepository = 'docker-nexus3',
+      credentialsId = 'jenkins-github',
+      imageName = 'sonatype/nexus3',
+      archiveName = 'docker-nexus3',
+      dockerHubRepository = 'nexus3'
+  GitHub gitHub
+
+  def JAVA_17 = 'java17'
+  dockerFileLocations = [
+    "${pwd()}/Dockerfile.java17",
+    "${pwd()}/Dockerfile.rh.ubi.java17",
+    "${pwd()}/Dockerfile.alpine.java17"
+  ]
+  try {
+    stage('Preparation') {
+      deleteDir()
+      OsTools.runSafe(this, "docker system prune -a -f")
+      def checkoutDetails = checkout scm
+
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
+      commitId = checkoutDetails.GIT_COMMIT
+      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
+
+      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
+      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
+
+      version = readVersion()
+
+      def apiToken
+      withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                        credentialsId: credentialsId,
+                        usernameVariable: 'GITHUB_API_USERNAME',
+                        passwordVariable: 'GITHUB_API_PASSWORD']]) {
+        apiToken = env.GITHUB_API_PASSWORD
+      }
+      gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)
+
+      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
+        stage('Update Repository Manager Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerFileLocations.each { updateRepositoryManagerVersion(it) }
+          version = getShortVersion(params.nexus_repository_manager_version)
+        }
+      }
+      if (params.nexus_repository_manager_cookbook_version) {
+        stage('Update Repository Manager Cookbook Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          dockerFileLocations.each { updateRepositoryCookbookVersion(it) }
+        }
+      }
+    }
+
+    stage('Build Images') {
+      gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
+      def dockerfilePath = 'Dockerfile.java17'
+      def baseImage = extractBaseImage(dockerfilePath)
+      def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
+      def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
+      def baseImageReferenceStr = baseImageReference.getReference()
+      def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
+      imageId = hash.split(':')[1]
+
+      // Build Alpine Image
+      def alpineDockerfilePath = 'Dockerfile.alpine.java17'
+      def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
+      alpineImageId = alpineHash.split(':')[1]
+
+      if (currentBuild.result == 'FAILURE') {
+        gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed'
+        return
+      } else {
+        gitHub.statusUpdate commitId, 'success', 'build', 'Build succeeded'
+      }
+    }
+
+    stage('Test') {
+      gitHub.statusUpdate commitId, 'pending', 'test', 'Tests are running'
+      validateExpectations([
+        new Expectation('Has user nexus in group nexus present',
+            'id', '-ng nexus', 'nexus'),
+        new Expectation('Has nexus user java process present',
+            'ps', '-e -o command,user | grep -q ^/usr/lib/jvm/java.*nexus$ | echo $?', '0')
+      ])
+      if (currentBuild.result == 'FAILURE') {
+        gitHub.statusUpdate commitId, 'failure', 'test', 'Tests failed'
+        return
+      } else {
+        gitHub.statusUpdate commitId, 'success', 'test', 'Tests succeeded'
+      }
+    }
+
+    stage('Evaluate Policies') {
+      def imagesToScan = [
+          [name: 'docker-nexus3', image: imageName],
+          [name: 'docker-nexus3-alpine', image: "${imageName}-alpine"]
+      ]
+
+      imagesToScan.each { imageConfig ->
+        runEvaluation({ stage ->
+          def iqApplicationName = imageConfig.name
+          def imageToScan = imageConfig.image
+
+          nexusPolicyEvaluation(
+            iqStage: stage,
+            iqApplication: iqApplicationName,
+            iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
+            failBuildOnNetworkError: true,
+          )
+        }, 'release')
+      }
+    }
+    if (currentBuild.result == 'FAILURE') {
+          return
+    }
+
+    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha
+          || params.nexus_repository_manager_cookbook_version) {
+      stage('Commit Automated Code Update') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'jenkins-github',
+                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          def commitMessage = [
+            params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha ?
+                "Update Repository Manager to ${params.nexus_repository_manager_version}." : "",
+            params.nexus_repository_manager_cookbook_version ?
+                "Update Repository Manager Cookbook to ${params.nexus_repository_manager_cookbook_version}." : ""
+          ].findAll({ it }).join(' ')
+
+          if (!params.update_latest_only) {
+            OsTools.runSafe(this, """
+              git add .
+              git commit -m '${commitMessage}'
+              git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
+            """)
+          }
+        }
+      }
+    }
+    stage('Archive') {
+      dir('build/target') {
+        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
+        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
+      }
+    }
+    if (branch == 'main' && !params.skip_push && !params.update_latest_only) {
+      input 'Push image and tags?'
+      stage('Push image') {
+        def dockerhubApiToken
+
+        withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                          credentialsId: 'docker-hub-credentials',
+                          usernameVariable: 'DOCKERHUB_API_USERNAME',
+                          passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
+
+          // Push UBI image
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-ubi")
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-java17-ubi")
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
+
+          // Push Alpine Image
+          OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine")
+          OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-java17-alpine")
+
+          OsTools.runSafe(this, """
+            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
+          """)
+
+          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
+
+          response = OsTools.runSafe(this, """
+            curl -X POST https://hub.docker.com/v2/users/login/ \
+              -H 'cache-control: no-cache' -H 'content-type: application/json' \
+              -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
+          """)
+          token = readJSON text: response
+          dockerhubApiToken = token.token
+
+          def readme = readFile file: 'README.md', encoding: 'UTF-8'
+          readme = readme.replaceAll("(?s)<!--.*?-->", "")
+          readme = readme.replace("\"", "\\\"")
+          readme = readme.replace("\n", "\\n")
+          response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
+              acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
+              requestBody: "{ \"full_description\": \"${readme}\" }",
+              url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"
+
+          // push to internal repos
+          withSonatypeDockerRegistry() {
+            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
+            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi"
+            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi"
+            sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine"
+            sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine"
+
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine"
+          }
+        }
+      }
+      stage('Push tags') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                          credentialsId: credentialsId,
+                          usernameVariable: 'GITHUB_API_USERNAME',
+                          passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "git tag ${version}")
+          OsTools.runSafe(this, """
+            git push \
+            https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
+              ${version}
+          """)
+        }
+        OsTools.runSafe(this, "git tag -d ${version}")
+      }
+    }
+    else if(params.update_latest_only) {
+      stage('Push tags') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                          credentialsId: 'docker-hub-credentials',
+                          usernameVariable: 'DOCKERHUB_API_USERNAME',
+                          passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
+          OsTools.runSafe(this, """
+            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
+          """)
+          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
+        }
+      }
+    }
+  } finally {
+    OsTools.runSafe(this, "docker logout")
+    OsTools.runSafe(this, "docker system prune -a -f")
+    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
+  }
+}
+
+def readVersion() {
+  def content = readFile 'Dockerfile.java17'
+  for (line in content.split('\n')) {
+    if (line.startsWith('ARG NEXUS_VERSION=')) {
+      return getShortVersion(line.substring(18))
+    }
+  }
+  error 'Could not determine version.'
+}
+
+def getShortVersion(version) {
+  return version.split('-')[0]
+}
+
+def updateRepositoryManagerVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
+  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
+
+  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
+  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
+
+  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
+  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
+    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
+  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def updateRepositoryCookbookVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def cookbookVersionRegex = /(ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION=")(release-\d\.\d\.\d{8}\-\d{6}\.[a-z0-9]{7})(")/
+
+  dockerFile = dockerFile.replaceAll(cookbookVersionRegex, "\$1${params.nexus_repository_manager_cookbook_version}\$3")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def extractBaseImage (dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+  def baseImageRegex = "FROM\\s+([^\\s]+)"
+  def usedImages = dockerFile =~ baseImageRegex
+
+  return usedImages[0][1]
+}

Jenkinsfile-Release-OrientDB

@@ -0,0 +1,330 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+import com.sonatype.jenkins.pipeline.GitHub
+import com.sonatype.jenkins.pipeline.OsTools
+import com.sonatype.jenkins.shared.Expectation
+
+String OPENJDK8 = 'OpenJDK 8'
+String OPENJDK11 = 'OpenJDK 11'
+String OPENJDK17 = 'OpenJDK 17'
+List<String> javaVersions = [OPENJDK8, OPENJDK11, OPENJDK17]
+
+properties([
+  parameters([
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
+    string(defaultValue: '', description: 'New Nexus Repository Manager Cookbook Version', name: 'nexus_repository_manager_cookbook_version'),
+    choice(name: 'java_version', choices: javaVersions, description: 'Java version to run Nexus Repository Manager'),
+    booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
+  ])
+])
+
+node('ubuntu-zion') {
+  def commitId, commitDate, version, branch, dockerFileLocations, dockerJava11FileLocations, dockerJava17FileLocations
+  def organization = 'sonatype',
+      gitHubRepository = 'docker-nexus3',
+      credentialsId = 'jenkins-github',
+      imageName = 'sonatype/nexus3',
+      archiveName = 'docker-nexus3',
+      dockerHubRepository = 'nexus3'
+  GitHub gitHub
+
+  def JAVA_8 = 'java8'
+  def JAVA_11 = 'java11'
+  def JAVA_17 = 'java17'
+  def alpineDockerfilePath
+
+  try {
+    stage('Preparation') {
+      deleteDir()
+      OsTools.runSafe(this, "docker system prune -a -f")
+
+      def checkoutDetails = checkout scm
+
+      dockerFileLocations = [
+        "${pwd()}/Dockerfile",
+        "${pwd()}/Dockerfile.rh.centos",
+        "${pwd()}/Dockerfile.rh.el",
+        "${pwd()}/Dockerfile.rh.ubi"
+      ]
+
+      dockerJava11FileLocations = [
+          "${pwd()}/Dockerfile.java11",
+          "${pwd()}/Dockerfile.rh.ubi.java11",
+          "${pwd()}/Dockerfile.alpine.java11"
+      ]
+
+      dockerJava17FileLocations = [
+          "${pwd()}/Dockerfile.java17",
+          "${pwd()}/Dockerfile.rh.ubi.java17",
+          "${pwd()}/Dockerfile.alpine.java17"
+      ]
+
+      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
+      commitId = checkoutDetails.GIT_COMMIT
+      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")
+
+      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
+      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')
+
+      version = readVersion()
+
+      def apiToken
+      withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                        credentialsId: credentialsId,
+                        usernameVariable: 'GITHUB_API_USERNAME',
+                        passwordVariable: 'GITHUB_API_PASSWORD']]) {
+        apiToken = env.GITHUB_API_PASSWORD
+      }
+      gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)
+
+      def dockerfileLocationsMap = [
+          (OPENJDK8): dockerFileLocations,
+          (OPENJDK11): dockerJava11FileLocations,
+          (OPENJDK17): dockerJava17FileLocations
+      ]
+      def chosenDockerfileLocations = dockerfileLocationsMap.get(params.java_version)
+
+      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
+        stage('Update Repository Manager Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          chosenDockerfileLocations.each { updateRepositoryManagerVersion(it) }
+          version = getShortVersion(params.nexus_repository_manager_version)
+        }
+      }
+      if (params.nexus_repository_manager_cookbook_version) {
+        stage('Update Repository Manager Cookbook Version') {
+          OsTools.runSafe(this, "git checkout ${branch}")
+          chosenDockerfileLocations.each { updateRepositoryCookbookVersion(it) }
+        }
+      }
+    }
+    stage('Build') {
+      gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
+      def dockerfilesMap = [
+          (OPENJDK8): 'Dockerfile',
+          (OPENJDK11): 'Dockerfile.java11',
+          (OPENJDK17): 'Dockerfile.java17'
+      ]
+      def dockerfilePath = dockerfilesMap.get(params.java_version)
+      def baseImage = extractBaseImage(dockerfilePath)
+      def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
+      def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
+      def baseImageReferenceStr = baseImageReference.getReference()
+      OsTools.runSafe(this, "docker build --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
+
+
+      // Build Alpine Image if not Java 8
+      if (params.java_version != OPENJDK8) {
+        alpineDockerfilePath = dockerfilePath.replace("Dockerfile", "Dockerfile.alpine")
+        OsTools.runSafe(this, "docker build --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
+      }
+
+      if (currentBuild.result == 'FAILURE') {
+        gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed'
+        return
+      } else {
+        gitHub.statusUpdate commitId, 'success', 'build', 'Build succeeded'
+      }
+    }
+    stage('Evaluate Policies') {
+      runEvaluation({ stage ->
+        def isAlpine = alpineDockerfilePath != null && alpineDockerfilePath.contains('alpine')
+        def iqApplicationName = isAlpine ? 'docker-nexus3-alpine' : 'docker-nexus3'
+        def imageToScan = isAlpine ? "${imageName}-alpine" : imageName
+
+        nexusPolicyEvaluation(
+          iqStage: stage,
+          iqApplication: iqApplicationName,
+          iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
+          failBuildOnNetworkError: true,
+        )
+      }, 'release')
+    }
+
+    if (currentBuild.result == 'FAILURE') {
+      return
+    }
+    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha
+          || params.nexus_repository_manager_cookbook_version) {
+      stage('Commit Automated Code Update') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'jenkins-github',
+                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          def commitMessage = [
+            params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha ?
+                "Update Repository Manager to ${params.nexus_repository_manager_version}." : "",
+            params.nexus_repository_manager_cookbook_version ?
+                "Update Repository Manager Cookbook to ${params.nexus_repository_manager_cookbook_version}." : ""
+          ].findAll({ it }).join(' ')
+
+
+            OsTools.runSafe(this, """
+              git add .
+              git commit -m '${commitMessage}'
+              git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
+            """)
+
+        }
+      }
+    }
+    stage('Archive') {
+      dir('build/target') {
+        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
+        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
+      }
+    }
+    if (!params.skip_push) {
+      input 'Push image and tags?'
+      stage('Push image') {
+        def dockerhubApiToken
+
+        withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                          credentialsId: 'docker-hub-credentials',
+                          usernameVariable: 'DOCKERHUB_API_USERNAME',
+                          passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
+          def javaVersionSuffixesMap = [
+              (OPENJDK8): JAVA_8,
+              (OPENJDK11): JAVA_11,
+              (OPENJDK17): JAVA_17
+          ]
+          def javaVersionSuffix = javaVersionSuffixesMap.get(params.java_version)
+
+          // Push UBI image
+          OsTools.runSafe(this, "docker tag ${imageName} ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-ubi")
+          if (params.java_version == OPENJDK8) {
+            OsTools.runSafe(this, "docker tag ${imageName} ${organization}/${dockerHubRepository}:${version}-ubi")
+            OsTools.runSafe(this, "docker tag ${imageName} ${organization}/${dockerHubRepository}:${version}")
+          }
+
+          OsTools.runSafe(this, """
+            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
+          """)
+
+          def dockerPushCmdsMap = [
+              (OPENJDK8): "docker push ${organization}/${dockerHubRepository}",
+              (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-ubi",
+              (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-ubi"
+          ]
+          def dockerPushCmd = dockerPushCmdsMap.get(params.java_version)
+
+          OsTools.runSafe(this, dockerPushCmd)
+
+          // Push Alpine image if not Java 8
+          if (params.java_version != OPENJDK8) {
+            OsTools.runSafe(this, "docker tag ${imageName}-alpine ${organization}/${dockerHubRepository}:${version}-${javaVersionSuffix}-alpine")
+            if (params.java_version == OPENJDK11) {
+              OsTools.runSafe(this, "docker tag ${imageName}-alpine ${organization}/${dockerHubRepository}:${version}-alpine")
+            }
+
+            def alpineDockerPushCmdsMap = [
+                (OPENJDK11): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_11}-alpine",
+                (OPENJDK17): "docker push ${organization}/${dockerHubRepository}:${version}-${JAVA_17}-alpine"
+            ]
+            def alpineDockerPushCmd = alpineDockerPushCmdsMap.get(params.java_version)
+
+            OsTools.runSafe(this, alpineDockerPushCmd)
+          }
+
+          response = OsTools.runSafe(this, """
+            curl -X POST https://hub.docker.com/v2/users/login/ \
+              -H 'cache-control: no-cache' -H 'content-type: application/json' \
+              -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
+          """)
+          token = readJSON text: response
+          dockerhubApiToken = token.token
+
+          def readme = readFile file: 'README.md', encoding: 'UTF-8'
+          readme = readme.replaceAll("(?s)<!--.*?-->", "")
+          readme = readme.replace("\"", "\\\"")
+          readme = readme.replace("\n", "\\n")
+          response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
+              acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
+              requestBody: "{ \"full_description\": \"${readme}\" }",
+              url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"
+
+          // push to internal repos
+          withSonatypeDockerRegistry() {
+            sh "docker tag ${imageName} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-${javaVersionSuffix}"
+            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-${javaVersionSuffix}"
+
+            if (params.java_version == OPENJDK8) {
+              sh "docker tag ${imageName} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
+              sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
+            }
+          }
+        }
+      }
+      stage('Push tags') {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding',
+                          credentialsId: credentialsId,
+                          usernameVariable: 'GITHUB_API_USERNAME',
+                          passwordVariable: 'GITHUB_API_PASSWORD']]) {
+          OsTools.runSafe(this, "git tag ${version}")
+          OsTools.runSafe(this, """
+            git push \
+            https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
+              ${version}
+          """)
+        }
+        OsTools.runSafe(this, "git tag -d ${version}")
+      }
+    }
+  } finally {
+    OsTools.runSafe(this, "docker logout")
+    OsTools.runSafe(this, "docker system prune -a -f")
+  }
+}
+
+def readVersion() {
+  def content = readFile 'Dockerfile'
+  for (line in content.split('\n')) {
+    if (line.startsWith('ARG NEXUS_VERSION=')) {
+      return getShortVersion(line.substring(18))
+    }
+  }
+  error 'Could not determine version.'
+}
+
+def getShortVersion(version) {
+  return version.split('-')[0]
+}
+
+def updateRepositoryManagerVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
+  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/
+
+  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
+  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/
+
+  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
+  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
+    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
+  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
+  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def updateRepositoryCookbookVersion(dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+
+  def cookbookVersionRegex = /(ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION=")(release-\d\.\d\.\d{8}\-\d{6}\.[a-z0-9]{7})(")/
+
+  dockerFile = dockerFile.replaceAll(cookbookVersionRegex, "\$1${params.nexus_repository_manager_cookbook_version}\$3")
+
+  writeFile(file: dockerFileLocation, text: dockerFile)
+}
+
+def extractBaseImage (dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+  def baseImageRegex = "FROM\\s+([^\\s]+)"
+  def usedImages = dockerFile =~ baseImageRegex
+
+  return usedImages[0][1]
+}

Jenkinsfile-sbom-release

@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 2011-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+
+import groovy.json.JsonSlurper
+import groovy.json.JsonBuilder
+
+IQ_URL_BASE = "https://sonatype.sonatype.app/platform"
+REPO_BASE_URL = "https://repo.sonatype.com/service/rest"
+TARGET_REPO_NAME = "sonatype-sboms"
+SBOM_DEPLOYER_CREDENTIALS = "sonatype-sbom-deployer"
+REDHAT_SBOM_REPO_URL_BASE = "https://access.redhat.com/security/data/sbom/beta"
+REDHAT_CONTAINER_API_URL_BASE = "https://catalog.redhat.com/api/containers/v1"
+CYCLONEDX_VERSION = "1.5"
+SPDXMERGE_VERSION_TAG = "v0.2.0"
+NEXUS3_REPORT_BY_TAG = [
+  "^(\\d+\\.\\d+\\.\\d+)(-java\\d+)?-alpine\$" : "docker-nexus3-alpine",
+  "^(\\d+\\.\\d+\\.\\d+)(-java\\d+)?(-ubi)?\$" : "docker-nexus3"
+]
+DOCKER_NEXUS_IMAGE_NAME = "docker-all.repo.sonatype.com/sonatype/nexus3"
+DEFAULT_NEXUS3_REPORT = "docker-nexus3"
+
+properties([
+    parameters([
+        string(name: 'docker_nexus3_tag', defaultValue: '',
+            description: 'NXRM Docker image tag. The result SBOMs will be tagged with this version.')
+    ])
+])
+
+def getComponentSbom(String buildDir, String componentName, String componentVersion) {
+    def componentId = getComponentInfo(componentName).applications[0].id
+    withCredentials([usernamePassword(credentialsId: 'jenkins-saas-service-acct', usernameVariable: 'IQ_USER', passwordVariable: 'IQ_PASSWORD')]) {
+        def formats = ['spdx', 'cyclonedx']
+        formats.each { format ->
+            def urlPath = format == 'spdx' ? "spdx/${componentId}/stages/release?format=json" : "cycloneDx/${CYCLONEDX_VERSION}/${componentId}/stages/release"
+            sh "curl -s -L -u \$IQ_USER:\$IQ_PASSWORD -o '${buildDir}/${format}/${componentName}-${componentVersion}-${format}.json' -X GET -H 'Accept: application/json' '${IQ_URL_BASE}/api/v2/${urlPath}'"
+        }
+    }
+}
+
+def getUbiImageSbom(String buildDir, String ubiMinimalName, String ubiMinimalVersion) {
+  // Get ubi-minimal SBOM (as RedHat SBOM repo is still in beta, this has to be optional)
+  def httpStatus = sh(
+      script: "curl -s -w \"%{http_code}\" \
+              -X GET ${REDHAT_SBOM_REPO_URL_BASE}/spdx/${ubiMinimalName}.json.bz2 \
+              -o '${buildDir}/spdx/ubi-minimal-${ubiMinimalVersion}.json.bz2'",
+      returnStdout: true)
+
+  if (!"200".equals(httpStatus)) {
+    echo """ Error ${httpStatus}: Could not load UBI minimal SBOM version ${ubiMinimalVersion}.
+        This could happen because RedHat SBOM repo is still in beta. UBI SBOM will be skipped.
+        Please visit https://access.redhat.com/security/data for further information.
+        """
+
+    sh "rm '${buildDir}/spdx/ubi-minimal-${ubiMinimalVersion}.json.bz2'"
+
+    return false
+  } else {
+    sh "(cd ${buildDir}/spdx && bzip2 -d 'ubi-minimal-${ubiMinimalVersion}.json.bz2')"
+    return true
+  }
+}
+
+def getComponentInfo(String componentName) {
+  def jsonSlurper = new JsonSlurper()
+  def response = null
+
+  withCredentials([
+      usernamePassword(
+          credentialsId: 'jenkins-saas-service-acct',
+          usernameVariable: 'IQ_USER',
+          passwordVariable: 'IQ_PASSWORD')
+  ]) {
+    def rawResponse = sh(returnStdout: true, script: "curl -s -u \$IQ_USER:\$IQ_PASSWORD -X GET '${IQ_URL_BASE}/api/v2/applications?publicId=${componentName}'")
+    response = jsonSlurper.parseText(rawResponse)
+  }
+}
+
+def publishComponentSbom(String buildDir, String componentName, String componentVersion, boolean cyclonedxAvailable = true) {
+  def publishCommand = "curl -v -s -w 'Status: %{http_code}' -u \$NXRM_USER:\$NXRM_PASSWORD -X POST '${REPO_BASE_URL}/v1/components?repository=${TARGET_REPO_NAME}' \
+    -F 'raw.directory=/${componentName}/${componentVersion}/' \
+    -F 'raw.asset1=@${buildDir}/spdx/${componentName}-${componentVersion}-spdx.json' \
+    -F 'raw.asset1.filename=${componentName}-${componentVersion}-spdx.json'"
+  
+  if (cyclonedxAvailable) {
+    publishCommand = "${publishCommand} \
+      -F 'raw.asset2=@${buildDir}/cyclonedx/${componentName}-${componentVersion}-cyclonedx.json' \
+      -F 'raw.asset2.filename=${componentName}-${componentVersion}-cyclonedx.json'"
+  }
+
+  withCredentials([
+      usernamePassword(
+          credentialsId: SBOM_DEPLOYER_CREDENTIALS,
+          usernameVariable: 'NXRM_USER',
+          passwordVariable: 'NXRM_PASSWORD')
+  ]) {
+    def publishStatus = sh(script: publishCommand, returnStdout: true).trim()
+
+    if( !(publishStatus ==~ "Status: 2\\d\\d") ) {
+      error "Could not publish SBOM of component ${componentName}:${componentVersion}"
+    }
+  }
+}
+
+def mergeSpdxComponents(String buildDir, String finalComponentName, String finalComponentVersion, String finalNamespace) {
+  def pythonEnvDir = "${buildDir}/.spdxmerge"
+
+  sh """#!/bin/bash
+        if ! [ -d "${buildDir}/SPDXMerge" ]; then
+          git clone --branch '${SPDXMERGE_VERSION_TAG}' https://github.com/philips-software/SPDXMerge.git '${buildDir}/SPDXMerge'
+        fi
+      """
+
+  sh """#!/bin/bash
+    if mkdir -p '${pythonEnvDir}' && python3 -m venv '${pythonEnvDir}' && ls '${pythonEnvDir}' && . '${pythonEnvDir}/bin/activate'; then
+      if python3 -m pip install -r '${buildDir}/SPDXMerge/requirements.txt' \
+          && python3 -m pip install setuptools \
+          && python3 '${buildDir}/SPDXMerge/spdxmerge/SPDXMerge.py' --docpath '${buildDir}/spdx' --outpath '${buildDir}/' \
+              --name "docker-nexus3-aggregate" --mergetype "1" --author "Sonatype Inc." --email "support@sonatype.com" \
+              --docnamespace "${finalNamespace}" \
+              --filetype J \
+          && mv '${buildDir}/merged-SBoM-deep.json' '${buildDir}/spdx/${finalComponentName}-${finalComponentVersion}-spdx.json'; then
+        echo 'Merge completed!'
+      else
+      echo 'Merge failed!'
+        FAILED=1
+      fi
+
+      deactivate
+    fi
+
+    exit \${FAILED:-0}
+    """
+}
+
+def getNexusReportName(String tag) {
+  for(entry in NEXUS3_REPORT_BY_TAG) {
+    if(tag ==~ entry.key) {
+      return entry.value
+    }
+  }
+  return DEFAULT_NEXUS3_REPORT
+}
+
+def dockerInspectLabel(String image, String tag, String label) {
+  sh(script: "docker inspect ${image}:${tag} | jq -r '.[0].Config.Labels[\"${label}\"]'", returnStdout: true).trim()
+}
+
+dockerizedRunPipeline(
+    skipVulnerabilityScan: true,
+    pathToDockerfile: "./build-images/Dockerfile.sbom-deployer",
+    prepare: {
+      withSonatypeDockerRegistry() {
+        sh "docker pull ${DOCKER_NEXUS_IMAGE_NAME}:${params.docker_nexus3_tag}"
+
+        def baseImageRef = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "base-image-ref")
+        
+        env['imageTag'] = params.docker_nexus3_tag
+        env['nexusVersion'] = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "version")
+        env['dockerImageVersion'] = dockerInspectLabel(DOCKER_NEXUS_IMAGE_NAME, params.docker_nexus3_tag, "release")
+        env['ubiImageId'] = baseImageRef.contains("image=") ? baseImageRef.split("image=")[1] : ""
+      }
+    },
+    run: {
+      def buildDir = "./.sbom-build/job-${env.BUILD_NUMBER}/v${env.imageTag}"
+      def jsonSlurper = new JsonSlurper()
+      def nexusReportName = getNexusReportName(env.imageTag)
+
+      // Download SBOMs
+      sh "mkdir -p ${buildDir}/spdx && mkdir -p ${buildDir}/cyclonedx"
+
+      // Get nexus-internal SBOM
+      getComponentSbom(buildDir, "nexus-internal", env.nexusVersion)
+      // Get nxrm-db-migrator SBOM
+      getComponentSbom(buildDir, "nxrm-db-migrator", env.nexusVersion)
+      // Get we SBOM
+      getComponentSbom(buildDir, nexusReportName, env.dockerImageVersion)
+
+      // Get UBI Minimal SBOM
+      boolean ubiSbomAvailable = env.ubiImageId?.trim() ? true : false
+      def ubiImageName = ubiSbomAvailable ? sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \
+          | jq -r '.brew.build' \
+          | sed -En 's/(ubi[0-9]+-minimal)-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1-\\2/p'",
+          returnStdout: true).trim() : ""
+      def ubiImageVersion = ubiSbomAvailable ? sh(script: "curl -s -X 'GET' '${REDHAT_CONTAINER_API_URL_BASE}/images/id/${env.ubiImageId}' -H 'accept: application/json' \
+          | jq -r '.brew.build' \
+          | sed -En 's/ubi[0-9]+-minimal-container-([0-9]+\\.[0-9]+-[0-9]+\\.?[0-9]*)/\\1/p'",
+          returnStdout: true).trim() : ""
+      ubiSbomAvailable = ubiSbomAvailable ? getUbiImageSbom(buildDir, ubiImageName, ubiImageVersion) : false
+
+      sh "echo 'Available SPDX SBOMS' && ls ${buildDir}/spdx"
+      sh "echo 'Available CycloneDx SBOMS' && ls ${buildDir}/cyclonedx"
+
+      // Merge supported sboms
+      def dockerImageNamespace = sh(script: "cat ${buildDir}/spdx/${nexusReportName}-${env.dockerImageVersion}-spdx.json | jq -r '.documentNamespace'", returnStdout: true).trim()
+      mergeSpdxComponents(buildDir, "${nexusReportName}-aggregate", env.dockerImageVersion, dockerImageNamespace)
+
+      // Publish SBOMs
+      if (ubiSbomAvailable) {
+        publishComponent(buildDir, "ubi-minimal", ubiImageVersion, false)
+      }
+      publishComponentSbom(buildDir, "nexus-internal", env.nexusVersion)
+      publishComponentSbom(buildDir, "nxrm-db-migrator", env.nexusVersion)
+      publishComponentSbom(buildDir, nexusReportName, env.dockerImageVersion)
+      publishComponentSbom(buildDir, "${nexusReportName}-aggregate", env.dockerImageVersion, false)
+
+      sh "rm -rf '${buildDir}'"
+    }
+)

Jenkinsfile.rh

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared']) _
+
+properties([
+  parameters([
+    string(name: 'version', description: 'Version tag to apply to the image, like 3.41.0-ubi-1.'),
+  ]),
+])
+
+node('ubuntu-zion') {
+  try {
+    stage('Preparation') {
+      deleteDir()
+      checkout scm
+      sh 'docker system prune -a -f'
+      sh '''
+        wget -q -O preflight \
+          https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.9.4/preflight-linux-amd64
+        chmod 755 preflight
+      '''
+    }
+    stage('Build') {
+      withCredentials([
+        usernamePassword(
+            credentialsId: 'red-hat-quay-nexus-repository-manager',
+            usernameVariable: 'REGISTRY_LOGIN',
+            passwordVariable: 'REGISTRY_PASSWORD'),
+        string(
+            credentialsId: 'red-hat-api-token',
+            variable: 'API_TOKEN')
+      ]) {
+        def dockerfilePath = 'Dockerfile.rh.ubi.java17'
+
+        def baseImage = extractBaseImage(dockerfilePath)
+        def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
+        def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
+        def baseImageReferenceStr = baseImageReference.getReference()
+
+        def buildRedhatImageShCmd = 'PATH="$PATH:." VERSION=$version ' +
+            "DOCKERFILE='${dockerfilePath}' " +
+            "BASE_IMG_REF='${baseImageReferenceStr}' " +
+            './build_red_hat_image.sh'
+        sh buildRedhatImageShCmd
+      }
+    }
+  } finally {
+    sh 'docker logout'
+    sh 'docker system prune -a -f'
+    sh 'git clean -f && git reset --hard origin/main'
+  }
+}
+
+def extractBaseImage (dockerFileLocation) {
+  def dockerFile = readFile(file: dockerFileLocation)
+  def baseImageRegex = "FROM\\s+([^\\s]+)"
+  def usedImages = dockerFile =~ baseImageRegex
+  return usedImages[0][1]
+}

README.md

@@ -1,7 +1,11 @@
 <!--
 
-  Copyright (c) 2016-present Sonatype, Inc.
+    Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
 
+-->
+<!-- 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
@@ -15,16 +19,15 @@
   limitations under the License.
 
 -->
-
-# Sonatype Nexus3 Docker: sonatype/nexus3
+# Sonatype Nexus Repository Docker: sonatype/nexus3
 
 [![Join the chat at https://gitter.im/sonatype/nexus-developers](https://badges.gitter.im/sonatype/nexus-developers.svg)](https://gitter.im/sonatype/nexus-developers?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
-A Dockerfile for Sonatype Nexus Repository Manager 3, starting with 3.18 the image is based on the [Red Hat Universal Base Image](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) while earlier versions used CentOS.
+A Dockerfile for Sonatype Nexus Repository 3, starting with 3.18 the image is based on the [Red Hat Universal Base Image](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) while earlier versions used CentOS.
 
 * [Contribution Guidlines](#contribution-guidelines)
 * [Running](#running)
-* [Building the Nexus Repository Manager image](#building-the-nexus-repository-manager-image)
+* [Building the Sonatype Nexus Repository image](#building-the-nexus-repository-manager-image)
 * [Chef Solo for Runtime and Application](#chef-solo-for-runtime-and-application)
 * [Testing the Dockerfile](#testing-the-dockerfile)
 * [Red Hat Certified Image](#red-hat-certified-image)
@@ -34,7 +37,7 @@ A Dockerfile for Sonatype Nexus Repository Manager 3, starting with 3.18 the ima
 
 ## Contribution Guidelines
 
-Go read [our contribution guidelines](https://github.com/sonatype/docker-nexus3/blob/master/.github/CONTRIBUTING.md) to get a bit more familiar with how
+Go read [our contribution guidelines](https://github.com/sonatype/docker-nexus3/blob/main/.github/CONTRIBUTING.md) to get a bit more familiar with how
 we would like things to flow.
 
 ## Running
@@ -45,15 +48,22 @@ To run, binding the exposed port 8081 to the host, use:
 $ docker run -d -p 8081:8081 --name nexus sonatype/nexus3
 ```
 
+When stopping, be sure to allow sufficient time for the databases to fully shut down.  
+
+```
+docker stop --time=120 <CONTAINER_NAME>
+```
+
+
 To test:
 
 ```
 $ curl http://localhost:8081/
 ```
 
-## Building the Nexus Repository Manager image
+## Building the Sonatype Nexus Repository image
 
-To build a docker image from the Docker file you can use this command:
+To build a docker image from the [Dockerfile](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile) you can use this command:
 
 ```
 $ docker build --rm=true --tag=sonatype/nexus3 .
@@ -61,9 +71,9 @@ $ docker build --rm=true --tag=sonatype/nexus3 .
 
 The following optional variables can be used when building the image:
 
-- NEXUS_VERSION: Version of the Nexus Repository Manager
-- NEXUS_DOWNLOAD_URL: Download URL for Nexus Repository, alternative to using `NEXUS_VERSION` to download from Sonatype
-- NEXUS_DOWNLOAD_SHA256_HASH: Sha256 checksum for the downloaded Nexus Repository Manager archive. Required if `NEXUS_VERSION`
+- NEXUS_VERSION: Version of the Sonatype Nexus Repository
+- NEXUS_DOWNLOAD_URL: Download URL for Sonatype Nexus Repository, alternative to using `NEXUS_VERSION` to download from Sonatype
+- NEXUS_DOWNLOAD_SHA256_HASH: Sha256 checksum for the downloaded Sonatype Nexus Repository archive. Required if `NEXUS_VERSION`
  or `NEXUS_DOWNLOAD_URL` is provided
 
 ## Chef Solo for Runtime and Application
@@ -81,16 +91,33 @@ We are using `rspec` as the test framework. `serverspec` provides a docker backe
 
 ## Red Hat Certified Image
 
-A Red Hat certified container image can be created using `Dockerfile.rh.el` which is built to be compliant with Red Hat certification.
+A Red Hat certified container image can be created using [Dockerfile.rh.ubi](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.ubi) which is built to be compliant with Red Hat certification.
 The image includes additional meta data to comform with Kubernetes and OpenShift standards, a directory with the
 licenses applicable to the software and a man file for help on how to use the software. It also uses an ENTRYPOINT
-script the ensure the running user has access to the appropriate permissions for OpenShift 'restricted' SCC. In addition to the
-Red Hat Enterprise Linux image, `Dockerfile.rh.centos` provides the same additions but with a CentOS base.
+script the ensure the running user has access to the appropriate permissions for OpenShift 'restricted' SCC. 
 
 The Red Hat certified container image is available from the 
 [Red Hat Container Catalog](https://access.redhat.com/containers/#/registry.connect.redhat.com/sonatype/nexus-repository-manager)
 and qualified accounts can pull it from registry.connect.redhat.com.
 
+## Other Red Hat Images
+
+In addition to the Universal Base Image, we can build images based on:
+* Red Hat Enterprise Linux: [Dockerfile.rh.el](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.el)
+* CentOS: [Dockerfile.rh.centos](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.rh.centos)
+
+## Alpine Image
+
+An Alpine-based container image can be created using [Dockerfile.alpine.java11](https://github.com/sonatype/docker-nexus3/blob/main/Dockerfile.alpine.java11) This Dockerfile is built to leverage the minimalistic and efficient nature of Alpine Linux, emphasizing fewer dependencies to achieve a cleaner SBOM (Software Bill of Materials) and a stronger security posture.
+
+The Alpine-based container image includes minimal dependencies and uses an ENTRYPOINT script to ensure the application runs with the necessary permissions. It is optimized for rapid deployment and efficient resource usage.
+
+The Alpine-based container image is available from Docker Hub and can be pulled using the following tags:
+
+- sonatype/nexus3:3.XX.y-alpine (runs Java 11)
+- sonatype/nexus3:3.XX.y-java11-alpine
+- sonatype/nexus3:3.XX.y-java17-alpine
+
 ## Notes
 
 * Our [system requirements](https://help.sonatype.com/display/NXRM3/System+Requirements) should be taken into account when provisioning the Docker container.
@@ -111,16 +138,18 @@ process, which runs as UID 200.
 
 * There is an environment variable that is being used to pass JVM arguments to the startup script
 
-  * `INSTALL4J_ADD_VM_PARAMS`, passed to the Install4J startup script. Defaults to `-Xms1200m -Xmx1200m -XX:MaxDirectMemorySize=2g -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs`.
+  * `INSTALL4J_ADD_VM_PARAMS`, passed to the Install4J startup script. Defaults to `-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs`.
 
   This can be adjusted at runtime:
 
   ```
-  $ docker run -d -p 8081:8081 --name nexus -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/some-other-dir" sonatype/nexus3
+  $ docker run -d -p 8081:8081 --name nexus -e INSTALL4J_ADD_VM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=/some-other-dir" sonatype/nexus3
   ```
 
   Of particular note, `-Djava.util.prefs.userRoot=/some-other-dir` can be set to a persistent path, which will maintain
-  the installed Nexus Repository License if the container is restarted.
+  the installed Sonatype Nexus Repository License if the container is restarted.
+  
+  Be sure to check the [memory requirements](https://help.sonatype.com/display/NXRM3/System+Requirements#SystemRequirements-MemoryRequirements) when deciding how much heap and direct memory to allocate.
 
 * Another environment variable can be used to control the Nexus Context Path
 
@@ -161,6 +190,9 @@ for additional information.
 Looking to contribute to our Docker image but need some help? There's a few ways to get information or our attention:
 
 * Chat with us on [Gitter](https://gitter.im/sonatype/nexus-developers)
-* File an issue [on our public JIRA](https://issues.sonatype.org/projects/NEXUS/)
 * Check out the [Nexus3](http://stackoverflow.com/questions/tagged/nexus3) tag on Stack Overflow
-* Check out the [Nexus Repository User List](https://groups.google.com/a/glists.sonatype.com/forum/?hl=en#!forum/nexus-users)
+* Check out the [Sonatype Nexus Repository User List](https://groups.google.com/a/glists.sonatype.com/forum/?hl=en#!forum/nexus-users)
+
+## License Disclaimer
+
+_Sonatype Nexus Repository OSS is distributed with Sencha Ext JS pursuant to a FLOSS Exception agreed upon between Sonatype, Inc. and Sencha Inc. Sencha Ext JS is licensed under GPL v3 and cannot be redistributed as part of a closed source work._

SECURITY.md

@@ -0,0 +1,78 @@
+<!--
+
+    Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+# Reporting Security Vulnerabilities
+
+## When to report
+
+First check
+[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)
+to see if this has been previously reported.
+
+## How to report
+
+Please email reports regarding security related issues you find to [mailto:security@sonatype.com](security@sonatype.com).
+
+Use our public key below to keep your message safe.
+
+## What to include
+
+Please use a descriptive subject line in your email report.
+
+Your name and/or affiliation.
+
+A detailed technical description of the vulnerability, attack scenario and where
+possible, how we can reproduce your findings.
+
+Provide us with a secure way to respond.
+
+## What to expect
+
+Your email will be acknowledged within 1 - 2 business days, and you'll receive a
+more detailed response to your email within 7 business days.
+
+We ask that everyone please follow responsible disclosure practices and allow
+time for us to release a fix prior to public release.
+
+Once an issue is reported, Sonatype uses the following disclosure process:
+
+When a report is received, we confirm the issue and determine its severity.
+
+If third-party services or software require mitigation before publication, those
+projects will be notified.
+
+## Our public key
+
+```console
+-----BEGIN PUBLIC KEY BLOCK-----
+mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw
+onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q
+Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7
+3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ
+eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs
+5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy
+aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo
+2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE
+iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA
+oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR
+Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT
+Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX
+wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy
+o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0
+JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK
+x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi
+jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6
+8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF
+AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0
+pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ
+bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre
+1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP
+DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3
+dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt
+-----END PUBLIC KEY BLOCK-----
+```

build-images/Dockerfile.sbom-deployer

@@ -0,0 +1,3 @@
+FROM docker-all.repo.sonatype.com/python:3.12
+
+RUN apt-get update && apt-get install -y jq curl

build_red_hat_image.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+# Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+# "Sonatype" is a trademark of Sonatype, Inc.
+#
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# prerequisites:
+# * software:
+#   * https://github.com/redhat-openshift-ecosystem/openshift-preflight
+#   * https://podman.io/
+# * environment variables:
+#   * DOCKERFILE to be built
+#   * BASE_IMG_REF to add as a label to the image
+#   * VERSION of the docker image  to build for the red hat registry
+#   * REGISTRY_LOGIN from Red Hat config page for image
+#   * REGISTRY_PASSWORD from Red Hat config page for image
+#   * API_TOKEN from red hat token/account page for API access
+
+set -x # log commands as they execute
+set -e # stop execution on the first failed command
+
+# from config/scanning page at red hat
+CERT_PROJECT_ID=5e61d90a38776799eb517bd2
+
+REPOSITORY="quay.io"
+IMAGE_LATEST="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:latest"
+IMAGE_TAG="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:${VERSION}"
+
+AUTHFILE="${HOME}/.docker/config.json"
+
+docker build -f "${DOCKERFILE}" --label base-image-ref=${BASE_IMG_REF} -t "${IMAGE_TAG}" .
+docker tag "${IMAGE_TAG}" "${IMAGE_LATEST}"
+
+docker login "${REPOSITORY}" \
+       -u "${REGISTRY_LOGIN}" \
+       --password "${REGISTRY_PASSWORD}"
+
+docker push "${IMAGE_TAG}"
+docker push "${IMAGE_LATEST}"
+
+preflight check container \
+          "${IMAGE_TAG}" \
+          --docker-config="${AUTHFILE}" \
+          --submit \
+          --certification-project-id="${CERT_PROJECT_ID}" \
+          --pyxis-api-token="${API_TOKEN}"

build_red_hat_image_for_java11.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2017-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# prerequisites:
+# * software:
+#   * https://github.com/redhat-openshift-ecosystem/openshift-preflight
+#   * https://podman.io/
+# * environment variables:
+#   * VERSION of the docker image  to build for the red hat registry
+#   * REGISTRY_LOGIN from Red Hat config page for image
+#   * REGISTRY_PASSWORD from Red Hat config page for image
+#   * API_TOKEN from red hat token/account page for API access
+
+set -x # log commands as they execute
+set -e # stop execution on the first failed command
+
+DOCKERFILE=Dockerfile.rh.ubi.java11
+JAVA_VERSION="java11"
+
+# from config/scanning page at red hat
+CERT_PROJECT_ID=5e61d90a38776799eb517bd2
+
+REPOSITORY="quay.io"
+IMAGE_TAG="${REPOSITORY}/redhat-isv-containers/${CERT_PROJECT_ID}:${VERSION}-${JAVA_VERSION}"
+
+AUTHFILE="${HOME}/.docker/config.json"
+
+docker build -f "${DOCKERFILE}" -t "${IMAGE_TAG}" .
+docker tag "${IMAGE_TAG}"
+
+docker login "${REPOSITORY}" \
+       -u "${REGISTRY_LOGIN}" \
+       --password "${REGISTRY_PASSWORD}"
+
+docker push "${IMAGE_TAG}"
+
+preflight check container \
+          "${IMAGE_TAG}" \
+          --docker-config="${AUTHFILE}" \
+          --submit \
+          --certification-project-id="${CERT_PROJECT_ID}" \
+          --pyxis-api-token="${API_TOKEN}"

ci/TriggerRedHatBuild.groovy

@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2020-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+
+/**
+ * This script triggers the build service for a certified docker image at Red Hat.
+ * It's meant to be used by Jenkins via the Jenkinsfile.
+ */
+@Grab('io.github.http-builder-ng:http-builder-ng-core:1.0.4')
+
+import groovyx.net.http.HttpBuilder
+import groovyx.net.http.HttpException
+
+if (args.size() < 3) {
+  System.err.println('Usage: groovy TriggerRedhatBuild.groovy <version> <projectId> <apiKey>')
+  System.exit(1)
+}
+
+new BuildClient(*args).run()
+
+class BuildClient {
+  private static final Integer TIMEOUT_MINUTES = 20
+
+  private final String version
+  private final String projectId
+
+  private final HttpBuilder builder
+
+  BuildClient(String version, String projectId, String apiKey) {
+    this.version = version
+    this.projectId = projectId
+
+    builder = HttpBuilder.configure {
+      request.uri = 'https://connect.redhat.com'
+      request.headers['Authorization'] = "Bearer ${apiKey}"
+      request.contentType = 'application/json'
+      request.body = [:]
+    }
+  }
+
+  /**
+   * fire off a series of requests to build and publish
+   * a container.
+   */
+  void run() {
+    final nextTag = getNextTag(version)
+    println "Triggering build as ${nextTag}"
+
+    final buildStatus = build(nextTag)
+
+    if (buildStatus.status != 'Created') {
+      fail(buildStatus)
+    }
+
+    final completedBuild = getCompletedBuild(nextTag)
+
+    if (completedBuild.failure) {
+      fail(completedBuild.failure)
+    }
+
+    final published = publish(completedBuild.digest, completedBuild.name)
+
+    if (published.failure) {
+      fail(published.failure)
+    }
+
+    println published
+  }
+
+  /**
+   * calculate the cutoff time in the future in miliseconds
+   * for comparison to System.currentTimeMillis()
+   * @param start start time in millis
+   * @param minutes minutes into the future
+   * @return future time in millis
+   */
+  private Long calcCutoffTime(Long start, Integer minutes) {
+    return minutes * 60 * 1000 + start
+  }
+
+  /**
+  * fail with message and exit with an error code for jenkins to see
+  * @param message message to print
+  */
+  private void fail(String message) {
+    System.err.println(message)
+    System.exit(1)
+  }
+
+
+  /**
+  * Request current version tags available at Red Hat.
+  * @return the list of all tags
+  */
+  private List getTags() {
+    return builder.post {
+      request.uri.path = "/api/v2/projects/${projectId}/tags"
+    }.tags
+  }
+
+  /**
+  * Request current version tags available at Red Hat,
+  * and calculate the next tag to use in this build.
+  * @param version the base version we're currently building
+  * @return the full new version string to submit for the next build
+  */
+  private String getNextTag(String version) {
+    final tags = getTags()*.name.collectMany {
+      it.split(', ').collect()
+    }
+
+    final currentIndex = tags.findAll {
+      it.startsWith(version)
+    }.collect {
+      it.replaceAll(/${version}-(\d+)-?.*/, '$1') as Integer
+    }.sort().reverse()[0]
+
+    final nextIndex =((currentIndex ?: 0) as Integer) + 1
+
+    return "${version}-${nextIndex}"
+  }
+
+  /**
+  * Trigger build of the certified image at Red Hat,
+  * @param nextTag the full version tag to be assigned to the new build
+  * @return the map from json with the status of the submitted build
+  */
+  private Map build(String nextTag) {
+    return builder.post {
+      request.uri.path = "/api/v2/projects/${projectId}/build"
+      request.body = [tag: nextTag]
+    }
+  }
+
+  /**
+  * Poll for the completed (built and scanned) build at Red Hat build service.
+  * @param nextTag the full version tag assigned to the new build
+  * @return the map from json with info about the completed build
+  */
+  private Map getCompletedBuild(String nextTag) {
+    final endTime = calcCutoffTime(System.currentTimeMillis(), TIMEOUT_MINUTES)
+
+    while (System.currentTimeMillis() < endTime) {
+      println 'Waiting for build to finish.'
+      sleep 60000
+
+      try {
+        final completedBuild = getTags().find {
+          it.name == nextTag && it.scan_status == 'passed'
+        }
+
+        if (completedBuild) {
+          return completedBuild
+        }
+      } catch (HttpException ex) {
+        ex.printStackTrace()
+        System.err.println "Failed retrieving completed builds, but still trying: ${ex.statusCode} [${ex.body}]"
+      }
+    }
+
+    return [failure: "TIMEOUT waiting for complete build: ${TIMEOUT_MINUTES} minutes"]
+  }
+
+  /**
+  * Trigger publishing of the new image at Red Hat build service.
+  * @param digest hash string that identifies the container to publish
+  * @param name tag name (version) of the container image to publish
+  * @return the map from json with status of the published container image
+  */
+  private Map publish(String digest, String name) {
+    final publishPath = [
+      '/api/v2/projects',
+      projectId,
+      'containers',
+      digest,
+      'tags',
+      name,
+      'publish'
+    ].join('/')
+
+    try {
+      return builder.post {
+        request.uri.path = publishPath
+      }
+    } catch (HttpException ex) {
+      ex.printStackTrace()
+      return [failure: "Failed to publish: ${ex.statusCode} [${ex.body}]"]
+    }
+  }
+}

header.txt

@@ -0,0 +1,3 @@
+Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+"Sonatype" is a trademark of Sonatype, Inc.

rh-docker/help.1

@@ -0,0 +1,74 @@
+.PP
+% 
+.BR NEXUS (1) 
+Container Image Pages
+% Sonatype
+% December 15, 2017
+.TH NAME
+.PP
+nexus \- Nexus Repository Manager container image
+.SH DESCRIPTION
+.PP
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+.PP
+The nexus image is designed to be run by the atomic command with one of these options:
+.PP
+\fB\fCrun\fR
+.PP
+Starts the installed container with selected privileges to the host.
+.PP
+\fB\fCstop\fR
+.PP
+Stops the installed container
+.PP
+The container itself consists of:
+    \- Linux base image
+    \- Java OpenJDK
+    \- Nexus Repository Manager
+    \- Atomic help file
+.PP
+Files added to the container during docker build include: /help.1.
+.SH USAGE
+.PP
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+.PP
+To run the nexus container:
+.IP
+atomic run nexus
+.PP
+To stop the nexus container (after it is installed), run:
+.IP
+atomic stop nexus
+.SH LABELS
+.PP
+The nexus container includes the following LABEL settings:
+.PP
+That atomic command runs the docker command set in this label:
+.PP
+\fB\fCRUN=\fR
+.IP
+LABEL RUN='docker run \-d \-p 8081:8081 \-\-name ${NAME} ${IMAGE}'
+.IP
+The contents of the RUN label tells an \fB\fCatomic run nexus\fR command to open port 8081 & set the name of the container.
+.PP
+\fB\fCSTOP=\fR
+.IP
+LABEL STOP='docker stop ${NAME}'
+.PP
+\fB\fCName=\fR
+.PP
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+.PP
+\fB\fCVersion=\fR
+.PP
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2\-01".
+.PP
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+.SH SECURITY IMPLICATIONS
+.PP
+\fB\fC\-d\fR
+.PP
+Runs continuously as a daemon process in the background

rh-docker/help.md

@@ -0,0 +1,79 @@
+<!--
+
+    Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+% NEXUS(1) Container Image Pages
+% Sonatype
+% December 15, 2017
+
+# NAME
+nexus \- Nexus Repository Manager container image
+
+# DESCRIPTION
+The nexus image provides a containerized packaging of the Nexus Repository Manager.
+Nexus Repository Manager is a repository manager with universal support for popular component formats including Maven, Docker, NuGet, npm, PyPi, Bower and more.
+
+The nexus image is designed to be run by the atomic command with one of these options:
+
+`run`
+
+Starts the installed container with selected privileges to the host.
+
+`stop`
+
+Stops the installed container
+
+The container itself consists of:
+    - Linux base image
+    - Java OpenJDK
+    - Nexus Repository Manager
+    - Atomic help file
+
+Files added to the container during docker build include: /help.1.
+
+# USAGE
+To use the nexus container, you can run the atomic command with run, stop, or uninstall options:
+
+To run the nexus container:
+
+  atomic run nexus
+
+To stop the nexus container (after it is installed), run:
+
+  atomic stop nexus
+
+# LABELS
+The nexus container includes the following LABEL settings:
+
+That atomic command runs the docker command set in this label:
+
+`RUN=`
+
+  LABEL RUN='docker run -d -p 8081:8081 --name ${NAME} ${IMAGE}'
+
+  The contents of the RUN label tells an `atomic run nexus` command to open port 8081 & set the name of the container.
+
+`STOP=`
+
+  LABEL STOP='docker stop ${NAME}'
+
+`Name=`
+
+The registry location and name of the image. For example, Name="Nexus Repository Manager".
+
+`Version=`
+
+The Nexus Repository Manager version from which the container was built. For example, Version="3.6.2-01".
+
+When the atomic command runs the nexus container, it reads the command line associated with the selected option
+from a LABEL set within the Docker container itself. It then runs that command. The following sections detail
+each option and associated LABEL:
+
+# SECURITY IMPLICATIONS
+
+`-d`
+
+Runs continuously as a daemon process in the background

rh-docker/licenses/LICENSE

@@ -0,0 +1,10 @@
+Sonatype Nexus (TM) Open Source Version
+Copyright (c) 2008-present Sonatype, Inc.
+All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+Eclipse Foundation. All other trademarks are the property of their respective owners.

rh-docker/uid_entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+# Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+# "Sonatype" is a trademark of Sonatype, Inc.
+#
+
+# arbitrary uid recognition at runtime - for OpenShift deployments
+USER_ID=$(id -u)
+if [[ ${USER_UID} != ${USER_ID} ]]; then
+    sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" /etc/passwd.template > /etc/passwd
+fi
+exec "$@"
+

rh-docker/uid_template.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+# Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+# "Sonatype" is a trademark of Sonatype, Inc.
+#
+
+# arbitrary uid recognition at runtime - for OpenShift deployments
+sed "s@${USER_NAME}:x:${USER_UID}:@${USER_NAME}:x:\${USER_ID}:@g" /etc/passwd > /etc/passwd.template

scripts/BaseImageReference.groovy

@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
+ * Includes the third-party code listed at http://links.sonatype.com/products/nxrm/attributions.
+ * "Sonatype" is a trademark of Sonatype, Inc.
+ */
+interface BaseImageReference
+{
+  String getReference()
+
+  String getReference(String registryName)
+}
+
+class DefaultBaseImageReference
+    implements BaseImageReference
+{
+  private String baseImage
+
+  private DockerImageHelper dockerImageHelper
+
+  DefaultBaseImageReference(String baseImage, DockerImageHelper dockerImageHelper) {
+    this.baseImage = baseImage
+    this.dockerImageHelper = dockerImageHelper
+  }
+
+  String getReference(String registryName = null) {
+    def imageDigest = dockerImageHelper.getImageFirstRepoDigest(baseImage)
+    if (imageDigest == null) {
+      return baseImage
+    }
+    return imageDigest
+  }
+}
+
+class RedHatBaseImageReference
+    implements BaseImageReference
+{
+  final static RED_HAT_REGISTRY = "registry.access.redhat.com"
+
+  private String baseImage
+
+  private DockerImageHelper dockerImageHelper
+
+  private steps
+
+  RedHatBaseImageReference(String baseImage, DockerImageHelper dockerImageHelper, steps) {
+    this.baseImage = baseImage
+    this.dockerImageHelper = dockerImageHelper
+    this.steps = steps
+  }
+
+  String getReference(String registryName = RED_HAT_REGISTRY) {
+    def repoName = extractRedHatRepoName(baseImage, registryName)
+    def dockerImageId = dockerImageHelper.getImageId(baseImage)
+    if (repoName == null || dockerImageId == null) {
+      return null
+    }
+
+    def imageId = getRedHatImageId(dockerImageId)
+    def repoId = getRedHatRepoId(repoName, registryName)
+    if (imageId == null || repoId == null) {
+      def imageDigest = dockerImageHelper.getImageFirstRepoDigest(baseImage)
+      return imageDigest
+    }
+
+    def imageArch = dockerImageHelper.getImageArchitecture(baseImage)
+    if (imageArch != null) {
+      return "https://catalog.redhat.com/software/containers/${repoName}/${repoId}?architecture=${imageArch}&image=${imageId}"
+    }
+    else {
+      return "https://catalog.redhat.com/software/containers/${repoName}/${repoId}?image=${imageId}"
+    }
+  }
+
+  private static extractRedHatRepoName(baseImage, registryName) {
+    if (!baseImage.contains(registryName)) {
+      return null
+    }
+    def repositoryRegex = "${registryName}\\/(.*)"
+    def repository = (baseImage =~ repositoryRegex)[0][1]
+    return repository
+  }
+
+  private getRedHatImageId(dockerImageId) {
+    def imageSearchUrl =
+        "https://catalog.redhat.com/api/containers/v1/images?filter=docker_image_id==\"${dockerImageId}\""
+    def imageId = steps.sh(
+        script: "curl -s -L ${imageSearchUrl} | jq -r '.data[0]._id' ",
+        returnStdout: true
+    ).trim()
+
+    return imageId == "null" ? null : imageId
+  }
+
+  private getRedHatRepoId(repoName, registryName) {
+    def repoSearchUrl =
+        "https://catalog.redhat.com/api/containers/v1/repositories/registry/${registryName}/repository/${repoName}"
+    def repoId = steps.sh(
+        script: "curl -s -L ${repoSearchUrl} | jq -r '._id' ",
+        returnStdout: true
+    ).trim()
+
+    return repoId == "null" ? null : repoId
+  }
+}
+
+class DockerImageHelper
+{
+  private steps
+
+  DockerImageHelper(steps) {
+    this.steps = steps
+  }
+
+  def getImageId(baseImage) {
+    pullImage(baseImage)
+    def dockerImageId = steps.sh(
+        script: "docker image inspect ${baseImage} | jq -r '.[0].Id' ",
+        returnStdout: true
+    ).trim()
+    return dockerImageId == "null" ? null : dockerImageId
+  }
+
+  def getImageArchitecture(baseImage) {
+    pullImage(baseImage)
+    def imageArch = steps.sh(
+        script: "docker image inspect ${baseImage} | jq -r '.[0].Architecture' ",
+        returnStdout: true
+    ).trim()
+    return imageArch == "null" ? null : imageArch
+  }
+
+  def getImageFirstRepoDigest(baseImage) {
+    pullImage(baseImage)
+    def imageDigest = steps.sh(
+        script: "docker image inspect ${baseImage} | jq -r '.[0].RepoDigests[0]'",
+        returnStdout: true
+    ).trim()
+    return imageDigest == "null" ? null : imageDigest
+  }
+
+  private def pullImage(baseImage) {
+    if (!isPulled(baseImage)) {
+      steps.sh("docker pull ${baseImage}")
+    }
+  }
+
+  private def isPulled(baseImage) {
+    def status = steps.sh(
+        script: "docker image inspect ${baseImage} 1> /dev/null",
+        returnStatus: true
+    )
+    return status == 0
+  }
+}
+
+static BaseImageReference build(steps, String baseImage) {
+  def dockerHelper = new DockerImageHelper(steps)
+
+  if (baseImage.contains(RedHatBaseImageReference.RED_HAT_REGISTRY)) {
+    return new RedHatBaseImageReference(baseImage, dockerHelper, steps)
+  }
+  else {
+    return new DefaultBaseImageReference(baseImage, dockerHelper)
+  }
+}
+
+return this

spec/Dockerfile_spec.rb

@@ -37,8 +37,22 @@ describe 'Dockerfile' do
     expect(user('nexus')).to exist
   end
 
-  it 'should have a nexus process running' do
-    expect(process('java')).to be_running
-    expect(process('java')).to have_attributes(:user => 'nexus')
+  describe 'Dockerfile#running' do
+    before(:all) do
+      @container = Docker::Container.create(
+        'Image' => @image.id
+      )
+      @container.start
+    end
+
+    it 'should have a nexus process running' do
+      expect(process('java')).to be_running
+      expect(process('java')).to have_attributes(user: 'nexus')
+    end
+
+    after(:all) do
+      @container.kill
+      @container.delete(force: true)
+    end
   end
 end