From 88df6b9d5c0b0c74af73b26363538b8156924bd3 Mon Sep 17 00:00:00 2001
From: Apostolos Matsagkas
Date: Wed, 1 Apr 2026 09:10:59 +0300
Subject: [PATCH] remove plexus-utils from production image due to CVE-2025-67030

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Dockerfile | 7 +++++++
 Dockerfile.wolfi | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 5f5e6a57..1b8cfa34 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,4 +19,11 @@ RUN make clean install
 # Clean up build dependencies
 RUN rm -r /home/crawleruser/.m2
 
+# Remove ruby-maven and ruby-maven-libs gems, which are only needed at build time
+# for JAR dependency resolution. This also removes the bundled plexus-utils-3.5.1.jar
+# (CVE-2025-67030) from the production image.
+RUN rm -rf /usr/local/bundle/gems/ruby-maven-* \
+ /usr/local/bundle/specifications/ruby-maven-* \
+ /usr/local/bundle/cache/ruby-maven-*
+
 ENTRYPOINT [ "/bin/bash" ]
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
index ad27fe0c..4813a9aa 100644
--- a/Dockerfile.wolfi
+++ b/Dockerfile.wolfi
@@ -52,6 +52,13 @@ RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite
 
+# Remove ruby-maven and ruby-maven-libs gems, which are only needed at build time
+# for JAR dependency resolution. This also removes the bundled plexus-utils-3.5.1.jar
+# (CVE-2025-67030) from the production image.
+RUN rm -rf /usr/local/bundle/gems/ruby-maven-* \
+ /usr/local/bundle/specifications/ruby-maven-* \
+ /usr/local/bundle/cache/ruby-maven-*
+
 # Create custom JDK using jlink
 RUN jlink \
 --add-modules java.base,jdk.crypto.ec,java.logging,java.management,java.naming,java.net.http,java.scripting,java.security.jgss,java.security.sasl,java.sql,jdk.unsupported \
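Review bot: The new `RUN rm -rf` removes the vulnerable JAR only if the gems really live under `/usr/local/bundle`; because `-f` makes unmatched globs succeed silently, a different `GEM_HOME`/`BUNDLE_PATH` or gem layout would leave plexus-utils-3.5.1.jar in place while the build still passes, so make the build fail when the JAR survives, e.g. append `&& test -z "$(find /usr/local/bundle -name 'plexus-utils-*.jar')"` (assuming `find` is available in this stage). In the Dockerfile hunk this looks like a single-stage image (it ends at `ENTRYPOINT`, and `.m2` is likewise deleted in a later layer), so the JAR's bytes remain in the earlier layer that installed the gems; only the merged filesystem a scanner inspects is clean, and the durable fix is to delete the gems in the same `RUN` that installs them or to copy the bundle into a fresh final stage. The identical change is made in the Dockerfile.wolfi hunk, whose trailing context `RUN jlink \` continues past the hunk. If ruby-maven is pinned in Gemfile.lock and the entrypoint runs under Bundler, deleting the gem's specification will make Bundler refuse to start, which is worth verifying before merging.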