Proposal: mandatory versioning metadata for modules

Hendy Irawan hendy at soluvas.com
Wed Oct 24 22:18:42 PDT 2012 

I'm not sure what OSGi says about this, but if omitting the version number
implicitly means version 0.0.0, then whether it's optional or mandatory
*technically* doesn't matter to the module consumer.

However, practically due to human concerns, I truly support this mandatory
version requirement. Even if tooling will lax the version support (and
generate 0.0.0 anyway) there should be clear WARNING message to the module
developer when this is the case.

In your case, your modules are already versioned (Spring 2.5.6 and Spring
2.5.6.SEC01 respectively) so there shouldn't be a problem in identifying
which one.

Hendy

On Thu, Oct 25, 2012 at 12:03 PM, David Jorm <djorm at redhat.com> wrote:

> Hi All
>
> I am currently working on a system for tracking JAR files that expose
> known security flaws, identifying them by checksums or metadata. In short,
> both of these mechanisms have shortcomings. Checksums of JAR files provide
> zero false positives, but have huge scope for false negatives. Whenever a
> JAR is re-compiled, bits in the JAR change and the checksum changes.
> Metadata is unreliable, as META-INF/MANIFEST.MF does not require the
> inclusion of title and version elements. A more detailed overview is
> available here [0]. To give an example of the problem I'm attempting to
> solve, Spring 2.5.6 exposes a remote code execution flaw. It is fixed in
> Spring 2.5.6.SEC01. I want to be able to distinguish between 2.5.6 and
> 2.5.6.SEC01 to identify whether a system is deploying the vulnerable JAR. I
> can't
> just use a checksum of the file, because if anyone recompiles it, bits
> change. I also can't rely on the MANIFEST.MF, because it may or may not
> include any version data; it may not even identify the title of the
> component as "Spring".
>
> The Jigsaw project offers a great opportunity to solve this problem.
> However, I note in the documentation [1]:
>
> "A /module/ is a collection of Java types (/i.e./, classes and interfaces)
> with a name, an optional version number, and a formal description of its
> relationships to other modules."
>
> The problem here is "optional" version number. What I'm trying to achieve
> is mandatory minimal version metadata. What do people think about making
> version number a requirement for Jigsaw modules? Would that be feasible and
> if so would it be desirable?
>
> Thanks
> --
> David Jorm / Red Hat Security Response Team
>
> [0] http://www.slideshare.net/davidjorm/tracking-vulnerable-jars
> [1] http://cr.openjdk.java.net/~mr/jigsaw/notes/jigsaw-big-picture-01
>



-- 
Hendy Irawan - on Twitter <http://twitter.com/hendybippo> - on
LinkedIn<http://id.linkedin.com/in/hendyirawan>
Web Developer | Bippo Indonesia <http://www.bippo.co.id/> | Akselerator
Bisnis | Bandung

More information about the jigsaw-dev mailing list