Proposal: mandatory versioning metadata for modules

[Sean Mullan]

On 10/25/12 7:29 AM, Alan Bateman wrote:
> On 25/10/2012 06:03, David Jorm wrote:
>> Hi All
>>
>> I am currently working on a system for tracking JAR files that expose known security flaws, identifying them by checksums or metadata. In short, both of these mechanisms have shortcomings. Checksums of JAR files provide zero false positives, but have huge scope for false negatives. Whenever a JAR is re-compiled, bits in the JAR change and the checksum changes. Metadata is unreliable, as META-INF/MANIFEST.MF does not require the inclusion of title and version elements. A more detailed overview is available here [0]. To give an example of the problem I'm attempting to solve, Spring 2.5.6 exposes a remote code execution flaw. It is fixed in Spring 2.5.6.SEC01. I want to be able to distinguish between 2.5.6 and 2.5.6.SEC01 to identify whether a system is deploying the vulnerable JAR. I can't
>> just use a checksum of the file, because if anyone recompiles it, bits change. I also can't rely on the MANIFEST.MF, because it may or may not include any version data; it may not even identify the title of the component as "Spring".
>>
>> The Jigsaw project offers a great opportunity to solve this problem. However, I note in the documentation [1]:
>>
>> "A /module/ is a collection of Java types (/i.e./, classes and interfaces) with a name, an optional version number, and a formal description of its relationships to other modules."
>>
>> The problem here is "optional" version number. What I'm trying to achieve is mandatory minimal version metadata. What do people think about making version number a requirement for Jigsaw modules? Would that be feasible and if so would it be desirable?
>>
>> Thanks
> I could imagine module repositories having policies to require all 
> modules hosted in the repository to have a version number.
> 
> On blacklisting JAR files then just an FYI that Sun/Oracle's JDK has had 
> support for blacklisting of signed JAR files [1] for some time (this is 
> pluging/webstart so I can't point to you something in OpenJDK). Jigsaw 
> already has signed modules, I could imagine in time having blacklisting 
> of signed modules too.

Yes, and a Jigsaw blacklisting feature would likely be more flexible than the
current signed JAR blacklisting mechanism Alan mentioned, which is based on the
hash of the Manifest, so each JAR needs to be individually blacklisted. I could
imagine providing the capability to blacklist several modules at once based on
version ranges, etc.

--Sean

> 
> -Alan.
> 
> [1] 
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/blacklistfeature.html
>