RFR: 8264010: Add Gradle dependency verification [v3]

John Neffenger jgneff at openjdk.java.net
Wed Apr 14 05:06:02 UTC 2021 

On Wed, 14 Apr 2021 04:32:29 GMT, John Neffenger <jgneff at openjdk.org> wrote:

>> This pull request adds dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. It is the third of three changes that close the gaps in the JavaFX build security:
>> 
>> * [JDK-8262236][1]: Configure Gradle checksum verification
>> * [JDK-8263204][2]: Add Gradle Wrapper Validation Action
>> * [JDK-8264010][3]: Add Gradle dependency verification
>> 
>> "Without dependency verification it's easy for an attacker to compromise your supply chain," warns the [Gradle User Guide][4]. All three changes come from conference talks by members of the Gradle team, available as [PDF slides][5] or on YouTube in the following two videos:
>> 
>> * [Cédric Champeau at Devoxx][6] in November 2019
>> * [Louis Jacomet at Jfokus][7] in February 2020
>> 
>> "We all run in a crazy-unsafe environment, in a way," says Louis Jacomet at the end of his talk. These three changes make it just a little less crazy-unsafe for all of us building JavaFX, regardless of our system, network, or country.
>> 
>> [1]: https://bugs.openjdk.java.net/browse/JDK-8262236
>> [2]: https://bugs.openjdk.java.net/browse/JDK-8263204
>> [3]: https://bugs.openjdk.java.net/browse/JDK-8264010
>> 
>> [4]: https://docs.gradle.org/current/userguide/dependency_verification.html
>> [5]: https://www.jfokus.se/jfokus20-preso/Protecting-your-organization-against-attacks-via-the-build-system.pdf
>> [6]: https://youtu.be/GWGNp3a3hpk
>> [7]: https://youtu.be/bwiafNatsf0
>
> John Neffenger has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - Add dependencies for media and WebKit libraries
>  - Merge branch 'master' into dependency-verification
>  - Add a README file and update 'UPDATING-lucene.txt'
>  - 8264010: Add Gradle dependency verification

There's an odd thing happening with some of the artifact names in the dependency file. For example:


<component group="" name="ffmpeg-3.3.3" version="">
    <artifact name="ffmpeg-3.3.3-.tar.gz">
        <sha256 value="6600...bf3c" origin="Generated by Gradle"/>
    </artifact>
</component>


Gradle creates the artifact name from the component name and version, separated by a hyphen. Because the version attribute is empty, we get an artifact name ending in `-.tar.gz`. It should be `ffmpeg-3.3.3.tar.gz`, but Gradle sees `-3.3.3` as part of the name. This particular name originates from:


dependencies {
    if (IS_BUILD_LIBAV_STUBS) {
        media name: "libav-9.14", ext: "tar.gz"
        media name: "libav-11.4", ext: "tar.gz"
        media name: "libav-12.1", ext: "tar.gz"
        media name: "ffmpeg-3.3.3", ext: "tar.gz"
        media name: "ffmpeg-4.0.2", ext: "tar.gz"
    }
    compile project(":base")
    compile project(":graphics")
}


Other places in the build file seem to depend on having the version as part of the name string, and my initial attempt to separate the two failed. The build works with the names as they are, and these are in fact the names of the files in the Gradle cache. Some day, though, we might want to have better component elements in the dependency file, seeing as it functions also like a software bill of materials.

-------------

PR: https://git.openjdk.java.net/jfx/pull/437

More information about the openjfx-dev mailing list