From b7cadc52d2db0c45c4a12241df2f2967f2267453 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 30 Apr 2024 01:02:23 -0700 Subject: [PATCH 1/7] [StepSecurity] Apply security best practices (#3775) * [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot * Update codeql.yml --------- Signed-off-by: StepSecurity Bot Co-authored-by: George Adams --- .github/workflows/build-autotriage.yml | 3 + .github/workflows/codeql.yml | 86 ++++++++++++++++++++++++++ .github/workflows/comment-bot.yml | 3 + .github/workflows/labeler.yml | 3 + .github/workflows/signsbom.yml | 3 + .github/workflows/testsbom.yml | 3 + 6 files changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/build-autotriage.yml b/.github/workflows/build-autotriage.yml index 493e35f03..3f57adfc2 100644 --- a/.github/workflows/build-autotriage.yml +++ b/.github/workflows/build-autotriage.yml @@ -22,6 +22,9 @@ on: env: TRIAGE_SCRIPT: "tooling/build_autotriage/build_autotriage.sh" +permissions: + contents: read + jobs: autotriage: permissions: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..fc185dcc5 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,86 @@ +# ******************************************************************************** +# Copyright (c) 2021 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/comment-bot.yml b/.github/workflows/comment-bot.yml index d8e3d3eff..43f066a55 100644 --- a/.github/workflows/comment-bot.yml +++ b/.github/workflows/comment-bot.yml @@ -17,6 +17,9 @@ on: pull_request_target: types: [ opened ] +permissions: + contents: read + jobs: comment: permissions: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index c328a846b..383db66df 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -19,6 +19,9 @@ on: issues: issue_comment: +permissions: + contents: read + jobs: label: permissions: 
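Review bot: The `language` matrix in the new codeql.yml is `["java"]` only, while every source file touched elsewhere in this patch series is shell or YAML, so it is worth confirming the tree actually contains Java before merging — if it does not, the Autobuild and analyze steps produce an empty scan that still shows as a passing scheduled job. The template's own `# ******** NOTE ********` block asks for exactly this check and could be replaced once done. If Java is present, record where it lives next to the matrix, e.g. `# java: <path to the Java sources in this repo>`, so the next person does not have to repeat the investigation.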
diff --git a/.github/workflows/signsbom.yml b/.github/workflows/signsbom.yml index 1247e6562..1ba9b3ec5 100644 --- a/.github/workflows/signsbom.yml +++ b/.github/workflows/signsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_sign: name: sign_sbom diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testsbom.yml index 25ae42d76..f6825c06b 100644 --- a/.github/workflows/testsbom.yml +++ b/.github/workflows/testsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_gen: name: gen_sbom From 2663a0a9f41b1a1137449e347752ed006b4f60a6 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Tue, 30 Apr 2024 09:58:15 +0100 Subject: [PATCH 2/7] update SBOM validator for April 2024 (#3771) Signed-off-by: Stewart X Addison --- tooling/release_download_test.sh | 2 +- tooling/validateSBOMcontent.sh | 23 +++++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/tooling/release_download_test.sh b/tooling/release_download_test.sh index 12186a882..32cbb40e7 100755 --- a/tooling/release_download_test.sh +++ b/tooling/release_download_test.sh @@ -344,7 +344,7 @@ verify_gcc_version() { # shellcheck disable=SC2166 [ "${MAJOR_VERSION}" = "8" -o "${MAJOR_VERSION}" = "11" ] && expected_gcc=7.5.0 [ "${MAJOR_VERSION}" = "17" ] && expected_gcc=10.3.0 - [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.2.0 + [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.3.0 if ! strings tarballtest/bin/java | grep "^GCC:.*${expected_gcc}"; then print_error "GCC version detected in the JDK java executable is not the expected ${expected_gcc}" 
diff --git a/tooling/validateSBOMcontent.sh b/tooling/validateSBOMcontent.sh index 9c3b6a874..56e98c6f6 100755 --- a/tooling/validateSBOMcontent.sh +++ b/tooling/validateSBOMcontent.sh @@ -41,7 +41,11 @@ if echo "$SBOMFILE" | grep _solaris_; then EXPECTED_COMPILER="solstudio (Oracle Solaris Studio)" elif echo "$SBOMFILE" | grep _aix_; then EXPECTED_COMPILER="xlc (IBM XL C/C++)" - EXPECTED_FREETYPE=2.8.0 + if [ "$MAJORVERSION" -lt 17 ]; then + EXPECTED_FREETYPE=2.8.0 + else + EXPECTED_FREETYPE=2.13.2 # Bundled version + fi elif echo "$SBOMFILE" | grep _alpine-linux_ > /dev/null; then EXPECTED_FREETYPE=2.11.1 EXPECTED_ALSA=1.1.6 @@ -61,8 +65,12 @@ elif echo "$SBOMFILE" | grep _linux_; then [ "${MAJORVERSION}" = "8" ] && EXPECTED_GCC=7.5.0 [ "${MAJORVERSION}" = "11" ] && EXPECTED_GCC=7.5.0 [ "${MAJORVERSION}" = "17" ] && EXPECTED_GCC=10.3.0 - [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.2.0 && EXPECTED_FREETYPE=Unknown + [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.3.0 && EXPECTED_FREETYPE=Unknown EXPECTED_ALSA=1.1.6 + if echo "$SBOMFILE" | grep _riscv64_ > /dev/null; then + EXPECTED_GCC=10.5.0 # No devkit yet so default in Ubuntu 20.04 + EXPECTED_GLIBC=2.31 + fi #elif echo $SBOMFILE | grep _mac_; then # EXPECTED_COMPILER="clang (clang/LLVM from Xcode 10.3)" elif echo "$SBOMFILE" | grep _x64_windows_; then @@ -73,10 +81,10 @@ elif echo "$SBOMFILE" | grep _x64_windows_; then EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2022)" else # JDK11 and 17 EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2019)" - EXPECTED_FREETYPE=Unknown + EXPECTED_FREETYPE=2.13.2 # Bundled version fi elif echo "$SBOMFILE" | grep _x86-32_windows_; then - EXPECTED_FREETYPE=Unknown + EXPECTED_FREETYPE=2.13.2 # Bundled version if [ "${MAJORVERSION}" = "8" ]; then EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2013)" EXPECTED_FREETYPE=2.5.3 
@@ -87,8 +95,8 @@ elif echo "$SBOMFILE" | grep _x86-32_windows_; then fi elif echo "$SBOMFILE" | grep _mac_; then # NOTE: mac/x64 native builds >=11 were using "clang (clang/LLVM from Xcode 10.3)" - EXPECTED_FREETYPE=Unknown - EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.0.1)" + EXPECTED_FREETYPE=2.13.2 # Bundled version + EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.2)" # shellcheck disable=SC2166 if [ "${MAJORVERSION}" = "8" ] && echo "$SBOMFILE" | grep _x64_; then EXPECTED_COMPILER="clang (clang/LLVM)" @@ -96,8 +104,7 @@ elif echo "$SBOMFILE" | grep _mac_; then fi fi -[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=Unknown - +[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=2.13.2 # Bundled version RC=0 if echo "$SBOMFILE" | grep 'linux_'; then From bc0709af8a0c9373eadfe876bc56e5769230fd42 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Tue, 30 Apr 2024 18:26:29 +0100 Subject: [PATCH 3/7] Improve security by adding checksum validation to downloads. (#3781) * Improve security by adding checksum validation to downloads. * Fix sha check on windows. --- .azure-devops/build/steps/windows/before.yml | 14 ++++-- .github/workflows/build.yml | 32 +++++++++++-- .../platform-specific-configurations/linux.sh | 36 +++++++++++++-- docker/buildDocker.sh | 7 +++ .../reproducible/linux_repro_build_compare.sh | 45 ++++++++++++++----- 5 files changed, 114 insertions(+), 20 deletions(-) diff --git a/.azure-devops/build/steps/windows/before.yml b/.azure-devops/build/steps/windows/before.yml index ce3f16219..39bf5ecb7 100644 --- a/.azure-devops/build/steps/windows/before.yml +++ b/.azure-devops/build/steps/windows/before.yml 
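Review bot: The literal `EXPECTED_FREETYPE=2.13.2 # Bundled version` is now written out in five places across this file's hunks (the aix branch, both windows branches, the mac branch and the trailing `-ge 20` line), and the GCC bump to `11.3.0` is duplicated between this file and `tooling/release_download_test.sh` in the same commit, so the next bump has a six-edit blast radius and a missed edit silently weakens the SBOM check. A single `BUNDLED_FREETYPE=2.13.2` near the top of the script, referenced from each branch, keeps the table in one place. The final `[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=2.13.2` line also overrides whatever the platform branches set, which is only correct while the bundled version is identical everywhere; a one-line comment stating that assumption would help the next editor.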
@@ -46,9 +46,17 @@ steps: # install cygwin and build dependencies - powershell: | $ProgressPreference = 'SilentlyContinue'; - Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe'; - Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64'; - displayName: "[Windows Before] download and install Cygwin" + $DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe"; + $DownloadUrl = 'https://cygwin.com/setup-x86_64.exe'; + $ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8'; + Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile; + + # Calculate SHA256 checksum of the downloaded file + $DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash; + + # Compare calculated checksum with the expected checksum + if ($DownloadedChecksum -eq $ExpectedChecksum) { + Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site # add cygwin bin to PATH - script: | diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ea5b0a8e..72133a9a8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -162,7 +162,7 @@ jobs: rm /usr/local/bin/python3-config || true rm /usr/local/bin/python3.11-config || true rm /usr/local/bin/python3.12-config || true - + - name: Install Dependencies run: | brew install automake bash binutils freetype gnu-sed nasm 
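Review bot: The added checksum gate has no failure branch visible in this hunk — `if ($DownloadedChecksum -eq $ExpectedChecksum) { Start-Process ... }` runs the installer on a match, but the `Start-Process` line is cut off in this rendering and no `else` appears before the `# add cygwin bin to PATH` context, so if the remainder of the hunk does not add one, a mismatch silently skips the Cygwin install and the job fails later with an unrelated error. Add `else { Write-Error "cygwin.exe checksum mismatch: expected $ExpectedChecksum got $DownloadedChecksum"; exit 1 }` so the step fails at the point of the problem. Note also that `https://cygwin.com/setup-x86_64.exe` is an unversioned URL, so the pinned digest will stop matching on every upstream setup release; that is the intended fail-closed behaviour, but a comment recording its provenance, `# sha256 of setup-x86_64.exe as published on <date/version>`, will save the next person a guess.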
@@ -173,7 +173,7 @@ jobs: java-version: 7 distribution: 'zulu' if: matrix.version.name == 'jdk8u' - + - name: Select correct Xcode (JDK8) if: matrix.version.name == 'jdk8u' run: | @@ -206,7 +206,7 @@ jobs: TARGET_OS: mac FILENAME: OpenJDK.tar.gz JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }} - + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 name: Collect and Archive Artifacts with: @@ -328,6 +328,19 @@ jobs: curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe" if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Verify Download Of Visual Studio 2017 + shell: powershell + run: | + $expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Install Visual Studio 2017 if: matrix.version == 'jdk8u' run: 
> @@ -343,6 +356,19 @@ jobs: curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe" if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Verify Download Of Visual Studio 2019 + shell: powershell + run: | + $expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Install Visual Studio 2019 if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u' run: > diff --git a/build-farm/platform-specific-configurations/linux.sh b/build-farm/platform-specific-configurations/linux.sh index dca182588..104d1a3e0 100755 --- a/build-farm/platform-specific-configurations/linux.sh +++ b/build-farm/platform-specific-configurations/linux.sh 
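Review bot: The new `Verify Download Of Visual Studio 2017` step carries `if: steps.vs2017.outputs.cache-hit != 'true'`, but the `Install Visual Studio 2017` step below it is gated only on `matrix.version == 'jdk8u'`, so on a cache hit `$HOME/vs2017.exe` is installed without ever being hashed — the verification protects the first download, not the cached copy every later run uses. The `Verify Download Of Visual Studio 2019` hunk that follows has the same gap. Since `Get-FileHash` on one file is cheap, drop the `cache-hit` condition from both verify steps (keeping the `matrix.version` part) so the check runs on whatever file is about to be installed. Minor style: the steps mix `echo` and `Write-Output`; pick one.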
@@ -51,14 +51,44 @@ function locateDragonwell8BootJDK() else echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ... mkdir -p "$PWD/jdk-8" + # if [ "$(uname -m)" = "x86_64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # elif [ "$(uname -m)" = "aarch64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # else + # echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" + # exit 1 + # fi + ## Secure Dragonwell Downloads By Validating Checksums if [ "$(uname -m)" = "x86_64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" + EXPECTED_SHA256="E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd" elif [ "$(uname -m)" = "aarch64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" + EXPECTED_SHA256="ff0594f36d13883972ca0b302d35cca5099f10b8be54c70c091f626e4e308774" else echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" exit 1 fi + # Download the file and calculate its SHA256 checksum + TMP_FILE=$(mktemp) + curl -L "$DOWNLOAD_URL" -o "$TMP_FILE" + + # Calculate the SHA256 
checksum of the downloaded file + ACTUAL_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}') + + # Compare the actual and expected SHA256 checksums + if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then + echo "Checksum verification failed for downloaded file!" + rm "$TMP_FILE" + exit 1 + fi + + # Extract the downloaded file + tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8" + + # Clean up the temporary file + rm "$TMP_FILE" export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8" fi } @@ -333,7 +363,7 @@ if [[ "${CONFIGURE_ARGS}" =~ .*"--with-devkit=".* ]]; then echo "Using gcc from DevKit toolchain specified in configure args" elif [[ "${BUILD_ARGS}" =~ .*"--use-adoptium-devkit".* ]]; then echo "Using gcc from Adoptium DevKit toolchain specified in --use-adoptium-devkit build args" -else +else if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION" -eq 11 ] && [ -r /usr/local/gcc9/ ] && [ "${ARCHITECTURE}" == "aarch64" ]; then # GCC9 rather than 10 requested by Alibaba for now # Ref https://github.com/adoptium/temurin-build/issues/2250#issuecomment-732958466 diff --git a/docker/buildDocker.sh b/docker/buildDocker.sh index 5740d931c..4b23447b8 100755 --- a/docker/buildDocker.sh +++ b/docker/buildDocker.sh @@ -129,6 +129,13 @@ useEclipseOpenJ9DockerFiles() mkdir -p "$dockerfileDir" cd "$dockerfileDir" || { echo "Dockerfile directory ($dockerfileDir) was not found"; exit 3; } getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh mkdocker.sh + MKDOCK_SHA="a09a00c2beb9c53985b4c3ed6fb62825d90808775941ab56417bef75a575be55" + mkd_downloaded_sha=$(sha256sum mkdocker.sh | awk '{print $1}') + if [ "$mkd_downloaded_sha" != "$MKDOCK_SHA" ]; then + echo "ERROR: SHA256 checksum mismatch for mkdocker.sh" + exit 1 + fi + chmod +x mkdocker.sh # Generate an Ubuntu1804 Dockerfile using mkdocker.sh "$dockerfileDir/mkdocker.sh" --dist=ubuntu --version=18 --print >> "$dockerfileDir/Dockerfile" 
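Review bot: The x86_64 `EXPECTED_SHA256` in the Dragonwell hunk, `"E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd"`, is 65 characters long and begins with an uppercase `E`, whereas `sha256sum` prints 64 lowercase hex digits, so `[ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]` can never be false on x86_64 and every Dragonwell 8 boot-JDK download on that architecture will `exit 1`; the aarch64 value is a well-formed 64-character digest. Re-derive the digest from the published x86_64 tarball and replace the literal with the correct lowercase 64-character value, `EXPECTED_SHA256="<sha256 of Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz>"`. The eight commented-out lines reproducing the old `curl | tar` block should be deleted rather than kept as dead code, since git history already has them. The `-else` / `+else ` change in the `@@ -333,7 +363,7` hunk only adds trailing whitespace and looks accidental.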
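Review bot: `MKDOCK_SHA` pins the digest of a file fetched from `https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh`, i.e. from a moving branch, so the check will start failing on the next upstream edit to that script and the path of least resistance will be to bump the hash without reading the diff. Fetching the file at a fixed commit (replace `master` in the URL with the commit whose content hashes to `MKDOCK_SHA`) makes the pin self-describing and lets hash and ref be reviewed together. On mismatch the script exits but leaves the unverified `mkdocker.sh` in `$dockerfileDir`; `rm -f mkdocker.sh` before `exit 1` avoids a later run picking it up. `useEclipseOpenJ9DockerFiles` continues outside the hunk.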
diff --git a/tooling/reproducible/linux_repro_build_compare.sh b/tooling/reproducible/linux_repro_build_compare.sh index b25407e9a..7651ac753 100755 --- a/tooling/reproducible/linux_repro_build_compare.sh +++ b/tooling/reproducible/linux_repro_build_compare.sh @@ -21,7 +21,9 @@ set -e SBOM_PARAM=$1 JDK_PARAM=$2 ANT_VERSION=1.10.5 +ANT_SHA=9028e2fc64491cca0f991acc09b06ee7fe644afe41d1d6caf72702ca25c4613c ANT_CONTRIB_VERSION=1.0b3 +ANT_CONTRIB_SHA=4d93e07ae6479049bb28071b069b7107322adaee5b70016674a0bffd4aac47f9 isJdkDir=false installPrereqs() { @@ -31,8 +33,17 @@ installPrereqs() { yum install -y git bzip2 xz openssl pigz which jq # pigz/which not strictly needed but help in final compression if grep -i release.6 /etc/redhat-release; then if [ ! -r /usr/local/bin/autoconf ]; then - curl https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz | tar xpfz - || exit 1 - (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + curl --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz + ACSHA256=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969 + ACCHKSHA=$(sha256sum ./autoconf-2.69.tar.gz|cut -d" " -f1) + if [ "$ACSHA256" = "$ACCHKSHA" ]; then + echo "Hi" + tar xpfz ./autoconf-2.69.tar.gz || exit 1 + (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + else + echo "ERROR - Checksum For AutoConf Download Is Incorrect" + exit 1; + fi fi fi fi 
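Review bot: `echo "Hi"` inside the autoconf checksum-match branch is a leftover debug print and should be removed. The mismatch branch ends with `exit 1;`, where the stray semicolon is harmless but inconsistent with the rest of the file. `curl --output ./autoconf-2.69.tar.gz ...` is run without `--fail`, so an HTTP error page is written to disk and only rejected by the checksum — fail-closed, but `curl --fail --output ...` would produce a clearer error than "Checksum For AutoConf Download Is Incorrect"; the same applies to both `curl` calls in the `downloadAnt` hunk that follows. `installPrereqs` starts before this hunk.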
@@ -40,15 +51,27 @@ installPrereqs() { # ant required for --create-sbom downloadAnt() { - if [ ! -r /usr/local/apache-ant-${ANT_VERSION}/bin/ant ]; then - echo Downloading ant for SBOM creation: - curl https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip > /tmp/apache-ant-${ANT_VERSION}-bin.zip - (cd /usr/local && unzip -qn /tmp/apache-ant-${ANT_VERSION}-bin.zip) - rm /tmp/apache-ant-${ANT_VERSION}-bin.zip - echo Downloading ant-contrib-${ANT_CONTRIB_VERSION}: - curl -L https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip > /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip - (unzip -qnj /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar -d /usr/local/apache-ant-${ANT_VERSION}/lib) - rm /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip + if [ ! -r "/usr/local/apache-ant-${ANT_VERSION}/bin/ant" ]; then + echo "Downloading ant for SBOM creation..." + curl -o "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip" + ANTCHKSHA=$(sha256sum "/tmp/apache-ant-${ANT_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_SHA" = "$ANTCHKSHA" ]; then + (cd /usr/local && unzip -qn "/tmp/apache-ant-${ANT_VERSION}-bin.zip") + rm "/tmp/apache-ant-${ANT_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant download is incorrect" + exit 1 + fi + echo "Downloading ant-contrib-${ANT_CONTRIB_VERSION}..." 
+ curl -Lo "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + ANTCTRCHKSHA=$(sha256sum "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_CONTRIB_SHA" = "$ANTCTRCHKSHA" ]; then + (unzip -qnj "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar" -d "/usr/local/apache-ant-${ANT_VERSION}/lib") + rm "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant Contrib download is incorrect" + exit 1 + fi fi } From 48a734dfd4db848ac3b7c2ad50e138df7e7ffc59 Mon Sep 17 00:00:00 2001 From: judovana Date: Wed, 1 May 2024 12:14:26 +0200 Subject: [PATCH 4/7] making local alsa properly optional (#3756) * Fixed issue when downloaded alsa was used only for jdk8 * Made download (and its usage) of alsa optional * Update sbin/prepareWorkspace.sh Co-authored-by: Martijn Verburg * s/skip/Skip in makejdk-any-platform.1 Co-authored-by: Martijn Verburg --------- Co-authored-by: Martijn Verburg --- makejdk-any-platform.1 | 6 ++++++ sbin/build.sh | 10 +++++++++- sbin/common/config_init.sh | 7 ++++++- sbin/prepareWorkspace.sh | 9 ++++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/makejdk-any-platform.1 b/makejdk-any-platform.1 index 8b840d957..a052497ff 100755 --- a/makejdk-any-platform.1 +++ b/makejdk-any-platform.1 
@@ -48,6 +48,12 @@ Build JDK (tip), defaults to https://github.com/adoptium/jdk .SH OPTIONS .TP +.BR \-A ", " \-\-skip-alsa +Skip downloading of alsa automatically. +If you do so, the underlying configure will detect system lib and headers. +If you wish to point to some custom build/install pass it via \fI\-C, \-\-configure-args \fR +Presence of \-\-with-alsa in \-\-configure-args will also not include freshly installed alsa to build. +.TP .BR \-b ", " \-\-branch " " \fI\fR specify a custom branch to build from, e.g. dev. For reference, Adoptium GitHub source repos default to the \fI\fR diff --git a/sbin/build.sh b/sbin/build.sh index a11cc6476..172ede760 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -479,7 +479,6 @@ buildingTheRestOfTheConfigParameters() { if [ "${BUILD_CONFIG[OPENJDK_CORE_VERSION]}" == "${JDK8_CORE_VERSION}" ]; then addConfigureArg "--with-x=" "/usr/include/X11" - addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa" fi } @@ -505,6 +504,14 @@ configureDebugParameters() { fi } +configureAlsaLocation() { + if [[ ! "${CONFIGURE_ARGS}" =~ "--with-alsa" ]]; then + if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then + addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa" + fi + fi +} + configureFreetypeLocation() { if [[ ! "${CONFIGURE_ARGS}" =~ "--with-freetype" ]]; then if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then @@ -551,6 +558,7 @@ configureCommandParameters() { else echo "Building up the configure command..." buildingTheRestOfTheConfigParameters + configureAlsaLocation fi echo "Adjust configure for reproducible build" diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh index fbe3f15f2..79884278a 100755 --- a/sbin/common/config_init.sh +++ b/sbin/common/config_init.sh @@ -31,6 +31,7 @@ CONFIG_PARAMS=( ADOPTIUM_DEVKIT_LOCATION ADOPT_PATCHES +ALSA ASSEMBLE_EXPLODED_IMAGE OPENJDK_BUILD_REPO_BRANCH OPENJDK_BUILD_REPO_URI 
@@ -297,6 +298,9 @@ function parseConfigurationArguments() { "--skip-freetype" | "-F" ) BUILD_CONFIG[FREETYPE]=false;; + "--skip-alsa" | "-A" ) + BUILD_CONFIG[ALSA]=false;; + "--help" | "-h" ) man ./makejdk-any-platform.1 && exit 0;; @@ -477,7 +481,8 @@ function configDefaults() { BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JDK_FLAG]="false" BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JRE_FLAG]="false" - BUILD_CONFIG[FREETYPE]=true + BUILD_CONFIG[ALSA]="true" + BUILD_CONFIG[FREETYPE]="true" BUILD_CONFIG[FREETYPE_DIRECTORY]="" BUILD_CONFIG[FREETYPE_FONT_VERSION]="86bc8a95056c97a810986434a3f268cbe67f2902" # 2.9.1 BUILD_CONFIG[FREETYPE_FONT_BUILD_TYPE_PARAM]="" diff --git a/sbin/prepareWorkspace.sh b/sbin/prepareWorkspace.sh index 38738f5c2..d2ad91dc8 100644 --- a/sbin/prepareWorkspace.sh +++ b/sbin/prepareWorkspace.sh @@ -314,6 +314,7 @@ createWorkspace() { # ALSA first for sound checkingAndDownloadingAlsa() { + cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit echo "Checking for ALSA" @@ -667,7 +668,13 @@ downloadingRequiredDependencies() { echo "Non-Linux-based environment detected, skipping download of dependency Alsa." else echo "Checking and downloading Alsa dependency because OSTYPE=\"${OSTYPE}\"" - checkingAndDownloadingAlsa + if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then + checkingAndDownloadingAlsa + else + echo "" + echo "---> Skipping the process of checking and downloading the Alsa dependency, a pre-built version should be provided via -C/--configure-args <---" + echo "" + fi fi if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then From 6aa6c942d0b3ba640f4262808c571c5210229b09 Mon Sep 17 00:00:00 2001 
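Review bot: The added `cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit` at the top of `checkingAndDownloadingAlsa` in the prepareWorkspace.sh hunk changes the working directory of the calling shell for everything that runs after the function returns, unless the rest of the function (outside the hunk) already ends with a matching `cd` back. Running the body in a subshell or using `pushd`/`popd` keeps the side effect local, and giving `exit` an explicit status and message, `|| { echo "libs directory missing"; exit 1; }`, makes a missing `libs/` diagnosable. In the `downloadingRequiredDependencies` hunk, a short comment above the new `if` pointing at `configureAlsaLocation` in `sbin/build.sh` would tie the skip message about `-C/--configure-args` to the code that honours it.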
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 2 May 2024 14:56:05 +0100 Subject: [PATCH 5/7] Github: Add Semgrep Check On Pull Request (#3688) * Add Semgrep Diff GHA * Create .semgrepignore * Use centralised GHA workflow --------- Co-authored-by: Martijn Verburg --- .github/workflows/semgrep_diff.yml | 8 ++++++++ .semgrepignore | 1 + 2 files changed, 9 insertions(+) create mode 100644 .github/workflows/semgrep_diff.yml create mode 100644 .semgrepignore diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml new file mode 100644 index 000000000..cb5f22881 --- /dev/null +++ b/.github/workflows/semgrep_diff.yml @@ -0,0 +1,8 @@ +--- +name: Semgrep Differential Scan +on: + pull_request: + +jobs: + semgrep-diff: + uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/.semgrepignore @@ -0,0 +1 @@ + From a0b6241a71ed2e28d3a4d4ac99bebdd405dd9b35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 11:13:24 +0100 Subject: [PATCH 6/7] build(deps): bump github/codeql-action from 2.25.3 to 3.25.3 (#3779) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.25.3 to 3.25.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2.25.3...d39d31e687223d841ef683f52467bd88e9b21c14) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... 
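Review bot: The new semgrep_diff.yml has no top-level `permissions:` block, unlike the workflows the first patch in this series hardened with `permissions: contents: read`; a reusable workflow runs with the caller's token, so add `permissions: contents: read` (plus whatever the called workflow documents it needs) to keep the default-token scope minimal. `uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main` references a mutable branch rather than a commit SHA, which is inconsistent with the SHA-pinned `uses:` lines in codeql.yml and will be flagged by the scorecard Pinned-Dependencies check; if tracking the org's shared workflow is intentional, say so, e.g. `# intentionally tracks main: maintained centrally in adoptium/.github`.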
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Martijn Verburg --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/ossf-scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fc185dcc5..ca1ba173f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,7 +58,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -68,7 +68,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -81,6 +81,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 2aabc3233..8529c0fb9 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml 
@@ -46,6 +46,6 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v2.13.4 with: sarif_file: results.sarif From 9982cfef4b761e27cf3b50f42d850bfcdf82f08d Mon Sep 17 00:00:00 2001 From: judovana Date: Sun, 5 May 2024 21:58:13 +0200 Subject: [PATCH 7/7] Making grep -q -e -e usable on solaris (#3788) * Making grep -q -e -e usable on solaris replacing -q by /dev/null repalcing double -e by two greps * Merged the two expressions to single regex * Revert "Merged the two expressions to single regex" This reverts commit 8695cbc1ac639c9d86e94b87d68616718a7fee20. * Added comment for future people who wish to make the regex and if nicer * language changes fixes in common.sh Co-authored-by: Martijn Verburg --------- Co-authored-by: Martijn Verburg --- sbin/common/common.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sbin/common/common.sh b/sbin/common/common.sh index 45c6ce585..0fbcca594 100755 --- a/sbin/common/common.sh +++ b/sbin/common/common.sh 
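Review bot: The trailing comment on the bumped line, `# v2.13.4`, no longer matches the SHA `d39d31e687223d841ef683f52467bd88e9b21c14`, which the codeql.yml hunks in the same commit label `# v3.25.3`; anyone auditing the pins by the comment will read a wrong version, and pin-update tooling keys off that comment. Change the line to `- uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3`.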
@@ -20,9 +20,12 @@ function setOpenJdkVersion() { # The argument passed here have actually very strict format of jdk8, jdk8u..., jdk # the build may fail later if this is not honoured. # If your repository has a different name, you can use --version or build from dir/snapshot - local forest_name_check=0 - echo "$forest_name" | grep -q -e "^jdk$" -e "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" || forest_name_check=$? - if [ ${forest_name_check} -ne 0 ]; then + local forest_name_check1=0 + local forest_name_check2=0 + # This two returns condition is there to make grep on solaris happy. -e, -q and \( and \| do not work on that platform + echo "$forest_name" | grep "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" >/dev/null || forest_name_check1=$? + echo "$forest_name" | grep "^jdk$" >/dev/null || forest_name_check2=$? + if [ ${forest_name_check1} -ne 0 ] && [ ${forest_name_check2} -ne 0 ]; then echo "The mandatory repo argument has a very strict format 'jdk[0-9]{1,3}[u]{0,1}' or just plain 'jdk' for tip. '$forest_name' does not match." echo "This can be worked around by using '--version jdkXYu'. If set (and matching) then the main argument can have any value." exit 1
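Review bot: The explanatory comment in the new code reads awkwardly and does not say why a single regex was not used; suggest `# Two separate greps and exit codes: Solaris grep does not support -q, multiple -e, or \( \| \) alternation, so the two patterns cannot be combined.` (the commit message records that the combined-regex attempt was reverted). A `grep` that fails for a reason other than no-match exits 2 and is treated here the same as no-match, which is the safe direction for an input-validation check. `setOpenJdkVersion` starts before this hunk.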