diff --git a/.azure-devops/build/steps/windows/before.yml b/.azure-devops/build/steps/windows/before.yml index ce3f162190..39bf5ecb74 100644 --- a/.azure-devops/build/steps/windows/before.yml +++ b/.azure-devops/build/steps/windows/before.yml @@ -46,9 +46,17 @@ steps: # install cygwin and build dependencies - powershell: | $ProgressPreference = 'SilentlyContinue'; - Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe'; - Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64'; - displayName: "[Windows Before] download and install Cygwin" + $DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe"; + $DownloadUrl = 'https://cygwin.com/setup-x86_64.exe'; + $ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8'; + Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile; + + # Calculate SHA256 checksum of the downloaded file + $DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash; + + # Compare calculated checksum with the expected checksum + if ($DownloadedChecksum -eq $ExpectedChecksum) { + Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site # add cygwin bin to PATH - script: | diff --git a/.github/workflows/build-autotriage.yml b/.github/workflows/build-autotriage.yml index 493e35f033..3f57adfc2b 100644 --- a/.github/workflows/build-autotriage.yml 
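Review bot: The new checksum gate in the Cygwin step has no visible failure branch: when `$DownloadedChecksum` does not equal `$ExpectedChecksum` the `if` simply skips `Start-Process`, so the step exits 0 and the missing toolchain surfaces later as an unrelated build error instead of a verification failure (this rendering appears to cut the hunk off inside the `Start-Process` argument list, so an `else` may exist below the visible text; if it does, ignore this). If not, add `} else { throw "Checksum mismatch for $DownloadedFile: expected $ExpectedChecksum, got $DownloadedChecksum" }` so the job fails at the point of verification. The comparison works despite `Get-FileHash` returning uppercase hex only because PowerShell `-eq` on strings is case-insensitive; a one-line comment next to `$ExpectedChecksum` saying so would stop the next reader from "fixing" the case. Since `setup-x86_64.exe` is an unversioned URL that changes with every upstream setup release, record the setup version the digest was taken from in that same comment so the inevitable mismatch is easy to diagnose.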
+++ b/.github/workflows/build-autotriage.yml @@ -22,6 +22,9 @@ on: env: TRIAGE_SCRIPT: "tooling/build_autotriage/build_autotriage.sh" +permissions: + contents: read + jobs: autotriage: permissions: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27f9b174c5..72133a9a85 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -134,7 +134,7 @@ jobs: os: [macOS] version: [ { name: jdk8u, distro: macos-11 }, - { name: jdk11u, distro: macos-13 }, + { name: jdk11u, distro: macos-14 }, { name: jdk17u, distro: macos-14 } ] variant: [temurin] @@ -162,7 +162,7 @@ jobs: rm /usr/local/bin/python3-config || true rm /usr/local/bin/python3.11-config || true rm /usr/local/bin/python3.12-config || true - + - name: Install Dependencies run: | brew install automake bash binutils freetype gnu-sed nasm @@ -173,7 +173,7 @@ jobs: java-version: 7 distribution: 'zulu' if: matrix.version.name == 'jdk8u' - + - name: Select correct Xcode (JDK8) if: matrix.version.name == 'jdk8u' run: | @@ -184,7 +184,7 @@ jobs: if: matrix.version.name != 'jdk8u' run: | rm -rf /Applications/Xcode.app - ln -s /Applications/Xcode_15.0.1.app /Applications/Xcode.app + ln -s /Applications/Xcode_15.2.app /Applications/Xcode.app - name: Build macOS run: | @@ -206,7 +206,7 @@ jobs: TARGET_OS: mac FILENAME: OpenJDK.tar.gz JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }} - + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 name: Collect and Archive Artifacts with: 
@@ -328,6 +328,19 @@ jobs: curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe" if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Verify Download Of Visual Studio 2017 + shell: powershell + run: | + $expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Install Visual Studio 2017 if: matrix.version == 'jdk8u' run: > @@ -343,6 +356,19 @@ jobs: curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe" if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Verify Download Of Visual Studio 2019 + shell: powershell + run: | + $expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Install Visual Studio 2019 if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u' run: 
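Review bot: The new "Verify Download Of Visual Studio 2017" step only runs when `steps.vs2017.outputs.cache-hit != 'true'`, so an installer restored from the cache is passed to the install step without being hashed in this run; assuming the cache restores it to the same `$HOME/vs2017.exe` path, dropping the `cache-hit` clause from the verify step's `if:` costs milliseconds and guarantees the pinned digest is checked on both paths. `-Path $HOME/vs2017.exe` is unquoted and relies on the runner's home directory containing no spaces; `-Path "$HOME/vs2017.exe"` is the safer form. Consider emitting the mismatch message with `Write-Error` so it is not lost among the "Expect/Actual" lines when the step fails. The same three points apply to the "Verify Download Of Visual Studio 2019" step in the next hunk.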
> @@ -409,7 +435,7 @@ jobs: path: workspace/target/* - name: Restore build artifacts - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}} path: ~/${{matrix.version}}-${{matrix.os}}-${{matrix.variant}} diff --git a/.github/workflows/ca-cert-updater.yml b/.github/workflows/ca-cert-updater.yml index c07ead59fd..3a4a60085d 100644 --- a/.github/workflows/ca-cert-updater.yml +++ b/.github/workflows/ca-cert-updater.yml @@ -35,7 +35,7 @@ jobs: working-directory: ./security run: "./mk-ca-bundle.pl" - - uses: gr2m/create-or-update-pull-request-action@dc1726cbf4dd3ce766af4ec29cfb660e0125e8ee # v1 + - uses: gr2m/create-or-update-pull-request-action@86ec1766034c8173518f61d2075cc2a173fb8c97 # v1.9.4 env: GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }} with: diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml index f43ad22696..506c913319 100644 --- a/.github/workflows/code-freeze.yml +++ b/.github/workflows/code-freeze.yml @@ -1,5 +1,5 @@ # ******************************************************************************** -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) with this work for additional # information regarding copyright ownership. @@ -16,7 +16,8 @@ name: Code Freeze Bot # Controls when the workflow will run on: pull_request_target: - branches: [ "v[0-9]+.[0-9]+.[0-9]+" ] + branches: + - '*' issue_comment: types: [created] 
@@ -25,6 +26,15 @@ permissions: pull-requests: write jobs: - codefreeze: + # Check if the pull request target branch matches the required branch-regex? + codefreeze_branch_check: + uses: adoptium/.github/.github/workflows/code-freeze-regex-branch.yml@main + with: + branch-regex: "^v[0-9]+.[0-9]+.[0-9]+$" + + # Code freeze if branch-regex matches + codefreeze_if_branch_match: + needs: codefreeze_branch_check uses: adoptium/.github/.github/workflows/code-freeze.yml@main + if: (github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && github.event.issue.pull_request)) && needs.codefreeze_branch_check.outputs.regex-matches == 'true' secrets: inherit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..ca1ba173f3 --- /dev/null +++ b/.github/workflows/codeql.yml 
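Review bot: The `branch-regex` passed to the reusable check, `"^v[0-9]+.[0-9]+.[0-9]+$"`, leaves the dots unescaped, so `.` matches any character and names such as `v2024-03-01` would also be treated as release branches; `branch-regex: '^v[0-9]+\.[0-9]+\.[0-9]+$'` pins it to the `vYYYY.MM.NN` form. With the trigger widened to `branches: - '*'` in the previous hunk, this regex is now the only thing deciding whether a `pull_request_target` run with `pull-requests: write` proceeds, so the line deserves a comment stating the intended branch format. Note also that a single `*` in a GitHub branch filter does not match `/`, so PRs targeting names containing a slash never reach the check at all; if that is intended, say so in the comment above the filter. The `needs.codefreeze_branch_check.outputs.regex-matches` output is defined in the reusable workflow, which is not visible here.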
@@ -0,0 +1,86 @@ +# ******************************************************************************** +# Copyright (c) 2021 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/comment-bot.yml b/.github/workflows/comment-bot.yml index d8e3d3eff6..43f066a55c 100644 --- a/.github/workflows/comment-bot.yml +++ b/.github/workflows/comment-bot.yml @@ -17,6 +17,9 @@ on: pull_request_target: types: [ opened ] +permissions: + contents: read + jobs: comment: permissions: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index c328a846b4..383db66df5 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -19,6 +19,9 @@ on: issues: issue_comment: +permissions: + contents: read + jobs: label: permissions: 
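Review bot: `actions/checkout` is pinned to `f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while the three `github/codeql-action` steps in the same file are on v3.25.3; checkout v3 runs on Node 16, which GitHub has deprecated, so the workflow will start emitting runtime warnings — pin a v4 release instead (`uses: actions/checkout@<v4 commit sha> # v4.x.y`, hash taken from the release tag as done elsewhere in this commit). The `# CodeQL supports [ $supported-codeql-languages ]` line is an unexpanded template placeholder; either fill it in or drop it. A short comment above `language: ["java"]` noting that the Java sources under `cyclonedx-lib` are what is being scanned would tell a reader why a largely shell/Groovy repository analyzes Java only.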
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 2aabc32333..8529c0fb96 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -46,6 +46,6 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v2.13.4 with: sarif_file: results.sarif diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml new file mode 100644 index 0000000000..1887e6dbb9 --- /dev/null +++ b/.github/workflows/semgrep_diff.yml @@ -0,0 +1,21 @@ +# ******************************************************************************** +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** + +--- +name: Semgrep Differential Scan +on: + pull_request: + +jobs: + semgrep-diff: + uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main diff --git a/.github/workflows/signsbom.yml b/.github/workflows/signsbom.yml index 1247e65620..1ba9b3ec54 100644 --- a/.github/workflows/signsbom.yml +++ b/.github/workflows/signsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_sign: name: sign_sbom diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testsbom.yml index 25ae42d763..f6825c06b5 100644 --- a/.github/workflows/testsbom.yml 
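Review bot: The trailing version comment on the bumped `upload-sarif` line is stale: the hash `d39d31e687223d841ef683f52467bd88e9b21c14` is annotated `# v3.25.3` on all three uses in codeql.yml in this same commit, but is still labelled `# v2.13.4` here. Reviewers and pin-maintenance tooling read that comment to know what the SHA resolves to, so change the line to `- uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3`.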
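Review bot: The new `semgrep_diff.yml` declares no top-level `permissions:` block, whereas every other workflow touched by this commit (build-autotriage, comment-bot, labeler, signsbom, testsbom) gains `permissions: contents: read`; without it the calling job runs with the repository's default token scope. Add the same two lines before `jobs:` for consistency, plus any further scope the reusable workflow documents as required. Calling `adoptium/.github/.github/workflows/semgrep_diff.yml@main` follows the existing `@main` convention in code-freeze.yml, but it does mean the scan's behaviour can change without a commit here; a one-line comment noting that this is deliberate would help.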
+++ b/.github/workflows/testsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_gen: name: gen_sbom diff --git a/.licenserc.yaml b/.licenserc.yaml index dfa5af9fa3..125b90a34a 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -28,7 +28,7 @@ header: SPDX-License-Identifier: Apache-2.0 ******************************************************************************** - pattern: Copyright (c) \d{4} Contributors to the Eclipse Foundation + pattern: Copyright (c) ((\d{4})(, \d{4})*) Contributors to the Eclipse Foundation comment: on-failure @@ -39,6 +39,7 @@ header: - '**/*.asc' - '.gitignore' - '.dockerignore' + - '.semgrepignore' - 'docker/.gitignore' - 'security/.gitignore' - 'security/mk-ca-bundle.pl' @@ -46,4 +47,6 @@ header: - 'sbin/*.template' - '.github/linters/*' - 'cyclonedx-lib/getDependencies' + - 'cyclonedx-lib/dependency_data/**' - 'makejdk-any-platform.1' + - 'serverTimestamp.properties' diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/.semgrepignore @@ -0,0 +1 @@ + diff --git a/RELEASING.md b/RELEASING.md index 07cbf1757b..29112911c2 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -54,7 +54,7 @@ Create release branch in the format `vYYYY.MM.NN` on each of the following repos - ci-jenkins-pipelines - jenkins-helper -These branches should be named according to the following format (vYYYY.MM+NN) ,e.g v2023.03+01 , whereby the final element is an incremental counter appended to the year and month of the release. +These branches should be named according to the following format (vYYYY.MM.NN) ,e.g v2023.03.01 , whereby the final element is an incremental counter appended to the year and month of the release. If anything needs to be merged into the new branch, it should typically be merged into master, then a `git cherry-pick` operation should be done to create a new PR against the release branch. This can typically be merged without further approval. diff --git a/build-farm/platform-specific-configurations/linux.sh b/build-farm/platform-specific-configurations/linux.sh index dca182588d..104d1a3e02 100755 --- a/build-farm/platform-specific-configurations/linux.sh +++ b/build-farm/platform-specific-configurations/linux.sh 
@@ -51,14 +51,44 @@ function locateDragonwell8BootJDK() else echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ... mkdir -p "$PWD/jdk-8" + # if [ "$(uname -m)" = "x86_64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # elif [ "$(uname -m)" = "aarch64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # else + # echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" + # exit 1 + # fi + ## Secure Dragonwell Downloads By Validating Checksums if [ "$(uname -m)" = "x86_64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" + EXPECTED_SHA256="E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd" elif [ "$(uname -m)" = "aarch64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" + EXPECTED_SHA256="ff0594f36d13883972ca0b302d35cca5099f10b8be54c70c091f626e4e308774" else echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" exit 1 fi + # Download the file and calculate its SHA256 checksum + TMP_FILE=$(mktemp) + curl -L "$DOWNLOAD_URL" -o "$TMP_FILE" + + # Calculate the SHA256 
checksum of the downloaded file + ACTUAL_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}') + + # Compare the actual and expected SHA256 checksums + if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then + echo "Checksum verification failed for downloaded file!" + rm "$TMP_FILE" + exit 1 + fi + + # Extract the downloaded file + tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8" + + # Clean up the temporary file + rm "$TMP_FILE" export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8" fi } @@ -333,7 +363,7 @@ if [[ "${CONFIGURE_ARGS}" =~ .*"--with-devkit=".* ]]; then echo "Using gcc from DevKit toolchain specified in configure args" elif [[ "${BUILD_ARGS}" =~ .*"--use-adoptium-devkit".* ]]; then echo "Using gcc from Adoptium DevKit toolchain specified in --use-adoptium-devkit build args" -else +else if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION" -eq 11 ] && [ -r /usr/local/gcc9/ ] && [ "${ARCHITECTURE}" == "aarch64" ]; then # GCC9 rather than 10 requested by Alibaba for now # Ref https://github.com/adoptium/temurin-build/issues/2250#issuecomment-732958466 diff --git a/cyclonedx-lib/README.md b/cyclonedx-lib/README.md index 5dc5740a2e..711077035d 100644 --- a/cyclonedx-lib/README.md +++ b/cyclonedx-lib/README.md 
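Review bot: The x86_64 `EXPECTED_SHA256` in `locateDragonwell8BootJDK` is 65 characters long (`E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd`) while a SHA-256 hex digest is exactly 64, so the comparison against `sha256sum` output can never succeed and every x86_64 Dragonwell 8 build that has to download the boot JDK will now exit 1 with "Checksum verification failed"; the aarch64 value is well-formed. Re-derive the digest from the published tarball and store it as 64 lowercase hex characters (the comparison is exact-match, so case matters too), and consider a guard such as `[ ${#EXPECTED_SHA256} -eq 64 ] || { echo "malformed EXPECTED_SHA256"; exit 1; }` so this class of typo fails loudly. The old download block is retained as a commented-out copy above the new code; git history already preserves it, so delete it rather than leave two diverging versions. `rm "$TMP_FILE"` would be safer as `rm -f -- "$TMP_FILE"`, and a `trap 'rm -f -- "$TMP_FILE"' EXIT` would also cover a curl failure. The function's signature and opening `if` lie before this hunk.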
@@ -34,13 +34,12 @@ formulation section (mostly because the author of this added such a section recently) 1. Check that the version of CycloneDX you are using supports the - functionality you want. If not, it will need to be updated. To do this - you need to do three steps [Sample PR](https://github.com/adoptium/temurin-build/pull/3558/files): - - Update [getDependencies](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/getDependencies) with the new version and SHA + functionality you want. If not, it will need to be updated. To do this + you need to do two steps: + - Update the [sha and version files](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/dependency_data) for each jar you plan to change. - Ensure [build.getDependency](https://ci.adoptium.net/job/build.getDependency/) is run to pick up the new version - - Update [build.xml](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml) with the new SHA to allow it to be downloaded successfully during the build (This change can be made along with the getDependencies one if you co--ordinate the update appopriately -2. If the build and java code does not already have support for the CycloneDX functionality that you need the follow ([Sample PR](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml)) - - Updates to [cyclonedx-lib/TemurinGenSBOM.java])https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add a new parameter, a new function to implement it, the call to that function from the `switch` functionality in the `main` function +2. 
If the build and java code does not already have support for the CycloneDX functionality that you need, then follow these steps ([Sample PR](https://github.com/adoptium/temurin-build/pull/3538)) + - Updates to [cyclonedx-lib/TemurinGenSBOM.java](https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add a new parameter, a new function to implement it, the call to that function from the `switch` functionality in the `main` function - Update [cyclonedx-lib/build.xml](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml) to add tests for the new functionality - Add a new function to [sbin/common/sbom.sh](https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add the fields you need - Updates to [sbin/build.sh](https://github.com/adoptium/temurin-build/blob/master/sbin/build.sh) to invoke the new function(s) in sbom.sh diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 09c5059604..eeba51bb12 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -20,9 +20,12 @@ // jscpd:ignore-start --> - + + + + @@ -41,20 +44,12 @@ - - + + - + @@ -91,58 +86,37 @@ - + - + - + - + - + - + - + @@ -505,6 +479,20 @@ + + + + + + + + + + + diff --git a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 new file mode 100644 index 0000000000..a5f27b9cb6 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 @@ -0,0 +1 @@ +b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 new file mode 100644 index 0000000000..854ca3d3eb --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 @@ -0,0 +1 @@ +961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908 \ No newline at end of file 
diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 new file mode 100644 index 0000000000..44090c667a --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 @@ -0,0 +1 @@ +ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 new file mode 100644 index 0000000000..b9d1f60ef1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 @@ -0,0 +1 @@ +8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 new file mode 100644 index 0000000000..95f7e9a2ea --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 @@ -0,0 +1 @@ +2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 new file mode 100644 index 0000000000..c75a5db5e3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 @@ -0,0 +1 @@ +b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 new file mode 100644 index 0000000000..49bdf8a3a5 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 @@ -0,0 +1 @@ +501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424 \ No newline at end of file 
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 new file mode 100644 index 0000000000..bdf90ce8c9 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 @@ -0,0 +1 @@ +edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 new file mode 100644 index 0000000000..492cd69b81 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 @@ -0,0 +1 @@ +968991e5718520cdd7b224770f790cf2c241cddf64d10a36c21f9f8b4a15e79c \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version new file mode 100644 index 0000000000..07fe6f6c9f --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version @@ -0,0 +1 @@ +1.15 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version new file mode 100644 index 0000000000..ed0edc885b --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version @@ -0,0 +1 @@ +2.11.0 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version new file mode 100644 index 0000000000..24afbc91d3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version @@ -0,0 +1 @@ +8.0.3 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version new file mode 100644 index 0000000000..13175fdc43 --- /dev/null 
+++ b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version @@ -0,0 +1 @@ +1.4.1 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version new file mode 100644 index 0000000000..0c59751cf3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version @@ -0,0 +1 @@ +1.0.77 \ No newline at end of file diff --git a/cyclonedx-lib/getDependencies b/cyclonedx-lib/getDependencies index fbbdca11bc..03164a7b34 100644 --- a/cyclonedx-lib/getDependencies 
+++ b/cyclonedx-lib/getDependencies @@ -2,6 +2,9 @@ LABEL=params.LABEL ? params.LABEL : 'ci.role.test&&hw.arch.x86&&sw.os.linux' +TEMURIN_BUILD_REPO="https://github.com/adamfarley/temurin-build" +TEMURIN_BUILD_BRANCH="add_versions_and_shas_to_build_getdependencies" + stage('Queue') { node("$LABEL") { cleanWs() @@ -9,9 +12,17 @@ stage('Queue') { } } -def fetchSingleFile(String jarFile, String sha, String mavenURL) { - sh 'echo "' + sha + ' sbom_dependencies/' + jarFile + '" >> sbom_dep_shas.txt' +// Fetch a single file from a location under Maven. +// Args: +// - jarFile: The name of the file after we've downloaded it. +// - mavenURL: The file and location of the jarfile to be downloaded (under Maven). +def fetchSingleFile(String jarFile, String mavenURL) { + // Downloads the requested jarfile sh 'curl -L -o "sbom_dependencies/' + jarFile + '" "https://search.maven.org/classic/remotecontent?filepath=' + mavenURL + '"' + + // Puts the matching sha for the jarfile into the list of shas to check. + def jarSHA = readFile(file : './temurin-build/cyclonedx-lib/dependency_data/shas/' + jarFile + '.sha256').replaceAll("\\s","") + sh 'echo "' + jarSHA + ' sbom_dependencies/' + jarFile + '" >> sbom_dependency_shas.txt' } def fetchDeps() { 
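Review bot: `TEMURIN_BUILD_REPO` and `TEMURIN_BUILD_BRANCH` point at a personal fork (`https://github.com/adamfarley/temurin-build`) and a feature branch, and the `sha256sum -c` step in `fetchDeps` (the following hunks) verifies the downloaded jars against the `.sha256` files cloned from there, so the entire integrity check is anchored in whatever that fork's branch contains at run time. Before merge these must point at the canonical repository and a fixed ref, e.g. `TEMURIN_BUILD_REPO="https://github.com/adoptium/temurin-build"` with the branch set to `master` or, better, a tag or commit resolved by the job; otherwise the job silently depends on an account outside the organisation. Since `git clone -b <branch>` follows a moving target, consider recording the cloned commit in the job output so an archived `sbom_dependencies` set can be traced back to the exact checksum files that validated it. In `fetchSingleFile`, `jarSHA` is interpolated into a shell command string; it comes from the cloned repo so it is not untrusted input today, but a one-line comment stating that the cloned checkout is the trust anchor for the check would make that assumption explicit.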
@@ -21,38 +32,45 @@ def fetchDeps() { } timeout(time: time_limit, unit: 'HOURS') { try { + // This allows us to easily specify which of our workspace files are to be archived later. sh 'mkdir sbom_dependencies' - - + // These versions come from https://github.com/CycloneDX/cyclonedx-core-java/tags // Version->spec mappings are in https://github.com/CycloneDX/cyclonedx-core-java#cyclonedx-schema-support - def cyclonedx_core_java_version = "8.0.3" - def jackson_core_version = "2.14.2" - def jackson_annotations_version = "2.14.2" - def jackson_databind_version = "2.14.2" - def json_schema_version = "1.0.77" - def commons_codec_version = "1.15" - def commons_io_version = "2.11.0" - def github_package_url_version = "1.4.1" - - fetchSingleFile("cyclonedx-core-java.jar", "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5", "org/cyclonedx/cyclonedx-core-java/${cyclonedx_core_java_version}/cyclonedx-core-java-${cyclonedx_core_java_version}.jar") - fetchSingleFile("jackson-core.jar", "b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a", "com/fasterxml/jackson/core/jackson-core/${jackson_core_version}/jackson-core-${jackson_core_version}.jar") - fetchSingleFile("jackson-dataformat-xml.jar", "edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b", "com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson_databind_version}/jackson-dataformat-xml-${jackson_databind_version}.jar") - fetchSingleFile("jackson-databind.jar", "501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424", "com/fasterxml/jackson/core/jackson-databind/${jackson_databind_version}/jackson-databind-${jackson_databind_version}.jar") - fetchSingleFile("jackson-annotations.jar", "2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d", "com/fasterxml/jackson/core/jackson-annotations/${jackson_annotations_version}/jackson-annotations-${jackson_annotations_version}.jar") - fetchSingleFile("json-schema.jar", 
"968991e5718520cdd7b224770f790cf2c241cddf64d10a36c21f9f8b4a15e79c", "com/networknt/json-schema-validator/${json_schema_version}/json-schema-validator-${json_schema_version}.jar") - fetchSingleFile("commons-codec.jar", "b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63", "commons-codec/commons-codec/${commons_codec_version}/commons-codec-${commons_codec_version}.jar") - fetchSingleFile("github-package-url.jar", "8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2", "com/github/package-url/packageurl-java/${github_package_url_version}/packageurl-java-${github_package_url_version}.jar") - fetchSingleFile("commons-io.jar", "961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908", "commons-io/commons-io/${commons_io_version}/commons-io-${commons_io_version}.jar") - - sh 'sha256sum -c sbom_dep_shas.txt' + sh 'git clone -b ' + TEMURIN_BUILD_BRANCH + ' ' + TEMURIN_BUILD_REPO + ' temurin-build' + def dep_data = WORKSPACE + "/temurin-build/cyclonedx-lib/dependency_data/" + + def cyclonedx_core_java_version = readFile(file : dep_data + 'versions/cyclonedx-core-java.jar.version').replaceAll("\\s","") + def jackson_core_version = readFile(file : dep_data + 'versions/jackson-core.jar.version').replaceAll("\\s","") + def jackson_annotations_version = readFile(file : dep_data + 'versions/jackson-annotations.jar.version').replaceAll("\\s","") + def jackson_databind_version = readFile(file : dep_data + 'versions/jackson-databind.jar.version').replaceAll("\\s","") + def json_schema_version = readFile(file : dep_data + 'versions/json-schema.jar.version').replaceAll("\\s","") + def commons_codec_version = readFile(file : dep_data + 'versions/commons-codec.jar.version').replaceAll("\\s","") + def commons_io_version = readFile(file : dep_data + 'versions/commons-io.jar.version').replaceAll("\\s","") + def github_package_url_version = readFile(file : dep_data + 'versions/github-package-url.jar.version').replaceAll("\\s","") + // Each of these fetches 
a jar in the format: fetchSingleFile(jar name post-download, current jar location under Maven) + fetchSingleFile("cyclonedx-core-java.jar", "org/cyclonedx/cyclonedx-core-java/${cyclonedx_core_java_version}/cyclonedx-core-java-${cyclonedx_core_java_version}.jar") + fetchSingleFile("jackson-core.jar", "com/fasterxml/jackson/core/jackson-core/${jackson_core_version}/jackson-core-${jackson_core_version}.jar") + fetchSingleFile("jackson-dataformat-xml.jar", "com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson_databind_version}/jackson-dataformat-xml-${jackson_databind_version}.jar") + fetchSingleFile("jackson-databind.jar", "com/fasterxml/jackson/core/jackson-databind/${jackson_databind_version}/jackson-databind-${jackson_databind_version}.jar") + fetchSingleFile("jackson-annotations.jar", "com/fasterxml/jackson/core/jackson-annotations/${jackson_annotations_version}/jackson-annotations-${jackson_annotations_version}.jar") + fetchSingleFile("json-schema.jar", "com/networknt/json-schema-validator/${json_schema_version}/json-schema-validator-${json_schema_version}.jar") + fetchSingleFile("commons-codec.jar", "commons-codec/commons-codec/${commons_codec_version}/commons-codec-${commons_codec_version}.jar") + fetchSingleFile("github-package-url.jar", "com/github/package-url/packageurl-java/${github_package_url_version}/packageurl-java-${github_package_url_version}.jar") + fetchSingleFile("commons-io.jar", "commons-io/commons-io/${commons_io_version}/commons-io-${commons_io_version}.jar") + + + // Check that every file matches the sha of the file we expected. + sh 'sha256sum -c sbom_dependency_shas.txt' + + // Store all retrieved files on Jenkins, for use during sbom creation. archiveArtifacts '**/sbom_dependencies/*' } finally { + // Clean up workspace. cleanWs() } } } - return this diff --git a/docker/buildDocker.sh b/docker/buildDocker.sh index 5740d931ca..4b23447b8a 100755 --- a/docker/buildDocker.sh +++ b/docker/buildDocker.sh 
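Review bot: `jackson-dataformat-xml.jar` is still fetched with `${jackson_databind_version}` in its Maven path, even though this commit adds a dedicated `versions/jackson-dataformat-xml.jar.version` file that `fetchDeps` never reads; the moment the two version files diverge the downloaded jar no longer matches `shas/jackson-dataformat-xml.jar.sha256` and `sha256sum -c` fails with no hint why. Read the file like the others, `def jackson_dataformat_xml_version = readFile(file : dep_data + 'versions/jackson-dataformat-xml.jar.version').replaceAll("\\s","")`, and use it in the `fetchSingleFile("jackson-dataformat-xml.jar", ...)` call. The eight near-identical `readFile(...).replaceAll(...)` lines could also become a small helper taking the jar name, which would keep the version and sha lookups in one place.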
@@ -129,6 +129,13 @@ useEclipseOpenJ9DockerFiles() mkdir -p "$dockerfileDir" cd "$dockerfileDir" || { echo "Dockerfile directory ($dockerfileDir) was not found"; exit 3; } getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh mkdocker.sh + MKDOCK_SHA="a09a00c2beb9c53985b4c3ed6fb62825d90808775941ab56417bef75a575be55" + mkd_downloaded_sha=$(sha256sum mkdocker.sh | awk '{print $1}') + if [ "$mkd_downloaded_sha" != "$MKDOCK_SHA" ]; then + echo "ERROR: SHA256 checksum mismatch for mkdocker.sh" + exit 1 + fi + chmod +x mkdocker.sh # Generate an Ubuntu1804 Dockerfile using mkdocker.sh "$dockerfileDir/mkdocker.sh" --dist=ubuntu --version=18 --print >> "$dockerfileDir/Dockerfile" diff --git a/makejdk-any-platform.1 b/makejdk-any-platform.1 index 34d36d33be..849d6ff6a0 100755 --- a/makejdk-any-platform.1 +++ b/makejdk-any-platform.1 @@ -26,6 +26,9 @@ that you are building for further details. This will start a Docker container and build you the latest Java 8 Temurin binary from the source at https://github.com/adoptium/openjdk-jdk8u +Note that the main argument, in this case jdk8, is compared and enforced +against an enumeration - jdk8, jdk8u, ... jdk21, jdk21u, ...jdk. Nothing else. +You can workaround this by \-\-version switch. Please visit https://www.adoptium.net for further support @@ -45,6 +48,12 @@ Build JDK (tip), defaults to https://github.com/adoptium/jdk .SH OPTIONS .TP +.BR \-A ", " \-\-skip-alsa +Skip downloading of alsa automatically. +If you do so, the underlying configure will detect system lib and headers. +If you wish to point to some custom build/install pass it via \fI\-C, \-\-configure-args \fR +Presence of \-\-with-alsa in \-\-configure-args will also not include freshly installed alsa to build. +.TP .BR \-b ", " \-\-branch " " \fI\fR specify a custom branch to build from, e.g. dev. For reference, Adoptium GitHub source repos default to the \fI\fR 
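Review bot: The pinned `MKDOCK_SHA` is checked against a file fetched from the `master` branch of eclipse-openj9/openj9 (the `getFile` line just above the new check), so the build will break on the next upstream commit to mkdocker.sh and a mismatch cannot be told apart from tampering. Pin the URL to the commit whose mkdocker.sh hashes to `MKDOCK_SHA`, e.g. `getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/<commit>/buildenv/docker/mkdocker.sh mkdocker.sh`, so the reference and the checksum move together. On mismatch the rejected file is also left in place and the message omits both hashes; `echo "ERROR: SHA256 checksum mismatch for mkdocker.sh (expected ${MKDOCK_SHA}, got ${mkd_downloaded_sha})"` followed by `rm -f mkdocker.sh` makes the failure diagnosable and leaves no unverified script behind. `sha256sum` and `awk` are assumed present on the host running buildDocker.sh — presumably fine for Linux, worth confirming if macOS hosts are in scope. useEclipseOpenJ9DockerFiles starts and ends outside the hunk.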
diff --git a/sbin/build.sh b/sbin/build.sh
index ced5d1f4d8..52c0442cc0 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -479,7 +479,6 @@ buildingTheRestOfTheConfigParameters() {
 if [ "${BUILD_CONFIG[OPENJDK_CORE_VERSION]}" == "${JDK8_CORE_VERSION}" ]; then
 addConfigureArg "--with-x=" "/usr/include/X11"
- addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa"
 fi
 }
@@ -505,6 +504,14 @@ configureDebugParameters() {
 fi
 }
+configureAlsaLocation() {
+ if [[ ! "${CONFIGURE_ARGS}" =~ "--with-alsa" ]]; then
+ if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then
+ addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa"
+ fi
+ fi
+}
+
 configureFreetypeLocation() {
 if [[ ! "${CONFIGURE_ARGS}" =~ "--with-freetype" ]]; then
 if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then
@@ -551,6 +558,7 @@ configureCommandParameters() {
 else
 echo "Building up the configure command..."
 buildingTheRestOfTheConfigParameters
+ configureAlsaLocation
 fi
 echo "Adjust configure for reproducible build"
@@ -920,6 +928,7 @@ generateSBoM() {
 # Set default SBOM formulation
 addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX"
 addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs"
+ addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions"
 # Below add build tools into metadata tools
 if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then
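Review bot: `configureAlsaLocation` adds `--with-alsa=.../installedalsa` whenever `BUILD_CONFIG[ALSA]` is true, dropping the JDK8-only guard the removed line in buildingTheRestOfTheConfigParameters had, and it applies no OS check, while the prepareWorkspace.sh hunk in this same diff only downloads ALSA into that directory on Linux ("Non-Linux-based environment detected, skipping download"). On non-Linux hosts configure can therefore be pointed at a directory nothing populated; if widening to every JDK version is intended, say so in a comment, and guard the OS the way the downloader does, e.g. `if [[ "${BUILD_CONFIG[OS_KERNEL_NAME]}" != "linux" ]]; then return; fi` at the top of the function (that is the key generateSBoM tests further down this file — confirm it is the right one here). The quoted right-hand side of `=~ "--with-alsa"` is a literal substring match, which is what is wanted; a comment such as `# quoted on purpose: literal match, not a regex` would stop a future cleanup from unquoting it.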
@@ -1128,6 +1137,15 @@ addCycloneDXVersions() {
 JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
 fi
 addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
+ # Now the jar's SHA has been added, we add the version string.
+ JarVersionFile="$(joinPath ${CYCLONEDB_DIR} dependency_data versions ${JarName}.version)"
+ if [ -f "${JarVersionFile}" ]; then
+ JarVersionString=$(cat "${JarVersionFile}")
+ addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}" "${JarVersionString}"
+ elif [ "${JarName}" != "temurin-gen-sbom.jar" ]; then
+ echo "ERROR: Cannot find jar version file for SBOM creation dependency ${JarName}."
+ echo "ERROR: Expected location: ${JarVersionFile}"
+ fi
 done
 fi
 }
diff --git a/sbin/common/common.sh b/sbin/common/common.sh
index d60dff4b15..0fbcca594a 100755
--- a/sbin/common/common.sh
+++ b/sbin/common/common.sh
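Review bot: The `elif` branch reports a missing version file with two `ERROR:` lines but then falls through, so the loop continues and, as far as the hunk shows, the function still returns success with an SBOM whose "CycloneDX jar versions" component is silently incomplete. If the version is mandatory, follow the messages with `return 1` (or `exit 1`, whichever matches how the rest of build.sh treats fatal SBOM errors) so the build fails instead of publishing a partial SBOM; if it is intentionally best-effort, downgrade the wording to WARNING and add a comment saying why. The unquoted `${CYCLONEDB_DIR}` and `${JarName}` in the `joinPath` call word-split on paths containing spaces; write `"${CYCLONEDB_DIR}"` and `"${JarName}.version"`. addCycloneDXVersions starts before the hunk.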
@@ -17,6 +17,20 @@ function setOpenJdkVersion() {
 local forest_name=$1
+ # The argument passed here have actually very strict format of jdk8, jdk8u..., jdk
+ # the build may fail later if this is not honoured.
+ # If your repository has a different name, you can use --version or build from dir/snapshot
+ local forest_name_check1=0
+ local forest_name_check2=0
+ # This two returns condition is there to make grep on solaris happy. -e, -q and \( and \| do not work on that platform
+ echo "$forest_name" | grep "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" >/dev/null || forest_name_check1=$?
+ echo "$forest_name" | grep "^jdk$" >/dev/null || forest_name_check2=$?
+ if [ ${forest_name_check1} -ne 0 ] && [ ${forest_name_check2} -ne 0 ]; then
+ echo "The mandatory repo argument has a very strict format 'jdk[0-9]{1,3}[u]{0,1}' or just plain 'jdk' for tip. '$forest_name' does not match."
+ echo "This can be worked around by using '--version jdkXYu'. If set (and matching) then the main argument can have any value."
+ exit 1
+ fi
+
 # Derive the openjdk_core_version from the forest name.
 local openjdk_core_version=${forest_name}
 if [[ ${forest_name} == *u ]]; then
diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh
index e9537564ee..fb240c5e5b 100755
--- a/sbin/common/config_init.sh
+++ b/sbin/common/config_init.sh
@@ -31,6 +31,7 @@ CONFIG_PARAMS=(
 ADOPTIUM_DEVKIT_LOCATION
 ADOPT_PATCHES
+ALSA
 ASSEMBLE_EXPLODED_IMAGE
 OPENJDK_BUILD_REPO_BRANCH
 OPENJDK_BUILD_REPO_URI
@@ -303,6 +304,9 @@ function parseConfigurationArguments() {
 "--skip-freetype" | "-F" )
 BUILD_CONFIG[FREETYPE]=false;;
+ "--skip-alsa" | "-A" )
+ BUILD_CONFIG[ALSA]=false;;
+
 "--help" | "-h" )
 man ./makejdk-any-platform.1 && exit 0;;
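Review bot: The two `echo | grep` pipelines with status variables exist only to work around Solaris grep, but the same check is expressible as a POSIX `case` pattern, which needs no external command and no portability comment; the patterns below accept exactly `jdk`, `jdk` plus one to three digits, and the same with a trailing `u`, matching what `^jdk[0-9]\{1,3\}[u]\{0,1\}$` and `^jdk$` accept. Keeping the two `echo` messages and the `exit 1` verbatim, the check reduces to the fence below. Note that `exit 1` from a function in a sourced library terminates the calling shell, which is presumably what makejdk-any-platform.sh wants, but deserves a comment such as `# fatal: abort the whole build on an unusable repo name`. setOpenJdkVersion continues beyond the hunk.
```shell
  local forest_name=$1

  # Only jdk, jdkN, jdkNN, jdkNNN and the same with a trailing 'u' are accepted here;
  # a plain case pattern is POSIX and sidesteps the Solaris grep limitations.
  case "$forest_name" in
    jdk|jdk[0-9]|jdk[0-9][0-9]|jdk[0-9][0-9][0-9]|jdk[0-9]u|jdk[0-9][0-9]u|jdk[0-9][0-9][0-9]u)
      ;;
    *)
      echo "The mandatory repo argument has a very strict format 'jdk[0-9]{1,3}[u]{0,1}' or just plain 'jdk' for tip. '$forest_name' does not match."
      echo "This can be worked around by using '--version jdkXYu'. If set (and matching) then the main argument can have any value."
      exit 1
      ;;
  esac

  # … unchanged: derive openjdk_core_version from the forest name …
```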
@@ -483,7 +487,8 @@ function configDefaults() {
 BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JDK_FLAG]="false"
 BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JRE_FLAG]="false"
- BUILD_CONFIG[FREETYPE]=true
+ BUILD_CONFIG[ALSA]="true"
+ BUILD_CONFIG[FREETYPE]="true"
 BUILD_CONFIG[FREETYPE_DIRECTORY]=""
 BUILD_CONFIG[FREETYPE_FONT_VERSION]="86bc8a95056c97a810986434a3f268cbe67f2902" # 2.9.1
 BUILD_CONFIG[FREETYPE_FONT_BUILD_TYPE_PARAM]=""
diff --git a/sbin/prepareWorkspace.sh b/sbin/prepareWorkspace.sh
index 38738f5c25..d2ad91dc88 100644
--- a/sbin/prepareWorkspace.sh
+++ b/sbin/prepareWorkspace.sh
@@ -314,6 +314,7 @@ createWorkspace() {
 # ALSA first for sound
 checkingAndDownloadingAlsa() {
+ cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit
 echo "Checking for ALSA"
@@ -667,7 +668,13 @@ downloadingRequiredDependencies() {
 echo "Non-Linux-based environment detected, skipping download of dependency Alsa."
 else
 echo "Checking and downloading Alsa dependency because OSTYPE=\"${OSTYPE}\""
- checkingAndDownloadingAlsa
+ if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then
+ checkingAndDownloadingAlsa
+ else
+ echo ""
+ echo "---> Skipping the process of checking and downloading the Alsa dependency, a pre-built version should be provided via -C/--configure-args <---"
+ echo ""
+ fi
 fi
 if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then
diff --git a/serverTimestamp.properties b/serverTimestamp.properties
index 7f96aadb1b..98a69dfb68 100644
--- a/serverTimestamp.properties
+++ b/serverTimestamp.properties
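Review bot: The new `cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit` changes the working directory of the calling shell for everything that runs after `checkingAndDownloadingAlsa` (the call in `downloadingRequiredDependencies` later in this diff is a plain call, not a subshell), and a bare `exit` aborts with no message, so a missing `libs/` directory fails silently with whatever status `cd` returned. Prefer a guarded, explained failure, `cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || { echo "ERROR: cannot cd to ${BUILD_CONFIG[WORKSPACE_DIR]}/libs/"; exit 1; }`, and either run the function body in a subshell `( ... )` or `cd` back at the end so the cwd change does not leak into later steps. checkingAndDownloadingAlsa ends outside the hunk, so whether it already restores the directory cannot be confirmed from here.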
@@ -1,16 +1,3 @@
-# ********************************************************************************
-# Copyright (c) 2021 Contributors to the Eclipse Foundation
-#
-# See the NOTICE file(s) with this work for additional
-# information regarding copyright ownership.
-#
-# This program and the accompanying materials are made
-# available under the terms of the Apache Software License 2.0
-# which is available at https://www.apache.org/licenses/LICENSE-2.0.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************
-
 comodaca=http://timestamp.comodoca.com/authenticode
 globalsign=http://timestamp.globalsign.com/scripts/timstamp.dll
 isectigo=http://timestamp.sectigo.com
diff --git a/tooling/release_download_test.sh b/tooling/release_download_test.sh
index 12186a8827..32cbb40e73 100755
--- a/tooling/release_download_test.sh
+++ b/tooling/release_download_test.sh
@@ -344,7 +344,7 @@ verify_gcc_version() {
 # shellcheck disable=SC2166
 [ "${MAJOR_VERSION}" = "8" -o "${MAJOR_VERSION}" = "11" ] && expected_gcc=7.5.0
 [ "${MAJOR_VERSION}" = "17" ] && expected_gcc=10.3.0
- [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.2.0
+ [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.3.0
 if ! strings tarballtest/bin/java | grep "^GCC:.*${expected_gcc}"; then
 print_error "GCC version detected in the JDK java executable is not the expected ${expected_gcc}"
diff --git a/tooling/reproducible/linux_repro_build_compare.sh b/tooling/reproducible/linux_repro_build_compare.sh
index b25407e9a8..7651ac7537 100755
--- a/tooling/reproducible/linux_repro_build_compare.sh
+++ b/tooling/reproducible/linux_repro_build_compare.sh
@@ -21,7 +21,9 @@ set -e
 SBOM_PARAM=$1
 JDK_PARAM=$2
 ANT_VERSION=1.10.5
+ANT_SHA=9028e2fc64491cca0f991acc09b06ee7fe644afe41d1d6caf72702ca25c4613c
 ANT_CONTRIB_VERSION=1.0b3
+ANT_CONTRIB_SHA=4d93e07ae6479049bb28071b069b7107322adaee5b70016674a0bffd4aac47f9
 isJdkDir=false
 installPrereqs() {
@@ -31,8 +33,17 @@ installPrereqs() {
 yum install -y git bzip2 xz openssl pigz which jq # pigz/which not strictly needed but help in final compression
 if grep -i release.6 /etc/redhat-release; then
 if [ ! -r /usr/local/bin/autoconf ]; then
- curl https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz | tar xpfz - || exit 1
- (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install)
+ curl --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz
+ ACSHA256=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969
+ ACCHKSHA=$(sha256sum ./autoconf-2.69.tar.gz|cut -d" " -f1)
+ if [ "$ACSHA256" = "$ACCHKSHA" ]; then
+ echo "Hi"
+ tar xpfz ./autoconf-2.69.tar.gz || exit 1
+ (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install)
+ else
+ echo "ERROR - Checksum For AutoConf Download Is Incorrect"
+ exit 1;
+ fi
 fi
 fi
 fi
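Review bot: `echo "Hi"` inside the checksum-matched branch looks like a leftover debug print and should be removed before merge; `exit 1;` in the else branch also carries a stray semicolon. `curl --output ...` without `--fail` writes an HTTP error body into `autoconf-2.69.tar.gz` on a 404/5xx, which the compare then rejects with a misleading "Checksum ... Incorrect" message; `curl --fail --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz` separates a download failure from a tampered file, and `rm -f ./autoconf-2.69.tar.gz` before `exit 1` leaves no unverified tarball behind. Pinning the tarball to `ACSHA256` is the right call for a reproducibility script, since a released GNU tarball is not expected to change. installPrereqs starts before the hunk.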
@@ -40,15 +51,27 @@ installPrereqs() {
 # ant required for --create-sbom
 downloadAnt() {
- if [ ! -r /usr/local/apache-ant-${ANT_VERSION}/bin/ant ]; then
- echo Downloading ant for SBOM creation:
- curl https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip > /tmp/apache-ant-${ANT_VERSION}-bin.zip
- (cd /usr/local && unzip -qn /tmp/apache-ant-${ANT_VERSION}-bin.zip)
- rm /tmp/apache-ant-${ANT_VERSION}-bin.zip
- echo Downloading ant-contrib-${ANT_CONTRIB_VERSION}:
- curl -L https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip > /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip
- (unzip -qnj /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar -d /usr/local/apache-ant-${ANT_VERSION}/lib)
- rm /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip
+ if [ ! -r "/usr/local/apache-ant-${ANT_VERSION}/bin/ant" ]; then
+ echo "Downloading ant for SBOM creation..."
+ curl -o "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip"
+ ANTCHKSHA=$(sha256sum "/tmp/apache-ant-${ANT_VERSION}-bin.zip" | cut -d" " -f1)
+ if [ "$ANT_SHA" = "$ANTCHKSHA" ]; then
+ (cd /usr/local && unzip -qn "/tmp/apache-ant-${ANT_VERSION}-bin.zip")
+ rm "/tmp/apache-ant-${ANT_VERSION}-bin.zip"
+ else
+ echo "ERROR - Checksum for Ant download is incorrect"
+ exit 1
+ fi
+ echo "Downloading ant-contrib-${ANT_CONTRIB_VERSION}..."
+ curl -Lo "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip"
+ ANTCTRCHKSHA=$(sha256sum "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" | cut -d" " -f1)
+ if [ "$ANT_CONTRIB_SHA" = "$ANTCTRCHKSHA" ]; then
+ (unzip -qnj "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar" -d "/usr/local/apache-ant-${ANT_VERSION}/lib")
+ rm "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip"
+ else
+ echo "ERROR - Checksum for Ant Contrib download is incorrect"
+ exit 1
+ fi
 fi
 }
diff --git a/tooling/validateSBOMcontent.sh b/tooling/validateSBOMcontent.sh
index 9c3b6a874e..56e98c6f60 100755
--- a/tooling/validateSBOMcontent.sh
+++ b/tooling/validateSBOMcontent.sh
@@ -41,7 +41,11 @@ if echo "$SBOMFILE" | grep _solaris_; then
 EXPECTED_COMPILER="solstudio (Oracle Solaris Studio)"
 elif echo "$SBOMFILE" | grep _aix_; then
 EXPECTED_COMPILER="xlc (IBM XL C/C++)"
- EXPECTED_FREETYPE=2.8.0
+ if [ "$MAJORVERSION" -lt 17 ]; then
+ EXPECTED_FREETYPE=2.8.0
+ else
+ EXPECTED_FREETYPE=2.13.2 # Bundled version
+ fi
 elif echo "$SBOMFILE" | grep _alpine-linux_ > /dev/null; then
 EXPECTED_FREETYPE=2.11.1
 EXPECTED_ALSA=1.1.6
@@ -61,8 +65,12 @@ elif echo "$SBOMFILE" | grep _linux_; then
 [ "${MAJORVERSION}" = "8" ] && EXPECTED_GCC=7.5.0
 [ "${MAJORVERSION}" = "11" ] && EXPECTED_GCC=7.5.0
 [ "${MAJORVERSION}" = "17" ] && EXPECTED_GCC=10.3.0
- [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.2.0 && EXPECTED_FREETYPE=Unknown
+ [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.3.0 && EXPECTED_FREETYPE=Unknown
 EXPECTED_ALSA=1.1.6
+ if echo "$SBOMFILE" | grep _riscv64_ > /dev/null; then
+ EXPECTED_GCC=10.5.0 # No devkit yet so default in Ubuntu 20.04
+ EXPECTED_GLIBC=2.31
+ fi
 #elif echo $SBOMFILE | grep _mac_; then
 # EXPECTED_COMPILER="clang (clang/LLVM from Xcode 10.3)"
 elif echo "$SBOMFILE" | grep _x64_windows_; then
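Review bot: On a checksum mismatch both branches `exit 1` but leave the rejected archive at its fixed path under `/tmp` (`/tmp/apache-ant-${ANT_VERSION}-bin.zip`, `/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip`), and neither `curl` call uses `--fail`, so a 404 or mirror error page is saved and then reported as "Checksum ... incorrect" rather than as a download failure. Suggest `curl --fail -o ...` and `curl --fail -Lo ...`, plus `rm -f "/tmp/apache-ant-${ANT_VERSION}-bin.zip"` (and the ant-contrib equivalent) before each `exit 1`. The `-L` on the sourceforge fetch is needed for its redirect chain and is acceptable here because `ANT_CONTRIB_SHA` validates whatever the final host returns. The predictable `/tmp` names predate this change; a `mktemp -d` workdir with a cleanup `trap` would be the natural follow-up.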
@@ -73,10 +81,10 @@ elif echo "$SBOMFILE" | grep _x64_windows_; then
 EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2022)"
 else # JDK11 and 17
 EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2019)"
- EXPECTED_FREETYPE=Unknown
+ EXPECTED_FREETYPE=2.13.2 # Bundled version
 fi
 elif echo "$SBOMFILE" | grep _x86-32_windows_; then
- EXPECTED_FREETYPE=Unknown
+ EXPECTED_FREETYPE=2.13.2 # Bundled version
 if [ "${MAJORVERSION}" = "8" ]; then
 EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2013)"
 EXPECTED_FREETYPE=2.5.3
@@ -87,8 +95,8 @@ elif echo "$SBOMFILE" | grep _x86-32_windows_; then
 fi
 elif echo "$SBOMFILE" | grep _mac_; then
 # NOTE: mac/x64 native builds >=11 were using "clang (clang/LLVM from Xcode 10.3)"
- EXPECTED_FREETYPE=Unknown
- EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.0.1)"
+ EXPECTED_FREETYPE=2.13.2 # Bundled version
+ EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.2)"
 # shellcheck disable=SC2166
 if [ "${MAJORVERSION}" = "8" ] && echo "$SBOMFILE" | grep _x64_; then
 EXPECTED_COMPILER="clang (clang/LLVM)"
@@ -96,8 +104,7 @@ elif echo "$SBOMFILE" | grep _mac_; then
 fi
 fi
-[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=Unknown
-
+[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=2.13.2 # Bundled version
 RC=0
 if echo "$SBOMFILE" | grep 'linux_'; then