From a6af16117123e401f694c834290ab0d3d828db49 Mon Sep 17 00:00:00 2001
From: Tim Ellison
Date: Fri, 12 Apr 2024 04:15:41 +0100
Subject: [PATCH 01/17] No source file header for serverTimestamp.properties (#3757)

* Remove header comment Signing tool does not allow for header comment.
* Ignore serverTimestamp.properties Don't add license header to the serverTimestamp.properties
* Ignore serverTimestamp.properties
---
.licenserc.yaml | 1 +
serverTimestamp.properties | 13 -------------
2 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/.licenserc.yaml b/.licenserc.yaml
index dfa5af9fa3..a346f887fd 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -47,3 +47,4 @@ header:
- '.github/linters/*'
- 'cyclonedx-lib/getDependencies'
- 'makejdk-any-platform.1'
+ - 'serverTimestamp.properties'
diff --git a/serverTimestamp.properties b/serverTimestamp.properties
index 7f96aadb1b..98a69dfb68 100644
--- a/serverTimestamp.properties
+++ b/serverTimestamp.properties
@@ -1,16 +1,3 @@
-# ********************************************************************************
-# Copyright (c) 2021 Contributors to the Eclipse Foundation
-#
-# See the NOTICE file(s) with this work for additional
-# information regarding copyright ownership.
-#
-# This program and the accompanying materials are made
-# available under the terms of the Apache Software License 2.0
-# which is available at https://www.apache.org/licenses/LICENSE-2.0.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************
-
comodaca=http://timestamp.comodoca.com/authenticode
globalsign=http://timestamp.globalsign.com/scripts/timstamp.dll
isectigo=http://timestamp.sectigo.com
From 6fecaa78cf8debdb173faee518ffbde6153170be Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Apr 2024 05:28:02 +1200
Subject: [PATCH 02/17] build(deps): bump actions/download-artifact from 4.1.4 to 4.1.5 (#3761)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.4 to 4.1.5.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/c850b930e6ba138125429b7e5c93fc707a7f8427...8caf195ad4b1dee92908e23f56eeb0696f1dd42d)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 27f9b174c5..2270e700a5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -409,7 +409,7 @@ jobs:
path: workspace/target/*
- name: Restore build artifacts
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+ uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # v4.1.5
with:
name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
path: ~/${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
From 0936cc28cec3be96322fb07be8b4713a5ff3dea4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Apr 2024 22:39:12 +1200
Subject: [PATCH 03/17] build(deps): bump actions/download-artifact from 4.1.5 to 4.1.6 (#3765)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/8caf195ad4b1dee92908e23f56eeb0696f1dd42d...9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2270e700a5..480adeeabb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -409,7 +409,7 @@ jobs:
path: workspace/target/*
- name: Restore build artifacts
- uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # v4.1.5
+ uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
path: ~/${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
From 21f55f841d221f7c9e3af72b3d842a75db86f468 Mon Sep 17 00:00:00 2001
From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com>
Date: Wed, 24 Apr 2024 09:22:06 +0100
Subject: [PATCH 04/17] Fix failing jdk11 macos CI checks due to Xcode 15 dependencies (#3766)

* Update macos github build action
Signed-off-by: Andrew Leonard
* Update macos github build action
Signed-off-by: Andrew Leonard
* Update macos github build action
Signed-off-by: Andrew Leonard
* Update macos github build action
Signed-off-by: Andrew Leonard
* Update macos github build action
Signed-off-by: Andrew Leonard
* Update macos github build action
Signed-off-by: Andrew Leonard
---------
Signed-off-by: Andrew Leonard
Co-authored-by: Martijn Verburg
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 480adeeabb..b8c9fc8e7f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -134,7 +134,7 @@ jobs:
os: [macOS]
version: [
{ name: jdk8u, distro: macos-11 },
- { name: jdk11u, distro: macos-13 },
+ { name: jdk11u, distro: macos-14 },
{ name: jdk17u, distro: macos-14 }
]
variant: [temurin]
@@ -184,7 +184,7 @@ jobs:
if: matrix.version.name != 'jdk8u'
run: |
rm -rf /Applications/Xcode.app
- ln -s /Applications/Xcode_15.0.1.app /Applications/Xcode.app
+ ln -s /Applications/Xcode_15.2.app /Applications/Xcode.app
- name: Build macOS
run: |
From a45cadab57ff1bd89e7b4f0cbab1df4dc5eea6b5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 25 Apr 2024 10:25:10 +0100
Subject: [PATCH 05/17] build(deps): bump actions/download-artifact from 4.1.6 to 4.1.7 (#3773)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395...65a9edc5881444af0b9093a5e628f2fe47ea3b2e)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
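Review bot: The symlink step in the second hunk (`@@ -184,7`) never checks that the new target exists: `ln -s /Applications/Xcode_15.2.app /Applications/Xcode.app` succeeds even when `Xcode_15.2.app` is not on the runner image, so a later image change would surface only as an opaque toolchain failure in the build step that follows. Adding `test -d /Applications/Xcode_15.2.app` before the `rm -rf` makes the step fail where the cause is visible. The Xcode path and the `macos-14` distro chosen for jdk11u in the first hunk are coupled; a comment on the matrix entry such as `# macos-14 image; Xcode_15.2.app is linked in the Xcode step below` keeps them in step when either is bumped again. The step's `- name:` line lies above the hunk.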
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b8c9fc8e7f..8ea5b0a8e1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -409,7 +409,7 @@ jobs:
path: workspace/target/*
- name: Restore build artifacts
- uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
path: ~/${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
From b1f8de0174fc4a96a3c177306ff02ff2f2eece57 Mon Sep 17 00:00:00 2001
From: Adam Farley
Date: Thu, 25 Apr 2024 11:40:12 +0100
Subject: [PATCH 06/17] Centralising sbom dependency data, plus adding versions to sboms (#3709)

This is to centralise the jar versions and shas to simplify future updates, and to enable a user to easily set their own values. This also adds cyclonedx dependency version strings to sboms.
Signed-off-by: Adam Farley Co-authored-by: Martijn Verburg --- cyclonedx-lib/README.md | 11 ++- cyclonedx-lib/build.xml | 68 ++++++++----------- .../shas/commons-codec.jar.sha256 | 1 + .../shas/commons-io.jar.sha256 | 1 + .../shas/cyclonedx-core-java.jar.sha256 | 1 + .../shas/github-package-url.jar.sha256 | 1 + .../shas/jackson-annotations.jar.sha256 | 1 + .../shas/jackson-core.jar.sha256 | 1 + .../shas/jackson-databind.jar.sha256 | 1 + .../shas/jackson-dataformat-xml.jar.sha256 | 1 + .../shas/json-schema.jar.sha256 | 1 + .../versions/commons-codec.jar.version | 1 + .../versions/commons-io.jar.version | 1 + .../versions/cyclonedx-core-java.jar.version | 1 + .../versions/github-package-url.jar.version | 1 + .../versions/jackson-annotations.jar.version | 1 + .../versions/jackson-core.jar.version | 1 + .../versions/jackson-databind.jar.version | 1 + .../jackson-dataformat-xml.jar.version | 1 + .../versions/json-schema.jar.version | 1 + cyclonedx-lib/getDependencies | 68 ++++++++++++------- sbin/build.sh | 10 +++ 22 files changed, 104 insertions(+), 71 deletions(-) create mode 100644 cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/versions/commons-codec.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/commons-io.jar.version create mode 100644 
cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/github-package-url.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/jackson-core.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version create mode 100644 cyclonedx-lib/dependency_data/versions/json-schema.jar.version diff --git a/cyclonedx-lib/README.md b/cyclonedx-lib/README.md index 5dc5740a2e..711077035d 100644 --- a/cyclonedx-lib/README.md +++ b/cyclonedx-lib/README.md 
@@ -34,13 +34,12 @@ formulation section (mostly because the author of this added such a section recently) 1. Check that the version of CycloneDX you are using supports the - functionality you want. If not, it will need to be updated. To do this - you need to do three steps [Sample PR](https://github.com/adoptium/temurin-build/pull/3558/files): - - Update [getDependencies](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/getDependencies) with the new version and SHA + functionality you want. If not, it will need to be updated. To do this + you need to do two steps: + - Update the [sha and version files](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/dependency_data) for each jar you plan to change. - Ensure [build.getDependency](https://ci.adoptium.net/job/build.getDependency/) is run to pick up the new version - - Update [build.xml](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml) with the new SHA to allow it to be downloaded successfully during the build (This change can be made along with the getDependencies one if you co--ordinate the update appopriately -2. If the build and java code does not already have support for the CycloneDX functionality that you need the follow ([Sample PR](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml)) - - Updates to [cyclonedx-lib/TemurinGenSBOM.java])https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add a new parameter, a new function to implement it, the call to that function from the `switch` functionality in the `main` function +2. 
If the build and java code does not already have support for the CycloneDX functionality that you need, then follow these steps ([Sample PR](https://github.com/adoptium/temurin-build/pull/3538)) + - Updates to [cyclonedx-lib/TemurinGenSBOM.java](https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add a new parameter, a new function to implement it, the call to that function from the `switch` functionality in the `main` function - Update [cyclonedx-lib/build.xml](https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/build.xml) to add tests for the new functionality - Add a new function to [sbin/common/sbom.sh](https://github.com/adoptium/temurin-build/blob/master/sbin/common/sbom.sh) to add the fields you need - Updates to [sbin/build.sh](https://github.com/adoptium/temurin-build/blob/master/sbin/build.sh) to invoke the new function(s) in sbom.sh diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 09c5059604..eeba51bb12 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -20,9 +20,12 @@ // jscpd:ignore-start --> - + + + + @@ -41,20 +44,12 @@ - - + + - + @@ -91,58 +86,37 @@ - + - + - + - + - + - + - + @@ -505,6 +479,20 @@ + + + + + + + + + + + diff --git a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 new file mode 100644 index 0000000000..a5f27b9cb6 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 @@ -0,0 +1 @@ +b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 new file mode 100644 index 0000000000..854ca3d3eb --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 @@ -0,0 +1 @@ +961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908 \ No newline at end of file 
diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 new file mode 100644 index 0000000000..44090c667a --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 @@ -0,0 +1 @@ +ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 new file mode 100644 index 0000000000..b9d1f60ef1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 @@ -0,0 +1 @@ +8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 new file mode 100644 index 0000000000..95f7e9a2ea --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 @@ -0,0 +1 @@ +2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 new file mode 100644 index 0000000000..c75a5db5e3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 @@ -0,0 +1 @@ +b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 new file mode 100644 index 0000000000..49bdf8a3a5 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 @@ -0,0 +1 @@ +501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424 \ No newline at end of file 
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 new file mode 100644 index 0000000000..bdf90ce8c9 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 @@ -0,0 +1 @@ +edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 new file mode 100644 index 0000000000..492cd69b81 --- /dev/null +++ b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 @@ -0,0 +1 @@ +968991e5718520cdd7b224770f790cf2c241cddf64d10a36c21f9f8b4a15e79c \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version new file mode 100644 index 0000000000..07fe6f6c9f --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version @@ -0,0 +1 @@ +1.15 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version new file mode 100644 index 0000000000..ed0edc885b --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version @@ -0,0 +1 @@ +2.11.0 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version new file mode 100644 index 0000000000..24afbc91d3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version @@ -0,0 +1 @@ +8.0.3 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version new file mode 100644 index 0000000000..13175fdc43 --- /dev/null 
+++ b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version @@ -0,0 +1 @@ +1.4.1 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version new file mode 100644 index 0000000000..fb71e071a1 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version @@ -0,0 +1 @@ +2.14.2 \ No newline at end of file diff --git a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version new file mode 100644 index 0000000000..0c59751cf3 --- /dev/null +++ b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version @@ -0,0 +1 @@ +1.0.77 \ No newline at end of file diff --git a/cyclonedx-lib/getDependencies b/cyclonedx-lib/getDependencies index fbbdca11bc..03164a7b34 100644 --- a/cyclonedx-lib/getDependencies 
+++ b/cyclonedx-lib/getDependencies @@ -2,6 +2,9 @@ LABEL=params.LABEL ? params.LABEL : 'ci.role.test&&hw.arch.x86&&sw.os.linux' +TEMURIN_BUILD_REPO="https://github.com/adamfarley/temurin-build" +TEMURIN_BUILD_BRANCH="add_versions_and_shas_to_build_getdependencies" + stage('Queue') { node("$LABEL") { cleanWs() @@ -9,9 +12,17 @@ stage('Queue') { } } -def fetchSingleFile(String jarFile, String sha, String mavenURL) { - sh 'echo "' + sha + ' sbom_dependencies/' + jarFile + '" >> sbom_dep_shas.txt' +// Fetch a single file from a location under Maven. +// Args: +// - jarFile: The name of the file after we've downloaded it. +// - mavenURL: The file and location of the jarfile to be downloaded (under Maven). +def fetchSingleFile(String jarFile, String mavenURL) { + // Downloads the requested jarfile sh 'curl -L -o "sbom_dependencies/' + jarFile + '" "https://search.maven.org/classic/remotecontent?filepath=' + mavenURL + '"' + + // Puts the matching sha for the jarfile into the list of shas to check. + def jarSHA = readFile(file : './temurin-build/cyclonedx-lib/dependency_data/shas/' + jarFile + '.sha256').replaceAll("\\s","") + sh 'echo "' + jarSHA + ' sbom_dependencies/' + jarFile + '" >> sbom_dependency_shas.txt' } def fetchDeps() { 
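Review bot: `TEMURIN_BUILD_REPO` and `TEMURIN_BUILD_BRANCH` point the job at a user fork (`adamfarley/temurin-build`) and a feature branch, not the `adoptium/temurin-build` repository the README in this same commit links to, and the `fetchDeps` hunk below clones that branch to obtain the `.sha256` values that `sha256sum -c` verifies the downloaded jars against. The integrity check is therefore only as strong as write access to that fork branch, and because a branch rather than a commit is cloned, the expected hashes can change without any change landing in this repository. Before merge these should read `TEMURIN_BUILD_REPO="https://github.com/adoptium/temurin-build"` and `TEMURIN_BUILD_BRANCH="master"`, and the clone should ideally be pinned to a specific commit, or both values exposed as job parameters so a reviewer can see which revision supplied the hashes.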
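Review bot: `fetchSingleFile` locates the hash file through the relative path `./temurin-build/cyclonedx-lib/dependency_data/shas/`, whereas the `fetchDeps` hunk builds `dep_data` from `WORKSPACE` for the version files; the two only agree while the current directory is the workspace root, so pass the directory in as an argument (or reuse the same `WORKSPACE`-based prefix) rather than relying on the cwd. The header comment also omits the function's second effect; suggest appending `// Also appends "<sha256> sbom_dependencies/<jarFile>" to sbom_dependency_shas.txt, read from dependency_data/shas/<jarFile>.sha256, for the later sha256sum -c check.` so the coupling to the hash list is visible at the definition.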
@@ -21,38 +32,45 @@ def fetchDeps() { } timeout(time: time_limit, unit: 'HOURS') { try { + // This allows us to easily specify which of our workspace files are to be archived later. sh 'mkdir sbom_dependencies' - - + // These versions come from https://github.com/CycloneDX/cyclonedx-core-java/tags // Version->spec mappings are in https://github.com/CycloneDX/cyclonedx-core-java#cyclonedx-schema-support - def cyclonedx_core_java_version = "8.0.3" - def jackson_core_version = "2.14.2" - def jackson_annotations_version = "2.14.2" - def jackson_databind_version = "2.14.2" - def json_schema_version = "1.0.77" - def commons_codec_version = "1.15" - def commons_io_version = "2.11.0" - def github_package_url_version = "1.4.1" - - fetchSingleFile("cyclonedx-core-java.jar", "ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5", "org/cyclonedx/cyclonedx-core-java/${cyclonedx_core_java_version}/cyclonedx-core-java-${cyclonedx_core_java_version}.jar") - fetchSingleFile("jackson-core.jar", "b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a", "com/fasterxml/jackson/core/jackson-core/${jackson_core_version}/jackson-core-${jackson_core_version}.jar") - fetchSingleFile("jackson-dataformat-xml.jar", "edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b", "com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson_databind_version}/jackson-dataformat-xml-${jackson_databind_version}.jar") - fetchSingleFile("jackson-databind.jar", "501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424", "com/fasterxml/jackson/core/jackson-databind/${jackson_databind_version}/jackson-databind-${jackson_databind_version}.jar") - fetchSingleFile("jackson-annotations.jar", "2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d", "com/fasterxml/jackson/core/jackson-annotations/${jackson_annotations_version}/jackson-annotations-${jackson_annotations_version}.jar") - fetchSingleFile("json-schema.jar", 
"968991e5718520cdd7b224770f790cf2c241cddf64d10a36c21f9f8b4a15e79c", "com/networknt/json-schema-validator/${json_schema_version}/json-schema-validator-${json_schema_version}.jar") - fetchSingleFile("commons-codec.jar", "b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63", "commons-codec/commons-codec/${commons_codec_version}/commons-codec-${commons_codec_version}.jar") - fetchSingleFile("github-package-url.jar", "8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2", "com/github/package-url/packageurl-java/${github_package_url_version}/packageurl-java-${github_package_url_version}.jar") - fetchSingleFile("commons-io.jar", "961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908", "commons-io/commons-io/${commons_io_version}/commons-io-${commons_io_version}.jar") - - sh 'sha256sum -c sbom_dep_shas.txt' + sh 'git clone -b ' + TEMURIN_BUILD_BRANCH + ' ' + TEMURIN_BUILD_REPO + ' temurin-build' + def dep_data = WORKSPACE + "/temurin-build/cyclonedx-lib/dependency_data/" + + def cyclonedx_core_java_version = readFile(file : dep_data + 'versions/cyclonedx-core-java.jar.version').replaceAll("\\s","") + def jackson_core_version = readFile(file : dep_data + 'versions/jackson-core.jar.version').replaceAll("\\s","") + def jackson_annotations_version = readFile(file : dep_data + 'versions/jackson-annotations.jar.version').replaceAll("\\s","") + def jackson_databind_version = readFile(file : dep_data + 'versions/jackson-databind.jar.version').replaceAll("\\s","") + def json_schema_version = readFile(file : dep_data + 'versions/json-schema.jar.version').replaceAll("\\s","") + def commons_codec_version = readFile(file : dep_data + 'versions/commons-codec.jar.version').replaceAll("\\s","") + def commons_io_version = readFile(file : dep_data + 'versions/commons-io.jar.version').replaceAll("\\s","") + def github_package_url_version = readFile(file : dep_data + 'versions/github-package-url.jar.version').replaceAll("\\s","") + // Each of these fetches 
a jar in the format: fetchSingleFile(jar name post-download, current jar location under Maven) + fetchSingleFile("cyclonedx-core-java.jar", "org/cyclonedx/cyclonedx-core-java/${cyclonedx_core_java_version}/cyclonedx-core-java-${cyclonedx_core_java_version}.jar") + fetchSingleFile("jackson-core.jar", "com/fasterxml/jackson/core/jackson-core/${jackson_core_version}/jackson-core-${jackson_core_version}.jar") + fetchSingleFile("jackson-dataformat-xml.jar", "com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson_databind_version}/jackson-dataformat-xml-${jackson_databind_version}.jar") + fetchSingleFile("jackson-databind.jar", "com/fasterxml/jackson/core/jackson-databind/${jackson_databind_version}/jackson-databind-${jackson_databind_version}.jar") + fetchSingleFile("jackson-annotations.jar", "com/fasterxml/jackson/core/jackson-annotations/${jackson_annotations_version}/jackson-annotations-${jackson_annotations_version}.jar") + fetchSingleFile("json-schema.jar", "com/networknt/json-schema-validator/${json_schema_version}/json-schema-validator-${json_schema_version}.jar") + fetchSingleFile("commons-codec.jar", "commons-codec/commons-codec/${commons_codec_version}/commons-codec-${commons_codec_version}.jar") + fetchSingleFile("github-package-url.jar", "com/github/package-url/packageurl-java/${github_package_url_version}/packageurl-java-${github_package_url_version}.jar") + fetchSingleFile("commons-io.jar", "commons-io/commons-io/${commons_io_version}/commons-io-${commons_io_version}.jar") + + + // Check that every file matches the sha of the file we expected. + sh 'sha256sum -c sbom_dependency_shas.txt' + + // Store all retrieved files on Jenkins, for use during sbom creation. archiveArtifacts '**/sbom_dependencies/*' } finally { + // Clean up workspace. cleanWs() } } } - return this diff --git a/sbin/build.sh b/sbin/build.sh index e16e273ad9..a11cc64761 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
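Review bot: `jackson-dataformat-xml.jar` is still fetched with `${jackson_databind_version}` in its Maven path, even though this commit adds `versions/jackson-dataformat-xml.jar.version` and the `sbin/build.sh` hunk records that file's content in the SBOM; the file is never read here, so the SBOM can state a version the pipeline did not fetch, and a bump to that file alone would only surface as a `sha256sum -c` failure. Read the dedicated file and use it: `def jackson_dataformat_xml_version = readFile(file : dep_data + 'versions/jackson-dataformat-xml.jar.version').replaceAll("\\s","")` and `fetchSingleFile("jackson-dataformat-xml.jar", "com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson_dataformat_xml_version}/jackson-dataformat-xml-${jackson_dataformat_xml_version}.jar")`. The eight `readFile(...).replaceAll("\\s","")` lines also share one shape; a small `readVersion(name)` helper would make the list read as data. `fetchDeps` begins outside the hunk.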
@@ -920,6 +920,7 @@ generateSBoM() {
# Set default SBOM formulation
addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX"
addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs"
+ addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions"
# Below add build tools into metadata tools
if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then
@@ -1128,6 +1129,15 @@ addCycloneDXVersions() {
JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
fi
addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
+ # Now the jar's SHA has been added, we add the version string.
+ JarVersionFile="$(joinPath ${CYCLONEDB_DIR} dependency_data versions ${JarName}.version)"
+ if [ -f "${JarVersionFile}" ]; then
+ JarVersionString=$(cat "${JarVersionFile}")
+ addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}" "${JarVersionString}"
+ elif [ "${JarName}" != "temurin-gen-sbom.jar" ]; then
+ echo "ERROR: Cannot find jar version file for SBOM creation dependency ${JarName}."
+ echo "ERROR: Expected location: ${JarVersionFile}"
+ fi
done
fi
}
From c3c4a96769ce2400bb5112c812e2ddf8d7a59a4c Mon Sep 17 00:00:00 2001
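Review bot: In the `addCycloneDXVersions` hunk the missing-version-file branch prints `ERROR:` twice and then continues, so the build can still emit an SBOM whose "CycloneDX jar versions" formulation silently lacks that jar while the log claims an error; either follow the second echo with `exit 1`, or downgrade the wording to `WARNING:` if an incomplete formulation is acceptable. `JarVersionString=$(cat "${JarVersionFile}")` also keeps any trailing whitespace from the file, whereas the Jenkins side strips it with `replaceAll("\\s","")`; `JarVersionString=$(tr -d '[:space:]' < "${JarVersionFile}")` gives both consumers the same value. `${CYCLONEDB_DIR}` and `${JarName}` are unquoted inside the `joinPath` command substitution. The enclosing `addCycloneDXVersions` function starts outside the hunk.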
From: judovana
Date: Fri, 26 Apr 2024 09:49:15 +0200
Subject: [PATCH 07/17] Added check to prevent input of invalid repo as main argument (#3728)

* Added check to prevent input of invalid repo as main argument
* typos removal Update makejdk-any-platform.1
Co-authored-by: Martijn Verburg
* Update makejdk-any-platform.1 from typo
Co-authored-by: Martijn Verburg
* added space sbin/common/common.sh
Co-authored-by: Martijn Verburg
* typos fixed in sbin/common/common.sh
Co-authored-by: Martijn Verburg
* Update sbin/common/common.sh
Co-authored-by: Martijn Verburg
* Update sbin/common/common.sh
Co-authored-by: Martijn Verburg
* Update sbin/common/common.sh
Co-authored-by: Martijn Verburg
---------
Co-authored-by: Martijn Verburg
---
makejdk-any-platform.1 | 3 +++
sbin/common/common.sh | 11 +++++++++++
2 files changed, 14 insertions(+)

diff --git a/makejdk-any-platform.1 b/makejdk-any-platform.1
index f52f95f31d..8b840d9570 100755
--- a/makejdk-any-platform.1
+++ b/makejdk-any-platform.1
@@ -26,6 +26,9 @@ that you are building for further details.
This will start a Docker container and build you the latest Java 8 Temurin binary from the source at https://github.com/adoptium/openjdk-jdk8u
+Note that the main argument, in this case jdk8, is compared and enforced
+against an enumeration - jdk8, jdk8u, ... jdk21, jdk21u, ...jdk. Nothing else.
+You can workaround this by \-\-version switch.
Please visit https://www.adoptium.net for further support
diff --git a/sbin/common/common.sh b/sbin/common/common.sh
index d60dff4b15..45c6ce5857 100755
--- a/sbin/common/common.sh
+++ b/sbin/common/common.sh
@@ -17,6 +17,17 @@ function setOpenJdkVersion() { local forest_name=$1 + # The argument passed here have actually very strict format of jdk8, jdk8u..., jdk + # the build may fail later if this is not honoured. + # If your repository has a different name, you can use --version or build from dir/snapshot + local forest_name_check=0 + echo "$forest_name" | grep -q -e "^jdk$" -e "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" || forest_name_check=$? + if [ ${forest_name_check} -ne 0 ]; then + echo "The mandatory repo argument has a very strict format 'jdk[0-9]{1,3}[u]{0,1}' or just plain 'jdk' for tip. '$forest_name' does not match." + echo "This can be worked around by using '--version jdkXYu'. If set (and matching) then the main argument can have any value." + exit 1 + fi + # Derive the openjdk_core_version from the forest name. local openjdk_core_version=${forest_name} if [[ ${forest_name} == *u ]]; then From fae0d1a0f0e514865679323e459c53580677e26c Mon Sep 17 00:00:00 2001 From: Adam Farley Date: Fri, 26 Apr 2024 10:10:54 +0100 Subject: [PATCH 08/17] dependency_data files do not need licenses (#3772) ...on the basis that they only contain version strings, jar names, and SHAs that are obtained from external sources. Signed-off-by: Adam Farley Co-authored-by: Martijn Verburg --- .licenserc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.licenserc.yaml b/.licenserc.yaml index a346f887fd..48cd41bf16 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -46,5 +46,6 @@ header: - 'sbin/*.template' - '.github/linters/*' - 'cyclonedx-lib/getDependencies' + - 'cyclonedx-lib/dependency_data/**' - 'makejdk-any-platform.1' - 'serverTimestamp.properties' From b7cadc52d2db0c45c4a12241df2f2967f2267453 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 30 Apr 2024 01:02:23 -0700 Subject: [PATCH 09/17] [StepSecurity] Apply security best practices (#3775) * [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot * Update codeql.yml --------- 
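Review bot: The two diagnostics on the rejection path in setOpenJdkVersion go to stdout, where they are interleaved with (or swallowed by) whatever captures the build output; send them to stderr with `echo "..." >&2` so the reason for the `exit 1` is visible. The new comment also reads awkwardly — suggest `# The argument passed here must have the strict form jdk8, jdk8u, ..., jdk; the build may fail later if this is not honoured.` The check runs unconditionally on the forest name, while the message presents `--version` as the workaround; confirm that the caller really bypasses this function when `--version` is given, since that is not visible in the hunk. The function continues past the end of the hunk.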
Signed-off-by: StepSecurity Bot Co-authored-by: George Adams --- .github/workflows/build-autotriage.yml | 3 + .github/workflows/codeql.yml | 86 ++++++++++++++++++++++++++ .github/workflows/comment-bot.yml | 3 + .github/workflows/labeler.yml | 3 + .github/workflows/signsbom.yml | 3 + .github/workflows/testsbom.yml | 3 + 6 files changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/build-autotriage.yml b/.github/workflows/build-autotriage.yml index 493e35f033..3f57adfc2b 100644 --- a/.github/workflows/build-autotriage.yml +++ b/.github/workflows/build-autotriage.yml @@ -22,6 +22,9 @@ on: env: TRIAGE_SCRIPT: "tooling/build_autotriage/build_autotriage.sh" +permissions: + contents: read + jobs: autotriage: permissions: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..fc185dcc55 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,86 @@ +# ******************************************************************************** +# Copyright (c) 2021 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/comment-bot.yml b/.github/workflows/comment-bot.yml index d8e3d3eff6..43f066a55c 100644 --- a/.github/workflows/comment-bot.yml +++ b/.github/workflows/comment-bot.yml @@ -17,6 +17,9 @@ on: pull_request_target: types: [ opened ] +permissions: + contents: read + jobs: comment: permissions: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index c328a846b4..383db66df5 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -19,6 +19,9 @@ on: issues: issue_comment: +permissions: + contents: read + jobs: label: permissions: 
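Review bot: The new codeql.yml still carries the GitHub starter-template scaffolding — the `******** NOTE ********` block about detected languages, the literal `[ $supported-codeql-languages ]` placeholder, the emoji lines and the commented-out `# - run: |` build example — none of which says anything about this repository; trim it to a one-line comment stating which sources the `java` matrix entry covers and why autobuild is expected to work for them. `actions/checkout` is pinned to the v3.6.0 commit while the other workflows in this series pin v4.x releases of the actions they use (upload-artifact v4.3.1 in build.yml, for instance); unless the older major is deliberate, align it. With a single-entry `language: ["java"]` matrix the `strategy` block could also be dropped, though that is a matter of taste.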
diff --git a/.github/workflows/signsbom.yml b/.github/workflows/signsbom.yml index 1247e65620..1ba9b3ec54 100644 --- a/.github/workflows/signsbom.yml +++ b/.github/workflows/signsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_sign: name: sign_sbom diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testsbom.yml index 25ae42d763..f6825c06b5 100644 --- a/.github/workflows/testsbom.yml +++ b/.github/workflows/testsbom.yml @@ -26,6 +26,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: test_sbom_gen: name: gen_sbom From 2663a0a9f41b1a1137449e347752ed006b4f60a6 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Tue, 30 Apr 2024 09:58:15 +0100 Subject: [PATCH 10/17] update SBOM validator for April 2024 (#3771) Signed-off-by: Stewart X Addison --- tooling/release_download_test.sh | 2 +- tooling/validateSBOMcontent.sh | 23 +++++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/tooling/release_download_test.sh b/tooling/release_download_test.sh index 12186a8827..32cbb40e73 100755 --- a/tooling/release_download_test.sh +++ b/tooling/release_download_test.sh @@ -344,7 +344,7 @@ verify_gcc_version() { # shellcheck disable=SC2166 [ "${MAJOR_VERSION}" = "8" -o "${MAJOR_VERSION}" = "11" ] && expected_gcc=7.5.0 [ "${MAJOR_VERSION}" = "17" ] && expected_gcc=10.3.0 - [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.2.0 + [ "${MAJOR_VERSION}" -ge 20 ] && expected_gcc=11.3.0 if ! strings tarballtest/bin/java | grep "^GCC:.*${expected_gcc}"; then print_error "GCC version detected in the JDK java executable is not the expected ${expected_gcc}" 
diff --git a/tooling/validateSBOMcontent.sh b/tooling/validateSBOMcontent.sh index 9c3b6a874e..56e98c6f60 100755 --- a/tooling/validateSBOMcontent.sh +++ b/tooling/validateSBOMcontent.sh @@ -41,7 +41,11 @@ if echo "$SBOMFILE" | grep _solaris_; then EXPECTED_COMPILER="solstudio (Oracle Solaris Studio)" elif echo "$SBOMFILE" | grep _aix_; then EXPECTED_COMPILER="xlc (IBM XL C/C++)" - EXPECTED_FREETYPE=2.8.0 + if [ "$MAJORVERSION" -lt 17 ]; then + EXPECTED_FREETYPE=2.8.0 + else + EXPECTED_FREETYPE=2.13.2 # Bundled version + fi elif echo "$SBOMFILE" | grep _alpine-linux_ > /dev/null; then EXPECTED_FREETYPE=2.11.1 EXPECTED_ALSA=1.1.6 @@ -61,8 +65,12 @@ elif echo "$SBOMFILE" | grep _linux_; then [ "${MAJORVERSION}" = "8" ] && EXPECTED_GCC=7.5.0 [ "${MAJORVERSION}" = "11" ] && EXPECTED_GCC=7.5.0 [ "${MAJORVERSION}" = "17" ] && EXPECTED_GCC=10.3.0 - [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.2.0 && EXPECTED_FREETYPE=Unknown + [ "${MAJORVERSION}" -ge 20 ] && EXPECTED_GCC=11.3.0 && EXPECTED_FREETYPE=Unknown EXPECTED_ALSA=1.1.6 + if echo "$SBOMFILE" | grep _riscv64_ > /dev/null; then + EXPECTED_GCC=10.5.0 # No devkit yet so default in Ubuntu 20.04 + EXPECTED_GLIBC=2.31 + fi #elif echo $SBOMFILE | grep _mac_; then # EXPECTED_COMPILER="clang (clang/LLVM from Xcode 10.3)" elif echo "$SBOMFILE" | grep _x64_windows_; then @@ -73,10 +81,10 @@ elif echo "$SBOMFILE" | grep _x64_windows_; then EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2022)" else # JDK11 and 17 EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2019)" - EXPECTED_FREETYPE=Unknown + EXPECTED_FREETYPE=2.13.2 # Bundled version fi elif echo "$SBOMFILE" | grep _x86-32_windows_; then - EXPECTED_FREETYPE=Unknown + EXPECTED_FREETYPE=2.13.2 # Bundled version if [ "${MAJORVERSION}" = "8" ]; then EXPECTED_COMPILER="microsoft (Microsoft Visual Studio 2013)" EXPECTED_FREETYPE=2.5.3 
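Review bot: The literal `2.13.2 # Bundled version` is now repeated in five places across this hunk and the two that follow (`@@ -87,8` and `@@ -96,8`), so the next freetype bump has to be applied five times and a missed one becomes a false validation failure; define it once near the top of the script, `EXPECTED_BUNDLED_FREETYPE=2.13.2 # freetype shipped inside the JDK image`, and assign from that. The new riscv64 block sets `EXPECTED_GLIBC=2.31` but no check consuming that variable is visible in the hunks; confirm it is compared further down, otherwise the assignment documents nothing. The riscv64 branch also redirects its grep to `/dev/null` while the surrounding `grep _aix_` and `grep _linux_` tests do not, which leaves the file name in the log on those paths — harmless, but worth making consistent.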
@@ -87,8 +95,8 @@ elif echo "$SBOMFILE" | grep _x86-32_windows_; then fi elif echo "$SBOMFILE" | grep _mac_; then # NOTE: mac/x64 native builds >=11 were using "clang (clang/LLVM from Xcode 10.3)" - EXPECTED_FREETYPE=Unknown - EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.0.1)" + EXPECTED_FREETYPE=2.13.2 # Bundled version + EXPECTED_COMPILER="clang (clang/LLVM from Xcode 15.2)" # shellcheck disable=SC2166 if [ "${MAJORVERSION}" = "8" ] && echo "$SBOMFILE" | grep _x64_; then EXPECTED_COMPILER="clang (clang/LLVM)" @@ -96,8 +104,7 @@ elif echo "$SBOMFILE" | grep _mac_; then fi fi -[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=Unknown - +[ "${MAJORVERSION}" -ge 20 ] && EXPECTED_FREETYPE=2.13.2 # Bundled version RC=0 if echo "$SBOMFILE" | grep 'linux_'; then From bc0709af8a0c9373eadfe876bc56e5769230fd42 Mon Sep 17 00:00:00 2001 From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Tue, 30 Apr 2024 18:26:29 +0100 Subject: [PATCH 11/17] Improve security by adding checksum validation to downloads. (#3781) * Improve security by adding checksum validation to downloads. * Fix sha check on windows. --- .azure-devops/build/steps/windows/before.yml | 14 ++++-- .github/workflows/build.yml | 32 +++++++++++-- .../platform-specific-configurations/linux.sh | 36 +++++++++++++-- docker/buildDocker.sh | 7 +++ .../reproducible/linux_repro_build_compare.sh | 45 ++++++++++++++----- 5 files changed, 114 insertions(+), 20 deletions(-) diff --git a/.azure-devops/build/steps/windows/before.yml b/.azure-devops/build/steps/windows/before.yml index ce3f162190..39bf5ecb74 100644 --- a/.azure-devops/build/steps/windows/before.yml +++ b/.azure-devops/build/steps/windows/before.yml 
@@ -46,9 +46,17 @@ steps: # install cygwin and build dependencies - powershell: | $ProgressPreference = 'SilentlyContinue'; - Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe'; - Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64'; - displayName: "[Windows Before] download and install Cygwin" + $DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe"; + $DownloadUrl = 'https://cygwin.com/setup-x86_64.exe'; + $ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8'; + Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile; + + # Calculate SHA256 checksum of the downloaded file + $DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash; + + # Compare calculated checksum with the expected checksum + if ($DownloadedChecksum -eq $ExpectedChecksum) { + Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site # add cygwin bin to PATH - script: | diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ea5b0a8e1..72133a9a85 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -162,7 +162,7 @@ jobs: rm /usr/local/bin/python3-config || true rm /usr/local/bin/python3.11-config || true rm /usr/local/bin/python3.12-config || true - + - name: Install Dependencies run: | brew install automake bash binutils freetype gnu-sed nasm 
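Review bot: The expected checksum is pinned against `https://cygwin.com/setup-x86_64.exe`, an unversioned URL whose contents change with every Cygwin setup release, so this step will fail as soon as upstream publishes a new installer and the only fix available is to re-trust whatever is served at that moment; prefer a versioned artifact URL so the digest and the file it was taken from stay tied together, and add a comment above `$ExpectedChecksum` recording the setup version and where the digest was verified. The `else` branch of the new `if ($DownloadedChecksum -eq $ExpectedChecksum)` is not visible in this rendering of the hunk; if it is absent, a mismatch is logged nowhere and the pipeline continues as though Cygwin were installed, so it should `Write-Error` and `exit 1`. The comparison itself is fine — PowerShell `-eq` on strings is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase constant.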
@@ -173,7 +173,7 @@ jobs: java-version: 7 distribution: 'zulu' if: matrix.version.name == 'jdk8u' - + - name: Select correct Xcode (JDK8) if: matrix.version.name == 'jdk8u' run: | @@ -206,7 +206,7 @@ jobs: TARGET_OS: mac FILENAME: OpenJDK.tar.gz JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }} - + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 name: Collect and Archive Artifacts with: @@ -328,6 +328,19 @@ jobs: curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe" if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Verify Download Of Visual Studio 2017 + shell: powershell + run: | + $expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Install Visual Studio 2017 if: matrix.version == 'jdk8u' run: 
> @@ -343,6 +356,19 @@ jobs: curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe" if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Verify Download Of Visual Studio 2019 + shell: powershell + run: | + $expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Install Visual Studio 2019 if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u' run: > diff --git a/build-farm/platform-specific-configurations/linux.sh b/build-farm/platform-specific-configurations/linux.sh index dca182588d..104d1a3e02 100755 --- a/build-farm/platform-specific-configurations/linux.sh +++ b/build-farm/platform-specific-configurations/linux.sh 
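Review bot: Both new verification steps ("Verify Download Of Visual Studio 2017" in the preceding hunk and "...2019" here) run only when `steps.vs20xx.outputs.cache-hit != 'true'`, so an installer restored from the actions cache is trusted without ever being hashed, even though the cache key — not the contents — is the only thing identifying it; that is precisely the case a checksum is meant to catch. Drop the cache-hit clause from the `if:` of the verify steps (keep it on the download steps) so the hash is checked on every run, which costs well under a second. The two steps are identical apart from file name and digest; a single step taking `$file` and `$expected` from `env` or the matrix would avoid maintaining the same script twice.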
@@ -51,14 +51,44 @@ function locateDragonwell8BootJDK() else echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ... mkdir -p "$PWD/jdk-8" + # if [ "$(uname -m)" = "x86_64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # elif [ "$(uname -m)" = "aarch64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # else + # echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" + # exit 1 + # fi + ## Secure Dragonwell Downloads By Validating Checksums if [ "$(uname -m)" = "x86_64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" + EXPECTED_SHA256="E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd" elif [ "$(uname -m)" = "aarch64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" + EXPECTED_SHA256="ff0594f36d13883972ca0b302d35cca5099f10b8be54c70c091f626e4e308774" else echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" exit 1 fi + # Download the file and calculate its SHA256 checksum + TMP_FILE=$(mktemp) + curl -L "$DOWNLOAD_URL" -o "$TMP_FILE" + + # Calculate the SHA256 
checksum of the downloaded file + ACTUAL_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}') + + # Compare the actual and expected SHA256 checksums + if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then + echo "Checksum verification failed for downloaded file!" + rm "$TMP_FILE" + exit 1 + fi + + # Extract the downloaded file + tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8" + + # Clean up the temporary file + rm "$TMP_FILE" export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8" fi } @@ -333,7 +363,7 @@ if [[ "${CONFIGURE_ARGS}" =~ .*"--with-devkit=".* ]]; then echo "Using gcc from DevKit toolchain specified in configure args" elif [[ "${BUILD_ARGS}" =~ .*"--use-adoptium-devkit".* ]]; then echo "Using gcc from Adoptium DevKit toolchain specified in --use-adoptium-devkit build args" -else +else if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION" -eq 11 ] && [ -r /usr/local/gcc9/ ] && [ "${ARCHITECTURE}" == "aarch64" ]; then # GCC9 rather than 10 requested by Alibaba for now # Ref https://github.com/adoptium/temurin-build/issues/2250#issuecomment-732958466 diff --git a/docker/buildDocker.sh b/docker/buildDocker.sh index 5740d931ca..4b23447b8a 100755 --- a/docker/buildDocker.sh +++ b/docker/buildDocker.sh @@ -129,6 +129,13 @@ useEclipseOpenJ9DockerFiles() mkdir -p "$dockerfileDir" cd "$dockerfileDir" || { echo "Dockerfile directory ($dockerfileDir) was not found"; exit 3; } getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh mkdocker.sh + MKDOCK_SHA="a09a00c2beb9c53985b4c3ed6fb62825d90808775941ab56417bef75a575be55" + mkd_downloaded_sha=$(sha256sum mkdocker.sh | awk '{print $1}') + if [ "$mkd_downloaded_sha" != "$MKDOCK_SHA" ]; then + echo "ERROR: SHA256 checksum mismatch for mkdocker.sh" + exit 1 + fi + chmod +x mkdocker.sh # Generate an Ubuntu1804 Dockerfile using mkdocker.sh "$dockerfileDir/mkdocker.sh" --dist=ubuntu --version=18 --print >> "$dockerfileDir/Dockerfile" 
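Review bot: The x86_64 `EXPECTED_SHA256` value, `"E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd"`, is 65 characters long and starts with an uppercase `E`, whereas `sha256sum` prints exactly 64 lowercase hex digits, so the `!=` comparison can never succeed and the Dragonwell boot-JDK download on x86_64 will always abort with the mismatch message; re-derive the digest from a verified copy of that tarball and paste the 64-character lowercase value. The commented-out copy of the old download block above the new code should be deleted rather than kept — git history preserves it. `curl -L` is also used without `-f`/`--fail`, so an HTTP error page is written to `$TMP_FILE` and only rejected at the checksum; `curl -fL` fails early with a clearer message, and `rm -f "$TMP_FILE"` should run on that path too. locateDragonwell8BootJDK starts before the hunk.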
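Review bot: `MKDOCK_SHA` is pinned against `.../openj9/master/buildenv/docker/mkdocker.sh`, a file that changes whenever upstream commits to master, so the check will trip on the next unrelated upstream change and the natural reaction is to paste in the new hash without reviewing what changed; fetch the script from a fixed commit or tag URL instead (`getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/<pinned-commit>/buildenv/docker/mkdocker.sh mkdocker.sh`, with that commit recorded in a comment next to `MKDOCK_SHA`) so the pin is meaningful. Keeping the URL and the digest adjacent, or both at the top of the script, also keeps the two values that must change together in one place. useEclipseOpenJ9DockerFiles starts before the hunk.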
diff --git a/tooling/reproducible/linux_repro_build_compare.sh b/tooling/reproducible/linux_repro_build_compare.sh index b25407e9a8..7651ac7537 100755 --- a/tooling/reproducible/linux_repro_build_compare.sh +++ b/tooling/reproducible/linux_repro_build_compare.sh @@ -21,7 +21,9 @@ set -e SBOM_PARAM=$1 JDK_PARAM=$2 ANT_VERSION=1.10.5 +ANT_SHA=9028e2fc64491cca0f991acc09b06ee7fe644afe41d1d6caf72702ca25c4613c ANT_CONTRIB_VERSION=1.0b3 +ANT_CONTRIB_SHA=4d93e07ae6479049bb28071b069b7107322adaee5b70016674a0bffd4aac47f9 isJdkDir=false installPrereqs() { @@ -31,8 +33,17 @@ installPrereqs() { yum install -y git bzip2 xz openssl pigz which jq # pigz/which not strictly needed but help in final compression if grep -i release.6 /etc/redhat-release; then if [ ! -r /usr/local/bin/autoconf ]; then - curl https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz | tar xpfz - || exit 1 - (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + curl --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz + ACSHA256=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969 + ACCHKSHA=$(sha256sum ./autoconf-2.69.tar.gz|cut -d" " -f1) + if [ "$ACSHA256" = "$ACCHKSHA" ]; then + echo "Hi" + tar xpfz ./autoconf-2.69.tar.gz || exit 1 + (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + else + echo "ERROR - Checksum For AutoConf Download Is Incorrect" + exit 1; + fi fi fi fi 
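Review bot: `echo "Hi"` in the autoconf branch of installPrereqs is a leftover debug print; remove it or make it informative, e.g. `echo "autoconf-2.69.tar.gz checksum verified"`. The `exit 1;` carries a stray semicolon, and the error message goes to stdout; `echo "ERROR - Checksum For AutoConf Download Is Incorrect" >&2` is how a failing step is normally surfaced. `curl --output` without `-f`/`--fail` saves an HTTP error body and only fails at the checksum, so `-f` gives a clearer failure. installPrereqs continues before and after the hunk.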
@@ -40,15 +51,27 @@ installPrereqs() { # ant required for --create-sbom downloadAnt() { - if [ ! -r /usr/local/apache-ant-${ANT_VERSION}/bin/ant ]; then - echo Downloading ant for SBOM creation: - curl https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip > /tmp/apache-ant-${ANT_VERSION}-bin.zip - (cd /usr/local && unzip -qn /tmp/apache-ant-${ANT_VERSION}-bin.zip) - rm /tmp/apache-ant-${ANT_VERSION}-bin.zip - echo Downloading ant-contrib-${ANT_CONTRIB_VERSION}: - curl -L https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip > /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip - (unzip -qnj /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar -d /usr/local/apache-ant-${ANT_VERSION}/lib) - rm /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip + if [ ! -r "/usr/local/apache-ant-${ANT_VERSION}/bin/ant" ]; then + echo "Downloading ant for SBOM creation..." + curl -o "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip" + ANTCHKSHA=$(sha256sum "/tmp/apache-ant-${ANT_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_SHA" = "$ANTCHKSHA" ]; then + (cd /usr/local && unzip -qn "/tmp/apache-ant-${ANT_VERSION}-bin.zip") + rm "/tmp/apache-ant-${ANT_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant download is incorrect" + exit 1 + fi + echo "Downloading ant-contrib-${ANT_CONTRIB_VERSION}..." 
+ curl -Lo "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + ANTCTRCHKSHA=$(sha256sum "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_CONTRIB_SHA" = "$ANTCTRCHKSHA" ]; then + (unzip -qnj "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar" -d "/usr/local/apache-ant-${ANT_VERSION}/lib") + rm "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant Contrib download is incorrect" + exit 1 + fi fi } From 48a734dfd4db848ac3b7c2ad50e138df7e7ffc59 Mon Sep 17 00:00:00 2001 From: judovana Date: Wed, 1 May 2024 12:14:26 +0200 Subject: [PATCH 12/17] making local alsa properly optional (#3756) * Fixed issue when downloaded alsa was used only for jdk8 * Made download (and its usage) of alsa optional * Update sbin/prepareWorkspace.sh Co-authored-by: Martijn Verburg * s/skip/Skip in makejdk-any-platform.1 Co-authored-by: Martijn Verburg --------- Co-authored-by: Martijn Verburg --- makejdk-any-platform.1 | 6 ++++++ sbin/build.sh | 10 +++++++++- sbin/common/config_init.sh | 7 ++++++- sbin/prepareWorkspace.sh | 9 ++++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/makejdk-any-platform.1 b/makejdk-any-platform.1 index 8b840d9570..a052497fff 100755 --- a/makejdk-any-platform.1 +++ b/makejdk-any-platform.1 
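Review bot: downloadAnt now contains the download–hash–compare–cleanup sequence twice, and installPrereqs (previous hunk) a third time, each with its own variable names (`ANTCHKSHA`, `ANTCTRCHKSHA`, `ACCHKSHA`) and slightly different messages, and none of the three removes the rejected archive on the mismatch path, so a bad `/tmp/...zip` survives into the next run. A small helper keeps the three in step and guarantees the cleanup; the calls in downloadAnt then become `downloadAndVerify "<url>" "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "$ANT_SHA"` followed by the existing unzip/rm lines. Sketch below, name constructed.
```shell
# Fetch $1 into $2 and abort the script unless its SHA-256 equals $3.
downloadAndVerify() {
  curl -fL -o "$2" "$1"
  actual=$(sha256sum "$2" | cut -d" " -f1)
  if [ "$actual" != "$3" ]; then
    echo "ERROR - Checksum for $(basename "$2") is incorrect" >&2
    rm -f "$2"
    exit 1
  fi
}
# … unchanged: downloadAnt body, now calling downloadAndVerify before each unzip …
```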
@@ -48,6 +48,12 @@ Build JDK (tip), defaults to https://github.com/adoptium/jdk .SH OPTIONS .TP +.BR \-A ", " \-\-skip-alsa +Skip downloading of alsa automatically. +If you do so, the underlying configure will detect system lib and headers. +If you wish to point to some custom build/install pass it via \fI\-C, \-\-configure-args \fR +Presence of \-\-with-alsa in \-\-configure-args will also not include freshly installed alsa to build. +.TP .BR \-b ", " \-\-branch " " \fI\fR specify a custom branch to build from, e.g. dev. For reference, Adoptium GitHub source repos default to the \fI\fR diff --git a/sbin/build.sh b/sbin/build.sh index a11cc64761..172ede7609 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -479,7 +479,6 @@ buildingTheRestOfTheConfigParameters() { if [ "${BUILD_CONFIG[OPENJDK_CORE_VERSION]}" == "${JDK8_CORE_VERSION}" ]; then addConfigureArg "--with-x=" "/usr/include/X11" - addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa" fi } @@ -505,6 +504,14 @@ configureDebugParameters() { fi } +configureAlsaLocation() { + if [[ ! "${CONFIGURE_ARGS}" =~ "--with-alsa" ]]; then + if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then + addConfigureArg "--with-alsa=" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[WORKING_DIR]}/installedalsa" + fi + fi +} + configureFreetypeLocation() { if [[ ! "${CONFIGURE_ARGS}" =~ "--with-freetype" ]]; then if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then @@ -551,6 +558,7 @@ configureCommandParameters() { else echo "Building up the configure command..." buildingTheRestOfTheConfigParameters + configureAlsaLocation fi echo "Adjust configure for reproducible build" diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh index fbe3f15f27..79884278ab 100755 --- a/sbin/common/config_init.sh +++ b/sbin/common/config_init.sh 
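Review bot: configureAlsaLocation adds `--with-alsa=.../installedalsa` whenever `BUILD_CONFIG[ALSA]` is true, which is the new default, but the prepareWorkspace change in this same commit only downloads ALSA on Linux, so on any other host that reaches this code path configure is pointed at a directory that does not exist; either guard it the same way prepareWorkspace does, or confirm that the else-branch of configureCommandParameters is only taken on Linux, which is not visible here. The function is a line-for-line copy of configureFreetypeLocation with the name swapped; a shared helper taking the flag, config key and directory would avoid the duplicated `=~` guard. A one-line comment above the function, `# Point configure at the locally built ALSA unless the caller passed --with-alsa or -A/--skip-alsa`, would help the next reader.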
@@ -31,6 +31,7 @@ CONFIG_PARAMS=( ADOPTIUM_DEVKIT_LOCATION ADOPT_PATCHES +ALSA ASSEMBLE_EXPLODED_IMAGE OPENJDK_BUILD_REPO_BRANCH OPENJDK_BUILD_REPO_URI @@ -297,6 +298,9 @@ function parseConfigurationArguments() { "--skip-freetype" | "-F" ) BUILD_CONFIG[FREETYPE]=false;; + "--skip-alsa" | "-A" ) + BUILD_CONFIG[ALSA]=false;; + "--help" | "-h" ) man ./makejdk-any-platform.1 && exit 0;; @@ -477,7 +481,8 @@ function configDefaults() { BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JDK_FLAG]="false" BUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JRE_FLAG]="false" - BUILD_CONFIG[FREETYPE]=true + BUILD_CONFIG[ALSA]="true" + BUILD_CONFIG[FREETYPE]="true" BUILD_CONFIG[FREETYPE_DIRECTORY]="" BUILD_CONFIG[FREETYPE_FONT_VERSION]="86bc8a95056c97a810986434a3f268cbe67f2902" # 2.9.1 BUILD_CONFIG[FREETYPE_FONT_BUILD_TYPE_PARAM]="" diff --git a/sbin/prepareWorkspace.sh b/sbin/prepareWorkspace.sh index 38738f5c25..d2ad91dc88 100644 --- a/sbin/prepareWorkspace.sh +++ b/sbin/prepareWorkspace.sh @@ -314,6 +314,7 @@ createWorkspace() { # ALSA first for sound checkingAndDownloadingAlsa() { + cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit echo "Checking for ALSA" @@ -667,7 +668,13 @@ downloadingRequiredDependencies() { echo "Non-Linux-based environment detected, skipping download of dependency Alsa." else echo "Checking and downloading Alsa dependency because OSTYPE=\"${OSTYPE}\"" - checkingAndDownloadingAlsa + if [[ "${BUILD_CONFIG[ALSA]}" == "true" ]]; then + checkingAndDownloadingAlsa + else + echo "" + echo "---> Skipping the process of checking and downloading the Alsa dependency, a pre-built version should be provided via -C/--configure-args <---" + echo "" + fi fi if [[ "${BUILD_CONFIG[FREETYPE]}" == "true" ]]; then From 6aa6c942d0b3ba640f4262808c571c5210229b09 Mon Sep 17 00:00:00 2001 
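Review bot: The `cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit` added at the top of checkingAndDownloadingAlsa changes the working directory of the calling shell, not just of this function, so everything downloadingRequiredDependencies runs afterwards (the freetype path right below, for instance) now starts in `libs/` rather than where it started before; if the function needs to run there, wrap its body in a subshell, `( cd "${BUILD_CONFIG[WORKSPACE_DIR]}/libs/" || exit 1; ... )`, or use `pushd`/`popd` so the caller's cwd is restored. `|| exit` with no status reuses cd's non-zero status and works, but `|| exit 1` says what it means. The rest of checkingAndDownloadingAlsa is outside the hunk, so it may already have depended on a `cd` elsewhere — check that before changing it.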
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com> Date: Thu, 2 May 2024 14:56:05 +0100 Subject: [PATCH 13/17] Github: Add Semgrep Check On Pull Request (#3688) * Add Semgrep Diff GHA * Create .semgrepignore * Use centralised GHA workflow --------- Co-authored-by: Martijn Verburg --- .github/workflows/semgrep_diff.yml | 8 ++++++++ .semgrepignore | 1 + 2 files changed, 9 insertions(+) create mode 100644 .github/workflows/semgrep_diff.yml create mode 100644 .semgrepignore diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml new file mode 100644 index 0000000000..cb5f228812 --- /dev/null +++ b/.github/workflows/semgrep_diff.yml @@ -0,0 +1,8 @@ +--- +name: Semgrep Differential Scan +on: + pull_request: + +jobs: + semgrep-diff: + uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/.semgrepignore @@ -0,0 +1 @@ + From a0b6241a71ed2e28d3a4d4ac99bebdd405dd9b35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 11:13:24 +0100 Subject: [PATCH 14/17] build(deps): bump github/codeql-action from 2.25.3 to 3.25.3 (#3779) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.25.3 to 3.25.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2.25.3...d39d31e687223d841ef683f52467bd88e9b21c14) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... 
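Review bot: semgrep_diff.yml calls the reusable workflow at a mutable ref, `adoptium/.github/.github/workflows/semgrep_diff.yml@main`, while every other action in this repository is pinned to a commit SHA with a version comment (see the codeql hunks); anyone with push access to that repository's main branch can change what runs against every pull request here, so pin it to a SHA, or at least a tag, with the version in a trailing comment. The workflow also declares no top-level `permissions:`, unlike the five workflows tightened in the StepSecurity commit; add `permissions: contents: read` at the top, since a called workflow can only narrow the permissions it is given, not widen them — hedged, as the called workflow's own requirements are not visible here. The `.semgrepignore` file is created empty, which is fine, but a one-line comment saying it is intentionally empty would stop the next reader wondering whether content was lost.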
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Martijn Verburg --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/ossf-scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fc185dcc55..ca1ba173f3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,7 +58,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -68,7 +68,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -81,6 +81,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3 + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 2aabc32333..8529c0fb96 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml 
@@ -46,6 +46,6 @@ jobs: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v2.13.4 with: sarif_file: results.sarif From 9982cfef4b761e27cf3b50f42d850bfcdf82f08d Mon Sep 17 00:00:00 2001 From: judovana Date: Sun, 5 May 2024 21:58:13 +0200 Subject: [PATCH 15/17] Making grep -q -e -e usable on solaris (#3788) * Making grep -q -e -e usable on solaris replacing -q by /dev/null repalcing double -e by two greps * Merged the two expressions to single regex * Revert "Merged the two expressions to single regex" This reverts commit 8695cbc1ac639c9d86e94b87d68616718a7fee20. * Added comment for future people who wish to make the regex and if nicer * language changes fixes in common.sh Co-authored-by: Martijn Verburg --------- Co-authored-by: Martijn Verburg --- sbin/common/common.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sbin/common/common.sh b/sbin/common/common.sh index 45c6ce5857..0fbcca594a 100755 --- a/sbin/common/common.sh +++ b/sbin/common/common.sh 
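Review bot: The trailing version comment on the new `upload-sarif` line still reads `# v2.13.4`, while the SHA `d39d31e687223d841ef683f52467bd88e9b21c14` is the same one the codeql.yml hunks in this patch annotate as `# v3.25.3`; that comment is what Dependabot and human reviewers use to verify a SHA pin, so a stale one undermines the point of pinning. Change the line to `- uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3`. Note that the previous pin in this workflow was v2.13.4, so for the scorecard job this is a larger jump than the 2.25.3 → 3.25.3 stated in the commit message.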
@@ -20,9 +20,12 @@ function setOpenJdkVersion() { # The argument passed here have actually very strict format of jdk8, jdk8u..., jdk # the build may fail later if this is not honoured. # If your repository has a different name, you can use --version or build from dir/snapshot - local forest_name_check=0 - echo "$forest_name" | grep -q -e "^jdk$" -e "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" || forest_name_check=$? - if [ ${forest_name_check} -ne 0 ]; then + local forest_name_check1=0 + local forest_name_check2=0 + # This two returns condition is there to make grep on solaris happy. -e, -q and \( and \| do not work on that platform + echo "$forest_name" | grep "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" >/dev/null || forest_name_check1=$? + echo "$forest_name" | grep "^jdk$" >/dev/null || forest_name_check2=$? + if [ ${forest_name_check1} -ne 0 ] && [ ${forest_name_check2} -ne 0 ]; then echo "The mandatory repo argument has a very strict format 'jdk[0-9]{1,3}[u]{0,1}' or just plain 'jdk' for tip. '$forest_name' does not match." echo "This can be worked around by using '--version jdkXYu'. If set (and matching) then the main argument can have any value." exit 1 From 797c3f06e959a71ef4650f7309c82a2ffdea2942 Mon Sep 17 00:00:00 2001 From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com> Date: Tue, 7 May 2024 19:10:33 +0100 Subject: [PATCH 16/17] Fix codefreeze to check PR target branch correctly (#3794) * Fix codefreeze to check PR target branch correctly Signed-off-by: Andrew Leonard * fix license checker --------- Signed-off-by: Andrew Leonard Co-authored-by: George Adams --- .github/workflows/code-freeze.yml | 16 +++++++++++++--- .github/workflows/semgrep_diff.yml | 13 +++++++++++++ .licenserc.yaml | 3 ++- RELEASING.md | 2 +- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml index f43ad22696..506c913319 100644 --- a/.github/workflows/code-freeze.yml 
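Review bot: `echo "$forest_name"` on the two new grep lines passes a caller-supplied argument through `echo`, which in bash swallows a value of exactly `-n`, `-e` or `-E` as an option (the check then fails closed, but with a misleading message) and under an `sh` that honours escapes could print `jdk17\c` as `jdk17` so the value that passes validation is not the one the variable keeps; `printf '%s\n' "$forest_name"` emits the string verbatim on every platform. The change is the two pipelines: `printf '%s\n' "$forest_name" | grep "^jdk[0-9]\\{1,3\\}[u]\\{0,1\\}$" >/dev/null || forest_name_check1=$?` and `printf '%s\n' "$forest_name" | grep "^jdk$" >/dev/null || forest_name_check2=$?`. Since the function already relies on bash (`local`, `function`), a `case "$forest_name" in jdk|jdk[0-9]|jdk[0-9]u|...)` pattern would avoid grep's platform differences entirely, at the cost of spelling out the one-to-three-digit forms. The `[u]` bracket expression can simply be `u`; it matches identically and reads better next to the `\{0,1\}` quantifier.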
+++ b/.github/workflows/code-freeze.yml @@ -1,5 +1,5 @@ # ******************************************************************************** -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) with this work for additional # information regarding copyright ownership. @@ -16,7 +16,8 @@ name: Code Freeze Bot # Controls when the workflow will run on: pull_request_target: - branches: [ "v[0-9]+.[0-9]+.[0-9]+" ] + branches: + - '*' issue_comment: types: [created] @@ -25,6 +26,15 @@ permissions: pull-requests: write jobs: - codefreeze: + # Check if the pull request target branch matches the required branch-regex? + codefreeze_branch_check: + uses: adoptium/.github/.github/workflows/code-freeze-regex-branch.yml@main + with: + branch-regex: "^v[0-9]+.[0-9]+.[0-9]+$" + + # Code freeze if branch-regex matches + codefreeze_if_branch_match: + needs: codefreeze_branch_check uses: adoptium/.github/.github/workflows/code-freeze.yml@main + if: (github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && github.event.issue.pull_request)) && needs.codefreeze_branch_check.outputs.regex-matches == 'true' secrets: inherit diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml index cb5f228812..1887e6dbb9 100644 --- a/.github/workflows/semgrep_diff.yml +++ b/.github/workflows/semgrep_diff.yml 
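Review bot: Widening the `pull_request_target` trigger from the release-branch pattern to `'*'` means `codefreeze_branch_check` now runs for every pull request, including ones from forks, under the workflow-level `pull-requests: write` token, and only the second job is gated by `needs`/`if`; whether that is safe depends on what `code-freeze-regex-branch.yml` does with the token and with PR-controlled data, which is outside this patch, so a comment such as `# Runs for every PR: this job must only inspect the target branch name, never check out or run PR code` would record the assumption a reviewer has to make. The `branch-regex` value `"^v[0-9]+.[0-9]+.[0-9]+$"` leaves the dots unescaped, so a branch like `v2024x05x01` would also be frozen; write it as `branch-regex: "^v[0-9]+\\.[0-9]+\\.[0-9]+$"` (a double backslash inside YAML double quotes) or `branch-regex: '^v[0-9]+\.[0-9]+\.[0-9]+$'`. Both `uses:` lines reference the shared workflows at `@main`, a mutable ref for jobs that run with write permission and `secrets: inherit`; if the org repository offers tags or SHAs, pinning them would match how this repository pins every other action.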
@@ -1,3 +1,16 @@ +# ******************************************************************************** +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** + --- name: Semgrep Differential Scan on: diff --git a/.licenserc.yaml b/.licenserc.yaml index 48cd41bf16..125b90a34a 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -28,7 +28,7 @@ header: SPDX-License-Identifier: Apache-2.0 ******************************************************************************** - pattern: Copyright (c) \d{4} Contributors to the Eclipse Foundation + pattern: Copyright (c) ((\d{4})(, \d{4})*) Contributors to the Eclipse Foundation comment: on-failure @@ -39,6 +39,7 @@ header: - '**/*.asc' - '.gitignore' - '.dockerignore' + - '.semgrepignore' - 'docker/.gitignore' - 'security/.gitignore' - 'security/mk-ca-bundle.pl' diff --git a/RELEASING.md b/RELEASING.md index 07cbf1757b..29112911c2 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -54,7 +54,7 @@ Create release branch in the format `vYYYY.MM.NN` on each of the following repos - ci-jenkins-pipelines - jenkins-helper -These branches should be named according to the following format (vYYYY.MM+NN) ,e.g v2023.03+01 , whereby the final element is an incremental counter appended to the year and month of the release. +These branches should be named according to the following format (vYYYY.MM.NN) ,e.g v2023.03.01 , whereby the final element is an incremental counter appended to the year and month of the release. If anything needs to be merged into the new branch, it should typically be merged into master, then a `git cherry-pick` operation should be done to create a new PR against the release branch. This can typically be merged without further approval. From 675cc099ecd2e2cdbea14e96a71d4e5aab400282 Mon Sep 17 00:00:00 2001 From: George Adams Date: Wed, 8 May 2024 10:57:47 +0100 Subject: [PATCH 17/17] switch pull-request-action back to tagged release (#3797) --- .github/workflows/ca-cert-updater.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ca-cert-updater.yml b/.github/workflows/ca-cert-updater.yml index c07ead59fd..3a4a60085d 100644 --- a/.github/workflows/ca-cert-updater.yml +++ b/.github/workflows/ca-cert-updater.yml @@ -35,7 +35,7 @@ jobs: working-directory: ./security run: "./mk-ca-bundle.pl" - - uses: gr2m/create-or-update-pull-request-action@dc1726cbf4dd3ce766af4ec29cfb660e0125e8ee # v1 + - uses: gr2m/create-or-update-pull-request-action@86ec1766034c8173518f61d2075cc2a173fb8c97 # v1.9.4 env: GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }} with: