temurin-build
temurin-build copied to clipboard
adoptium
Define policy for identifying security issues in prerequisite software products
Once we have determine which components are critical for the build process on each platform we should use this information to determine policies regarding how/when/if to perform updates or mitigate them and start using those policies so that we avoid being exposed via CVEs which may be raised by our customers. We should be proactive in identifying and resolving such issues.
Initial list of software that would be in scope for this for Temurin builds (currently excluding the items supplied with the OS such as glibc, cups, systemtap and X11 libraries)
- Compiler (gcc, xlc, VS, Xcodeetc.)
- freetype
- alsa
- zlib
- ant? (Used for SBOM creation but not the build itself)
Need to verify which of these are now included in the SBOM and whether others would be required.
I'm going to list the products in this comment as they are identified along with their official page, and a link to any related CVEs as a basis for this:
| Product | Home page | CVE list |
|---|---|---|
| Compiler - gcc (Linux) | https://gcc.gnu.org/ | CVEdetails |
| Compiler - xlc (AIX) | https://www.ibm.com/products/xl-c-aix-compiler-power | ? |
| Compiler - VS (Windows) | https://visualstudio.microsoft.com/vs/community/ | CVEdetails |
| Compiler - Xcode (macos) | https://developer.apple.com/xcode/ | CVEdetails |
| Freetype | https://freetype.org/ | CVEdetails |
| ALSA | https://alsa-project.org | CVEdetails |
| zlib | https://www.zlib.net/ | CVEdetails |
| Apache Ant | https://ant.apache.org/ | CVEdetails |
| GNU Make | https://www.gnu.org/software/make/ | CVEdetails |
We now have a reasonably complete SBOM, only missing some of the compiler details for non-Linux platforms.
It should be noted that zlib, freetype and alsa are all things which are included into the openjdk build, and therefore we should ensure that we follow the advice of the upstream openjdk project where feasible to ensure we remain secure. The other tools are things we have full control over and should aim to monitor those on a regular basis to ensure that our machines are suitably secure, which means we should review the CVEs on a regular basis - either monthly, or on a cycle that matches the quarterly PSU updates of Eclipse Temurin.
- zlib using the bundled version in 21 and then in other versions for the October release
- freetype is still inconsistent and perhaps needs an approach similar to what we've now done with zlib