Open sxa opened 1 year ago
sxa
commented
1 year ago Initial list of software that would be in scope for this for Temurin builds (currently excluding the items supplied with the OS such as glibc, cups, systemtap and X11 libraries)
sxa
commented
1 year ago Need to verify which of these are now included in the SBOM and whether others would be required.
sxa
commented
1 year ago I'm going to list the products in this comment as they are identified along with their official page, and a link to any related CVEs as a basis for this:
| Product | Home page | CVE list |
|---|---|---|
| Compiler - gcc (Linux) | https://gcc.gnu.org/ | CVEdetails |
| Compiler - xlc (AIX) | https://www.ibm.com/products/xl-c-aix-compiler-power | ? |
| Compiler - VS (Windows) | https://visualstudio.microsoft.com/vs/community/ | CVEdetails |
| Compiler - Xcode (macos) | https://developer.apple.com/xcode/ | CVEdetails |
| Freetype | https://freetype.org/ | CVEdetails |
| ALSA | https://alsa-project.org | CVEdetails |
| zlib | https://www.zlib.net/ | CVEdetails |
| Apache Ant | https://ant.apache.org/ | CVEdetails |
| GNU Make | https://www.gnu.org/software/make/ | CVEdetails |
sxa
commented
10 months ago We now have a reasonably complete SBOM, only missing some of the compiler details for non-Linux platforms.
It should be noted that zlib, freetype and alsa are all things which are included into the openjdk build, and therefore we should ensure that we follow the advice of the upstream openjdk project where feasible to ensure we remain secure. The other tools are things we have full control over and should aim to monitor those on a regular basis to ensure that our machines are suitably secure, which means we should review the CVEs on a regular basis - either monthly, or on a cycle that matches the quarterly PSU updates of Eclipse Temurin.
Once we have determine which components are critical for the build process on each platform we should use this information to determine policies regarding how/when/if to perform updates or mitigate them and start using those policies so that we avoid being exposed via CVEs which may be raised by our customers. We should be proactive in identifying and resolving such issues.