chains-project / sbom.exe

calls the police if a prohibited class is loaded by the JVM
https://arxiv.org/abs/2407.00246
MIT License

Not allowed classes for `graphhopper` #240

Open algomaster99 opened 2 months ago

algomaster99 commented 2 months ago
```text
[NOT ALLOWLISTED]: jdk/proxy2/$Proxy38
[NOT ALLOWLISTED]: jdk/proxy2/$Proxy39
[NOT ALLOWLISTED]: com/sun/proxy/jdk/proxy1/$Proxy40
[MODIFIED]: jdk/proxy2/$Proxy41
[NOT ALLOWLISTED]: io/dropwizard/jersey/DropwizardResourceConfig$SpecificBinderc2dc9ea4-857e-4536-96f8-30074f586c33
[NOT ALLOWLISTED]: io/dropwizard/jersey/DropwizardResourceConfig$SpecificBinder6d2ebb7b-7303-4840-bc4f-a83ce59b5e6a
[NOT ALLOWLISTED]: com/graphhopper/util/GitInfo
```
algomaster99 commented 2 months ago

```text
[MODIFIED]: jdk/proxy2/$Proxy41
```

Fixed via #241

algomaster99 commented 2 months ago

The proxy classes are fixed by introducing a test that emulates starting a server. The caveat here is that the config.yml should be exhaustive and trigger all classes.

algomaster99 commented 2 months ago

The dropwizard library generates classes based on a UUID.
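
The two failure modes in this thread, dynamic proxies whose `$ProxyN` number is assigned in load order and binder classes whose name embeds a fresh UUID, are both cases where the class name cannot be known when the allowlist is built. The following is an added illustration of the check, not sbom.exe's own code: it assumes an allowlist keyed by internal class name with a SHA-256 of the class bytes, that `[MODIFIED]` means the name is present but the bytes hash differently, and that `[NOT ALLOWLISTED]` means the name is absent. The sample allowlist and class bytes are constructed placeholders; the name patterns and the optional pattern fallback are this example's own design, not a feature of the project.

```python
"""
Added illustration (not sbom.exe code) of a JVM class allowlist verdict:
ALLOWED / MODIFIED / NOT ALLOWLISTED, plus an optional, weaker fallback that
recognises runtime-generated names (jdk dynamic proxies, UUID-suffixed
dropwizard binders) by pattern instead of by exact name and hash.
"""
import hashlib
import re


def fingerprint(class_bytes: bytes) -> str:
    """Hash of the raw .class bytes, as an allowlist would record at build time."""
    return hashlib.sha256(class_bytes).hexdigest()


# Constructed allowlist: internal class name -> fingerprint of its bytes.
# The byte strings stand in for real .class files.
ALLOWLIST = {
    "com/graphhopper/GraphHopper": fingerprint(b"GraphHopper.class v1"),
    # recorded in one run, where the 41st proxy was built for interface A
    "jdk/proxy2/$Proxy41": fingerprint(b"proxy for interface A"),
}

# Names that are generated at runtime and therefore absent from any SBOM.
# Assumed patterns, derived from the names quoted in this issue.
GENERATED_NAME_PATTERNS = [
    (re.compile(r"^(?:com/sun/proxy/)?jdk/proxy\d+/\$Proxy\d+$"),
     "jdk dynamic proxy"),
    (re.compile(r"^io/dropwizard/jersey/DropwizardResourceConfig\$SpecificBinder"
                r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
     "dropwizard UUID-named binder"),
]


def classify(name: str, class_bytes: bytes, allowlist=ALLOWLIST,
             allow_generated: bool = False) -> str:
    """Verdict for one loaded class. Exact name+hash match wins; a name that is
    present with different bytes is MODIFIED; anything else is NOT ALLOWLISTED
    unless the caller opts into the pattern fallback for generated names."""
    expected = allowlist.get(name)
    if expected is not None:
        return "ALLOWED" if fingerprint(class_bytes) == expected else "MODIFIED"
    if allow_generated:
        for pattern, reason in GENERATED_NAME_PATTERNS:
            if pattern.match(name):
                return f"GENERATED ({reason})"
    return "NOT ALLOWLISTED"


def check_loaded(loaded, **kwargs):
    """Report in the same '[VERDICT]: name' style as the output in this issue.
    `loaded` is an iterable of (internal name, class bytes) in load order."""
    return [f"[{classify(name, data, **kwargs)}]: {name}" for name, data in loaded]


# Constructed load sequence from a second run, where proxies were numbered
# differently because a different set of classes was exercised first.
SAMPLE_LOADED = [
    ("com/graphhopper/GraphHopper", b"GraphHopper.class v1"),
    ("jdk/proxy2/$Proxy41", b"proxy for interface B"),      # same number, other bytes
    ("jdk/proxy2/$Proxy38", b"proxy for interface A"),      # other number, never recorded
    ("com/sun/proxy/jdk/proxy1/$Proxy40", b"proxy for interface C"),
    ("io/dropwizard/jersey/DropwizardResourceConfig$SpecificBinder"
     "c2dc9ea4-857e-4536-96f8-30074f586c33", b"binder bytes"),
    ("com/graphhopper/util/GitInfo", b"GitInfo.class"),
]

if __name__ == "__main__":
    print("strict:")
    print("\n".join(check_loaded(SAMPLE_LOADED)))
    print("with generated-name fallback:")
    print("\n".join(check_loaded(SAMPLE_LOADED, allow_generated=True)))
```

The strict pass reproduces the shape of the report above: `$Proxy41` comes out `MODIFIED` because the counter-assigned name collides with a different proxy, and `$Proxy38` comes out `NOT ALLOWLISTED` because that number was never reached when the allowlist was built. The pattern fallback silences both, but it accepts any class whose name matches the pattern, including one an attacker chose to name `jdk/proxy2/$Proxy99`, so it is a weaker guarantee than the exact fingerprint; that is why the fix for the proxies in this thread is to exercise the server startup so the real proxies get recorded, which only works if the run is exhaustive. For the UUID-named binder no recording pass can help, since the name changes with every run, so the choice is between a pattern rule and accepting the report line.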

algomaster99 commented 2 months ago

We need to write a test for com.graphhopper.util.GitInfo because the released POM links to artefacts in SNAPSHOT versions.

algomaster99 commented 1 month ago

`--add-opens java.desktop/java.awt=ALL-UNNAMED`