Add timestamps to repro_compare.sh and friends

[sxa]

This adds time stamps to the steps in the reproducible comparison script just to be able to compare how long it takes when it's running (particularly on machines with different disks).
It slightly changes the wording on some of the echo statements to to clarify what tools are being used for each step.
I've also enabled the use of unzip -q instead of unzip ... > /dev/null which looks nicer.
I have also added -quiet to the openssl commands which should mask the line with all the . and + characters but that doesn't seem to do the job on the windows/cygwin environment. I'm leaving it in anyway on the basis that it will hopefully make the output cleaner in some circumstances, including on windows if an update to openssl comes in that's happier with it.

Not tested on macos - it might be nice to verify that the -q and quiet options don't cause a problem there prior to merging.

[sxa]

@andrew-m-leonard semgrep is objecting to the use of -nodes in the openssl command used to generate the temporary certificate. Has this been seen previously in this file? It's not something I have added in this PR.

[andrew-m-leonard]

@andrew-m-leonard semgrep is objecting to the use of -nodes in the openssl command used to generate the temporary certificate. Has this been seen previously in this file? It's not something I have added in this PR.

not seen that before, suspect this file has not been changed since semgrep was introduced?

[sxa]

@andrew-m-leonard semgrep is objecting to the use of -nodes in the openssl command used to generate the temporary certificate. Has this been seen previously in this file? It's not something I have added in this PR.

not seen that before, suspect this file has not been changed since semgrep was introduced?

Hmmm I guess it could have slipped between the cracks between the initial audit and us putting it into GHA. Do you know what the impact is of removing it?

[andrew-m-leonard]

@andrew-m-leonard semgrep is objecting to the use of -nodes in the openssl command used to generate the temporary certificate. Has this been seen previously in this file? It's not something I have added in this PR.

not seen that before, suspect this file has not been changed since semgrep was introduced?

Hmmm I guess it could have slipped between the cracks between the initial audit and us putting it into GHA. Do you know what the impact is of removing it?

It will prompt for a PEM "pass phrase" to encrypt the key, which is not ideal for this purpose. Can we add an "ignore" like for linter things...?

[andrew-m-leonard]

@sxa I think this works, change the two lines to:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -passout pass:test -keyout $selfCert.key -out $selfCert.crt -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"
openssl pkcs12 -export -passout pass:test -passin pass:test -out $selfCert.pfx -inkey $selfCert.key -in $selfCert.crt

[sxa]

@sxa I think this works, change the two lines to:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -passout pass:test -keyout $selfCert.key -out $selfCert.crt -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"
openssl pkcs12 -export -passout pass:test -passin pass:test -out $selfCert.pfx -inkey $selfCert.key -in $selfCert.crt

I've got a few more comparison runs to kick off this evening so I'll do that and run with the changes. Cheers.

[EDIT: Semgrep still objecting by the look of it:

          391┆ openssl req -x509 -quiet -newkey rsa:4096 -sha256 -days 3650 -passout pass:test -keyout
               $selfCert.key -out $selfCert.crt -subj "/CN=example.com" -addext                       
               "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"                         
            ⋮┆----------------------------------------
          392┆ openssl pkcs12 -export -passout pass:test -passin pass:test -out $selfCert.pfx -inkey
               $selfCert.key -in $selfCert.crt                                                      
            ⋮┆----------------------------------------
          392┆ openssl pkcs12 -export -passout pass:test -passin pass:test -out $selfCert.pfx -inkey
               $selfCert.key -in $selfCert.crt              

]

[sxa]

@andrew-m-leonard We seem to be getting issues with the CycloneDX jar download in the CodeQL action:

  [2024-11-01 11:35:40] [autobuild]      [echo] File to download: https://ci.adoptium.net/view/all/job/build.getDependency/lastSuccessfulBuild/artifact/sbom_dependencies/cyclonedx-core-java.jar
  [2024-11-01 11:35:40] [autobuild]      [echo] Destination: build/jar/cyclonedx-core-java.jar
  [2024-11-01 11:35:40] [autobuild]      [echo] Download tool: curl
  [2024-11-01 11:35:40] [autobuild]     [mkdir] Created dir: /home/runner/work/temurin-build/temurin-build/cyclonedx-lib/build/jar
  [2024-11-01 11:35:40] [autobuild]      [exec]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
  [2024-11-01 11:35:40] [autobuild]      [exec]                                  Dload  Upload   Total   Spent    Left  Speed
  [2024-11-01 11:35:40] [autobuild]      [exec] 
  [2024-11-01 11:35:41] [autobuild]      [exec]   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0 15 2331k   15  371k    0     0   333k      0  0:00:06  0:00:01  0:00:05  333k100 2331k  100 2331k    0     0  1738k      0  0:00:01  0:00:01 --:--:-- 1738k
  [2024-11-01 11:35:41] [autobuild] BUILD FAILED
  [2024-11-01 11:35:41] [autobuild] /home/runner/work/temurin-build/temurin-build/cyclonedx-lib/build.xml:47: The following error occurred while executing this line:
  [2024-11-01 11:35:41] [autobuild] /home/runner/work/temurin-build/temurin-build/cyclonedx-lib/build.xml:492: The following error occurred while executing this line:
  [2024-11-01 11:35:41] [autobuild] /home/runner/work/temurin-build/temurin-build/cyclonedx-lib/build.xml:520: The checksum of the cyclonedx-core-java.jar file does not match expected value.
  [2024-11-01 11:35:41] [autobuild] Total time: 1 second
  Error: 1-01 11:35:41] [ERROR] Spawned process exited abnormally (code 1; tried to run: [ant, -noinput, -f, build.xml, clean, build])
  Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.19.2/x64/codeql/java/tools/autobuild.sh". Exit code was 1 and last log line was: Picked up JAVA_TOOL_OPTIONS:  -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false. See the logs for more details.

(Scratch that - it hadn't re-run that check alongside all of the others)

[sxa]

Noting that I've added semgrep check exclusions to these files as the key is dynamically generated, temporary, does not use secret credentials and the certificate is not utilised off the machine.

[karianna]

@sxa Will leave for you to merge if you're happy with the test

[sxa]

I've been testing with these changes for stuff over been doing to validate adoptium/ci-jenkins-pipelines#1117 so I'm comfortable that it's good (and can fix up quickly if not). Cheers for the review