Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: CI Hardening #2

Closed
wants to merge 33 commits into from
Closed

Security: CI Hardening #2

wants to merge 33 commits into from

Conversation

sgammon
Copy link
Member

@sgammon sgammon commented Jun 9, 2024
edited
Loading

Summary

Applies CI hardening with StepSecurity bot; each CI step is now isolated from unidentified network traffic, and withholds sudo from build steps.

Network traffic can eventually be sealed into an allow-list, and shifted into block mode.

Improvements

  • Ran StepSecurity to add the Harden Runner action and pin at action hashes
  • Tuned CodeQL workflow
  • Added Maven dependency graph submission and review
  • Added Security Scorecards workflow

@sgammon sgammon added the enhancement New feature or request label Jun 9, 2024
@sgammon sgammon self-assigned this Jun 9, 2024
@sgammon sgammon mentioned this pull request Jun 9, 2024
Closed
sgammon and others added 26 commits June 10, 2024 04:40
@sgammon
Add support for GraalVM
c1a6c95 
Adds a JAR publication at `jna-graalvm.jar`, with accompanying
build infrastructure, which provides support for JNA within the
context of the Substrate Virtual Machine (SVM).

GraalVM Native Image targets use SVM instead of JVM at runtime.
JNA's current strategy of unpacking libraries at runtime works
under SVM, but is suboptimal; the binary is native, so it can
simply include JNA object code for the current platform directly.

To accomplish this, several GraalVM "feature" implementations are
provided in this new publication. By default, regular JNA access
is enabled through the `JavaNativeAccess` feature; this class
enables reflection and runtime JNI configurations for downstream
projects which use JNA.

Another feature, `SubstrateStaticJNA`, is experimental because it
relies on unstable GraalVM APIs, but instead of loading JNA at
runtime from a dynamic library, it builds JNA into the final
native image with a static object.

These features are enabled through a resource within `META-INF`,
called `native-image.properties`, which is picked up by the native
image compiler at build time. The new artifact only needs to be
present for GraalVM native targets at build time; otherwise, the
classes and libraries in `jna-graalvm.jar` are inert.

Includes tested support for:
- macOS aarch64
- Linux amd64

Signed-off-by: Sam Gammon <[email protected]>
@sgammon
fix: only build gvm sources on jdk11+
e7863cd 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: missing conditional
ae2ec5c 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: jdk8 missing classses dir
8da6e16 
Signed-off-by: GitHub <[email protected]>
@sgammon
test: sample/test gradle build for native image
adf136c 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: ci config to run native sample
a730c69 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: gradle properties
14d3102 
Signed-off-by: GitHub <[email protected]>
@sgammon
fix: duplicate dependencies block in gvm pom
cf31c77 
Signed-off-by: GitHub <[email protected]>
@sgammon
fix: method alignment in default feature
8ae4edb 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: give native image test an arg
e607719 
Signed-off-by: GitHub <[email protected]>
@sgammon
fix: proxy config for user code sample
c6fad3d 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: update touched libs
cdd2fe9 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: update remaining distlibs
afe9e2c 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: gvm ci job
2b6e853 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: missing license header
eb78053 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: dispatch graalvm ci as sub-workflow
ad5e68c 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: job names for gvm ci
84090b5 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: drop daemon jvm props
c91b6ea 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: reusable workflow issues
c0183be 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: fail on native image build err
49666a4 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: restore main ci
40ba080 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: nativeRun task
51b6a30 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: mkdirs for gvm target directories
1525c23 
Signed-off-by: GitHub <[email protected]>
@sgammon
feat(graalvm): add Library proxy auto-config
9bba1dd 
Adds a subtype reachability handler for `com.sun.jna.Library`, so that
user types which extend `Library` are automatically registered as
runtime-capable proxy types

Signed-off-by: GitHub <[email protected]>
@sgammon
chore: general nit cleanup
46460e9 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: add @sgammon and @darvld to developers of graalvm integration
0c905a0 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: cleanups for codeql
66e6fad 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: dependency graph submission
1ecf5be 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: java version
6bb32c5 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: token permissions for dependency graph
93d065a 
Signed-off-by: GitHub <[email protected]>
@sgammon
chore: local deploy capability
423f82d 
Adds an Ant task which "deploys" to a local directory, at `build/stage`.
Also adds a CI task which runs `deploy-local` and uploads the resulting
`build/stage` directory as an artifact.

This artifact can be unpacked and deployed to custom (or private) Maven
repositories, enabling easy testing downstream.

Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: security manager for ci build
321ed51 
Signed-off-by: GitHub <[email protected]>
@sgammon
fixup!: conditional java security manager fix
fde7283 
Signed-off-by: GitHub <[email protected]>
@sgammon sgammon changed the base branch from feat/static-graalvm-jni to master June 10, 2024 04:46
sgammon added a commit that referenced this pull request Jun 10, 2024
@sgammon
chore: squash #2 for testing
32b25db 
Signed-off-by: GitHub <[email protected]>
sgammon added a commit that referenced this pull request Jun 10, 2024
@sgammon
chore: squash #2 for testing
f52fd23 
Signed-off-by: GitHub <[email protected]>
@sgammon sgammon closed this Jun 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@sgammon sgammon

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sgammon