Security: CI Hardening #2

Closed
wants to merge 33 commits into from

Commits on Jun 10, 2024

  1. Add support for GraalVM

    Adds a JAR publication at `jna-graalvm.jar`, with accompanying
    build infrastructure, which provides support for JNA within the
    context of the Substrate Virtual Machine (SVM).
    
    GraalVM Native Image targets use SVM instead of JVM at runtime.
    JNA's current strategy of unpacking libraries at runtime works
    under SVM, but is suboptimal; the binary is native, so it can
    simply include JNA object code for the current platform directly.
    
    To accomplish this, several GraalVM "feature" implementations are
    provided in this new publication. By default, regular JNA access
    is enabled through the `JavaNativeAccess` feature; this class
    enables reflection and runtime JNI configurations for downstream
    projects which use JNA.
    
    Another feature, `SubstrateStaticJNA`, is experimental because it
    relies on unstable GraalVM APIs, but instead of loading JNA at
    runtime from a dynamic library, it builds JNA into the final
    native image with a static object.
    
    These features are enabled through a resource within `META-INF`,
    called `native-image.properties`, which is picked up by the native
    image compiler at build time. The new artifact only needs to be
    present for GraalVM native targets at build time; otherwise, the
    classes and libraries in `jna-graalvm.jar` are inert.
    
    Includes tested support for:
    - macOS aarch64
    - Linux amd64
    
    Signed-off-by: Sam Gammon <[email protected]>
    sgammon authored Jun 10, 2024
    c1a6c95
  2. fix: only build gvm sources on jdk11+

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    e7863cd
  3. fixup!: missing conditional

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    ae2ec5c
  4. fixup!: jdk8 missing classes dir

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    8da6e16
  5. test: sample/test gradle build for native image

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    adf136c
  6. chore: ci config to run native sample

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    a730c69
  7. fixup!: gradle properties

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    14d3102
  8. fix: duplicate dependencies block in gvm pom

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    cf31c77
  9. fix: method alignment in default feature

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    8ae4edb
  10. fixup!: give native image test an arg

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    e607719
  11. fix: proxy config for user code sample

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    c6fad3d
  12. chore: update touched libs

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    cdd2fe9
  13. chore: update remaining distlibs

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    afe9e2c
  14. fixup!: gvm ci job

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    2b6e853
  15. fixup!: missing license header

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    eb78053
  16. chore: dispatch graalvm ci as sub-workflow

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    ad5e68c
  17. fixup!: job names for gvm ci

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    84090b5
  18. fixup!: drop daemon jvm props

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    c91b6ea
  19. fixup!: reusable workflow issues

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    c0183be
  20. fixup!: fail on native image build err

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    49666a4
  21. fixup!: restore main ci

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    40ba080
  22. fixup!: nativeRun task

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    51b6a30
  23. fixup!: mkdirs for gvm target directories

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    1525c23
  24. feat(graalvm): add Library proxy auto-config

    Adds a subtype reachability handler for `com.sun.jna.Library`, so that
    user types which extend `Library` are automatically registered as
    runtime-capable proxy types
    
    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    9bba1dd
  25. chore: general nit cleanup

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    46460e9
  26. 0c905a0
  27. chore: cleanups for codeql

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    66e6fad
  28. chore: dependency graph submission

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    1ecf5be
  29. fixup!: java version

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    6bb32c5
  30. fixup!: token permissions for dependency graph

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    93d065a
  31. chore: local deploy capability

    Adds an Ant task which "deploys" to a local directory, at `build/stage`.
    Also adds a CI task which runs `deploy-local` and uploads the resulting
    `build/stage` directory as an artifact.
    
    This artifact can be unpacked and deployed to custom (or private) Maven
    repositories, enabling easy testing downstream.
    
    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    423f82d
  32. fixup!: security manager for ci build

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    321ed51
  33. fixup!: conditional java security manager fix

    Signed-off-by: GitHub <[email protected]>
    sgammon authored Jun 10, 2024
    fde7283