bootJar gradle task creates a fat jar with writeable files.

Security scans from tools like Snyk/Sonar fail because of this.

This is my workaround, would be nice for existing bootJar task to do something similar internally.

// Unpack the fat jar produced by bootJar so it can be re-zipped with explicit permissions.
task unzipBootJar(type: Copy) {
    dependsOn bootJar

    from zipTree(bootJar.destinationDirectory.file(bootJar.archiveFileName))
    into layout.buildDirectory.dir('unpacked/dist')
}

// Re-zip the unpacked tree. STORED keeps the nested jars uncompressed, as the Boot loader requires.
task zipDistToSecureBootJar(type: Zip) {
    dependsOn unzipBootJar

    from layout.buildDirectory.dir('unpacked/dist')
    entryCompression = ZipEntryCompression.STORED
    // Gradle 8.3 permissions DSL: owner keeps read, "other" loses write and execute.
    filePermissions {
        user {
            read = true
        }
        other.execute = false
        other.write = false
    }
    dirPermissions {
        user {
            read = true
        }
        other.execute = false
        other.write = false
    }
    include '**/*'
    archiveFileName = "secure-${bootJar.archiveFileName.get()}"
    destinationDirectory = layout.buildDirectory.dir('libs')
}
// Run the re-zip automatically whenever bootJar runs.
bootJar.finalizedBy zipDistToSecureBootJar

Comment From: wilkinsona

Thanks for the suggestion. I don't think we should change the default behavior as we're currently relying on Gradle's defaults. I think that's the right thing to do. It means that things behave as expected by those who are familiar with Gradle and also means that any changes made to Gradle in the future will be picked up automatically by the bootJar task.

Instead of your workaround, you should be able to configure the permissions when creating the jar:

tasks.named("bootJar") {
    fileMode = 0400
    dirMode = 0500
}

This correctly sets the permissions for the files and directories in BOOT-INF/lib and BOOT-INF/classes but it does not work for the loader classes in the root of the jar or for the classpath.idx and index.idx files. I've opened https://github.com/spring-projects/spring-boot/issues/37496 to address this. Thanks for bringing it to our attention.
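A way to check a built jar for exactly the gap described above (BOOT-INF entries fixed, root loader classes and classpath.idx still carrying write bits) before a scanner does. This is an added example, not code from the thread or from Spring Boot: it reads each entry's Unix mode from the zip central directory and lists anything writable; the sample archive it builds is constructed to mimic a Boot 3.1 jar in that state, and the command-line path is whatever jar you point it at.

```python
import io
import stat
import zipfile

# Any of these bits on an entry is what a scanner reports as a writable file.
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits of a zip entry: the high 16 bits of external_attr hold
    st_mode, which is where Gradle's fileMode/dirMode (and filePermissions) end up."""
    return (info.external_attr >> 16) & 0o7777


def writable_entries(jar_bytes: bytes) -> dict:
    """Return {entry name: mode} for every entry that still has a write bit set."""
    offenders = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            mode = entry_mode(info)
            if mode & WRITE_BITS:
                offenders[info.filename] = mode
    return offenders


def build_sample_jar() -> bytes:
    """Constructed stand-in for a Boot 3.1 fat jar after fileMode = 0400 / dirMode = 0500:
    BOOT-INF entries are read-only, the root loader class and classpath.idx keep 0644."""
    entries = {
        "org/springframework/boot/loader/JarLauncher.class": 0o644,
        "BOOT-INF/classpath.idx": 0o644,
        "BOOT-INF/classes/": 0o500,
        "BOOT-INF/classes/app/Main.class": 0o400,
        "BOOT-INF/lib/spring-security-config-6.1.3.jar": 0o400,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, mode in entries.items():
            info = zipfile.ZipInfo(name)
            is_dir = name.endswith("/")
            info.external_attr = ((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode) << 16
            if is_dir:
                info.external_attr |= 0x10  # MS-DOS directory attribute
            zf.writestr(info, b"" if is_dir else b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for name, mode in sorted(writable_entries(data).items()):
        print(f"{mode:04o} {name}")  # e.g. 0644 BOOT-INF/classpath.idx
```

Run it against build/libs/<your-app>.jar after changing fileMode/dirMode; an empty listing means no entry in the archive, root or nested, still carries a write bit.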

Comment From: dmarsh26

The scan passes with your suggestion; it only seems to be looking at the subdirectories.

You can close this and https://github.com/spring-projects/spring-boot/issues/37496.

thanks!

Comment From: dmarsh26

SpringBoot bootJar gradle task does not set file permissions within jar to readonly

Seems the issue persists; the scan does not always seem to pick up the same item.

Comment From: philwebb

@dmarsh26 That scan seems to be looking at a file within a jar. What are the permissions for BOOT-INF/lib/spring-security-config-6.1.3.jar? That's the file that the permission should be setting.

Is the scanner somehow looking inside this jar or has it somehow unpacked inside the image? How are you actually creating your images?

Comment From: dmarsh26

I'm using Gradle wrapper 8.3 with Spring Boot 3.1, the bootJar target. The jar is the standard fat jar from Spring Boot; we do not unpack. I guess the scanner can look inside archives.

I added tasks.named("bootJar") { fileMode = 0400 dirMode = 0500 } to my build, so I expected all jars in the jar to be read-only by owner, including the security jar. Or does this only affect the classes folder?

The deployment is Docker based, so I've now set the application jar in Docker to chmod 500, so hopefully that fixes it; changing all jars in the build doesn't seem a general solution.

So maybe it's not a problem, waiting to see. Previously I tried chmod o-w and it didn't work. I guess maybe the scanner can sudo or something and root has write access.

Maybe Spring libraries could include fileMode = 0400 and dirMode = 0500 going forward, as I doubt they need to be writeable? I heard Gradle 8.5 might make jars readonly by default?

The company does not want to turn any aquascan features off.

Comment From: dmarsh26

https://github.com/spring-projects/spring-security/blob/main/config/spring-security-config.gradle

def versionlessXsd = tasks.register("versionlessXsd", CreateVersionlessXsdTask) {
    inputFiles.from(rncToXsd.map { task -> project.fileTree(task.xsdDir) })
    versionlessXsdFile = project.layout.buildDirectory.file("versionlessXsd/spring-security.xsd")
}

tasks.named('processResources', ProcessResources).configure {
    from(versionlessXsd) {
        into 'org/springframework/security/config/'
    }
    from(rncToXsd) {
        duplicatesStrategy DuplicatesStrategy.EXCLUDE
        into 'org/springframework/security/config/'
    }
}

Process resources has dirPermissions, so maybe Spring Security can be changed; not sure if it's sensible. Appreciate that is a different Spring project.