Improved: Dependency verification (OFBIZ-12186)

I just read an ASF members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build. I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer. [1] https://docs.gradle.org/current/userguide/dependency_verification.html This commit includes: The verification-metadata.xml and verification-keyring.gpg used by the verification task *.gpg as binary in .gitattrubtes for verification-keyring.gpg The documentation about the verification in sy-dependency-verification.adoc with a link and some unrelated changes in security.adoc about security for OFBiz in production An empty line removed in build.gradle
apache · Feb 27, 2021 · c2c609d · c2c609d
1 parent bcb76eb
commit c2c609d
Show file tree

Hide file tree

Showing 6 changed files with 8,865 additions and 2 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -39,3 +39,4 @@ rc.ofbiz.*   text
 *.zip        binary
 *.jks        binary
 *.ttf        binary
+*.gpg        binary
diff --git a/build.gradle b/build.gradle
@@ -152,7 +152,6 @@ allprojects {
             // com.springsource.com.sun.syndication
             url "https://repo.spring.io/plugins-release"
         }
-
     }
 }
 

diff --git a/framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc b/framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc
@@ -0,0 +1,60 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+////
+
+= Gradle Dependency Verification
+The Apache OFBiz Project
+Release trunk
+
+https://docs.gradle.org/current/userguide/dependency_verification.html[Here is the Gradle documentation about dependency verification]
+
+As it's a long read you might prefer this summary:
+
+NOTE: the dependency verification is an incubating feature. So we will wait before backporting from trunk...
+
+By default OFBiz comes with OOTB Gradle dependency verification.
+
+This means that it embeds a verification-metadata.xml file and a verification-keyring.gpg in OFBiz gradle sub-directory which is used during builds and other tasks to verify dependencies.
+
+These files are initially created using :
+
+TIP: gradlew --write-verification-metadata pgp,sha256 help +
+gradlew --write-verification-metadata pgp,sha256 --export-keys
+
+These command creates or updates the verification-metadata.xml and verification-keyring.gpg files which respectively contains the checksums for each of declared dependencies and the related keys
+
+
+Currently the status is it's incomplete in OFBiz. You get this message:
+
+* Some artifacts aren't signed or the signature couldn't be retrieved.
+* Some signature verification failed. Checksums were generated for those artifacts but you MUST check if there's an actual problem. Look for entries with the following comment: PGP verification failed
+PGP verification failed
+
+Only 6 keys are concerned. This does not prevent the verification to work using metadata, though it's better to check the situation in case of doubts (OK OTTB). You may use
+
+TIP: gradlew build --refresh-keys
+
+To recreate the keys
+
+The verification-metadata.xml file contains 2 entries that can be set to true or false to check or ignore the 2 functionalities:
+
+IMPORTANT: <verify-metadata>true</verify-metadata> +
+<verify-signatures>true</verify-signatures>
+
+
+Finally, you may refer to https://issues.apache.org/jira/browse/OFBIZ-12186 for more information.
diff --git a/framework/security/src/docs/asciidoc/security.adoc b/framework/security/src/docs/asciidoc/security.adoc
@@ -19,6 +19,28 @@ under the License.
 
 = Security
 
+== OFBiz in production
+
+In matter of security, to be sure to be up to date, the first place to look at is
+https://ofbiz.apache.org/security.html
+
+For more details you may be also interested by
+https://issues.apache.org/jira/browse/OFBIZ-1525
+
+If you look for how to handle access permissions, this page should help you:
+https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Security+Permissions
+
+
+Last but not least, you will certainly find useful, the security section of
+https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SecuritySettings[The Apache OFBiz Technical Production Setup Guide]
+
+=== Gradle Update
+OFBiz uses Gradle for many things, including building and running OFBiz.
+
+Out Of The Box (OOTB) you get versions of third parties libraries which might need to be updated from time to time.
+For that you may take as an example to follow https://issues.apache.org/jira/browse/OFBIZ-10213
+
 include::_include/sy-password-and-JWT.adoc[leveloffset=+1]
-include::_include/sy-impersonation.adoc[leveloffset=+1]
 include::_include/sy-CSRF-defense.adoc[leveloffset=+1]
+include::_include/sy-impersonation.adoc[leveloffset=+1]
+include::_include/sy-dependency-verification.adoc[leveloffset=+1]
diff --git a/gradle/verification-keyring.gpg b/gradle/verification-keyring.gpg