Security Policy violation Binary Artifacts #17036
Comments
Updating issue after ping interval. See its status below.
Project is out of compliance with Binary Artifacts policy: binaries present in source code
#17112 provides a way to remove all jar files under third_party directory.
To disable the notification, follow bazel-contrib/rules_jvm_external@4dc6737 as an example to create an allowlist.
…nal (non-third_party)

Deleting more checked-in jars from the third_party directory; instead we fetch them using rules_jvm_external. The number of checked-in jar files under third_party was reduced to 94 from 175. After this PR, we no longer need any checked-in jar files in the third_party directory to bootstrap Bazel (see the update in scripts/bootstrap/compile.sh). The rest of the checked-in jar files are only for Java tools, Android tools and Java tests, which should also be migrated later.

A few changes and impacts worth noting about this PR:
- We no longer duplicate the list of maven coordinates in the MODULE.bazel file; it just uses the same maven_install.json file generated by rules_jvm_external from WORKSPACE.
- We had to exclude some problematic jars (check the `excluded_artifacts` in WORKSPACE).
- Since we don't yet have a way to handle licenses with rules_jvm_external, this PR preserves all LICENSE files and adds back some LICENSE files deleted in 205ba06. License files are merged by https://github.com/bazelbuild/bazel/blob/ab71a1002c9c53a8061336e40f91204a2a32c38e/src/main/java/com/google/devtools/build/lib/runtime/commands/license/BUILD#L15
- Since rules_jvm_external respects the declared dependencies in the jar's pom.xml file, it fetches more jars than we previously checked in. Through the `jvm_import` rule, Bazel transitively depends on more jars, and this causes the size of the Bazel binary to increase (about 2%, see the change in minimal_jdk_test.sh). But the overall improvement in handling maven dependencies should be worth it.
- After syncing with @fweikert, the security build for Bazel we are working on should still work with this change.

Overall, it should make it easier to review Bazel's maven dependencies.

Working towards: #17036
Closes #17221.

PiperOrigin-RevId: 511179726
Change-Id: Ic7e99d0ef5074b45aa00d3229f6d4d8855ee2311
…hird_party)

This PR basically reverts #11629 and fetches android databinding jars and their dependencies with rules_jvm_external instead. We still need to keep `third_party/java/android_databinding/v3_4_0/exec.jar` because it is a custom prebuilt tool and there is no corresponding maven coordinate.

Working towards: #17036
Closes #17727.

PiperOrigin-RevId: 516246992
Change-Id: I122ab5e9037668ac6913ab03df186609bbc0f458
It's not used anywhere except source reference. Working towards: bazelbuild#17036
…nal (non-third_party)

Deleting more checked-in jars from the third_party directory; instead we fetch them using rules_jvm_external. The number of checked-in jar files under third_party was reduced to 94 from 175. After this PR, we no longer need any checked-in jar files in the third_party directory to bootstrap Bazel (see the update in scripts/bootstrap/compile.sh). The rest of the checked-in jar files are only for Java tools, Android tools and Java tests, which should also be migrated later.

A few changes and impacts worth noting about this PR:
- We no longer duplicate the list of maven coordinates in the MODULE.bazel file; it just uses the same maven_install.json file generated by rules_jvm_external from WORKSPACE.
- We had to exclude some problematic jars (check the `excluded_artifacts` in WORKSPACE).
- Since we don't yet have a way to handle licenses with rules_jvm_external, this PR preserves all LICENSE files and adds back some LICENSE files deleted in 205ba06. License files are merged by https://github.com/bazelbuild/bazel/blob/ab71a1002c9c53a8061336e40f91204a2a32c38e/src/main/java/com/google/devtools/build/lib/runtime/commands/license/BUILD#L15
- Since rules_jvm_external respects the declared dependencies in the jar's pom.xml file, it fetches more jars than we previously checked in. Through the `jvm_import` rule, Bazel transitively depends on more jars, and this causes the size of the Bazel binary to increase (about 2%, see the change in minimal_jdk_test.sh). But the overall improvement in handling maven dependencies should be worth it.
- After syncing with @fweikert, the security build for Bazel we are working on should still work with this change.

Overall, it should make it easier to review Bazel's maven dependencies.

Working towards: #17036
Closes #17221.

PiperOrigin-RevId: 511179726
Change-Id: Ic7e99d0ef5074b45aa00d3229f6d4d8855ee2311

# Conflicts:
#   WORKSPACE
#   src/test/shell/integration/minimal_jdk_test.sh
…hird_party)

This PR basically reverts bazelbuild#11629 and fetches android databinding jars and their dependencies with rules_jvm_external instead. We still need to keep `third_party/java/android_databinding/v3_4_0/exec.jar` because it is a custom prebuilt tool and there is no corresponding maven coordinate.

Working towards: bazelbuild#17036
Closes bazelbuild#17727.

PiperOrigin-RevId: 516246992
Change-Id: I122ab5e9037668ac6913ab03df186609bbc0f458
It's not used anywhere except source reference.

Working towards: bazelbuild#17036
Closes bazelbuild#17811.

PiperOrigin-RevId: 517410193
Change-Id: Iad3ac2801d84b04b4bbeca396c4d0b6bc3199f54
It's not used anywhere except source reference.

Working towards: bazelbuild#17036
Partial commit for third_party/*, see bazelbuild#17811.

Signed-off-by: Yun Peng <pcloudy@google.com>
Remove checked-in jars used for `//src/test/java/...` and fetch them with rules_jvm_external instead.

Working towards: bazelbuild#17036
Closes bazelbuild#17812.

PiperOrigin-RevId: 518608132
Change-Id: I6a0d282febc27c538b5297054facc70a5a0ca35d
This issue was automatically created by Allstar.
Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code
Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.
Remediation Steps
To remediate, remove the generated executable artifacts from the repository.
First 10 Artifacts Found
Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.
Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
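An added example, not part of the Allstar issue or of the Bazel project, of the kind of audit a maintainer can run locally before the bot does: it walks a checkout, flags files that look like compiled or packaged binaries by extension or by magic bytes, and separates out paths matched by an allowlist glob (the same idea as the allowlist remediation mentioned in the thread) so that exemptions such as the kept `exec.jar` stay visible rather than silently hidden. The signature table, the sample tree and the allowlist pattern are constructed for illustration and do not reproduce the Scorecard check's real heuristics.

```python
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
# Constructed signature table (magic bytes at offset 0). A jar is a zip, so it shares that signature.
MAGIC = {b"PK\x03\x04": "zip/jar", b"\x7fELF": "elf", b"MZ": "pe", b"\xca\xfe\xba\xbe": "java-class"}
BINARY_EXTS = {".jar", ".class", ".so", ".dll", ".exe", ".dylib"}

def is_binary(path: Path) -> Optional[str]:
    """Label a file as binary by extension, else by magic bytes; None if it looks like source."""
    if path.suffix.lower() in BINARY_EXTS:
        return "extension:" + path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(8)
    for sig, label in MAGIC.items():
        if head.startswith(sig):
            return "magic:" + label
    return None

def scan_repo(root: str, allowlist: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Walk a checkout (skipping .git); allowlisted binaries go in their own bucket, not dropped."""
    allowlist = allowlist or []
    findings: Dict[str, List[str]] = {"violations": [], "allowed": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            p = Path(dirpath) / name
            label = is_binary(p)
            if label is None:
                continue
            rel = p.relative_to(root).as_posix()
            bucket = "allowed" if any(fnmatch.fnmatch(rel, g) for g in allowlist) else "violations"
            findings[bucket].append(f"{rel} ({label})")
    return findings

def demo() -> Dict[str, List[str]]:
    """Constructed tree: a stray jar, the allowlisted exec.jar, a source file, an extensionless ELF."""
    root = tempfile.mkdtemp()
    tree = {
        "third_party/some_lib/some_lib.jar": b"PK\x03\x04" + b"\0" * 16,
        "third_party/java/android_databinding/v3_4_0/exec.jar": b"PK\x03\x04" + b"\0" * 16,
        "src/main/java/Main.java": b"class Main {}\n",
        "tools/helper": b"\x7fELF" + b"\0" * 16,  # no extension: only the magic-byte check catches it
    }
    for rel, data in tree.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return scan_repo(root, ["third_party/java/android_databinding/*/exec.jar"])
```

Running `demo()` reports the stray jar and the extensionless ELF as violations while listing the databinding `exec.jar` under "allowed"; extend `MAGIC` and `BINARY_EXTS` to match whatever formats your policy cares about.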