Type: Suggestion
Resolution: Unresolved
Components: Bamboo Specs, Security

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Problem Definition

As an Admin, for security purposes, I want to be able to enable or disable one type of Specs.

      Suggested Solution

      I would like an option to control what type of Specs is accepted by the Bamboo Server.

      Why this is important

The reason we are looking to disable Java Specs is that the spec pom may contain dependencies with vulnerable versions of jars, and if we allow it, such vulnerable jars get installed on the Bamboo server.

[BAM-21722] Disable or Enable only one type of Specs: Java or YAML

Alexey Chystoprudov added a comment

bacec7182c91, when the dev team worked on the Java Specs feature, security was our main focus. There are a few layers of isolation of harmful code from the Bamboo Server environment:

• Docker image to execute the Maven process. All downloaded dependencies are stored inside that Docker image and don't spoil the .m2 repository of the Bamboo Server.
• Restrictive security manager used to execute the Maven process: Java Specs code can't read files outside of the source folder, can't execute additional processes, etc.
• Safe pom.xml version. Bamboo doesn't use the pom.xml provided by the user; it copies the dependencies from it into the stock pom.xml bundled with Bamboo. This avoids the use of insecure settings like compiler flags or external plugins and file processors.

If you believe this solution is not secure enough, please let us know what we can improve to make your organisation confident to use the full power of Bamboo Java Specs.
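The third layer above (a trusted stock pom.xml that receives only the user's dependency coordinates) is the one that decides what Maven is allowed to do, so here is an added Python sketch of it. This is example code, not Bamboo's implementation: the stock template, the user pom, the version strings and the block-list are all constructed for the illustration. It also goes one step beyond the comment by checking the copied coordinates against a block-list before anything is resolved, which is the kind of control the issue description asks for (vulnerable jar versions never reaching the server's .m2 repository).

```python
"""Sketch of a "safe pom.xml" step: keep only dependency coordinates from a
user-supplied pom.xml and place them in a trusted stock template, so that
user-controlled <build> settings never reach the Maven process.
Added example, not Bamboo's code; all values below are constructed."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Stand-in for the stock pom.xml bundled with Bamboo (constructed).
STOCK_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>specs-runner</artifactId>
  <version>1</version>
  <dependencies/>
</project>"""

# Constructed user pom: besides its dependencies it carries a build plugin with
# user-chosen compiler arguments, the kind of setting the copy step must drop.
USER_POM = f"""<project xmlns="{POM_NS}">
  <groupId>user</groupId>
  <artifactId>my-specs</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.atlassian.bamboo</groupId>
      <artifactId>bamboo-specs</artifactId>
      <version>EXAMPLE-VERSION</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration><compilerArgs><arg>-Xlint:all</arg></compilerArgs></configuration>
      </plugin>
    </plugins>
  </build>
</project>"""

# Constructed block-list: (groupId, artifactId) -> version prefix an admin refuses
# to resolve. log4j 1.x is the concern named in this issue; the entry is a placeholder.
BLOCKED = {("log4j", "log4j"): "1."}


def extract_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] taken from <dependencies> only."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coords = []
        for tag in ("groupId", "artifactId", "version"):
            node = dep.find(f"m:{tag}", NS)
            coords.append((node.text or "").strip() if node is not None else "")
        deps.append(tuple(coords))
    return deps


def check_policy(deps, blocked=BLOCKED):
    """Return the coordinates whose version starts with a blocked prefix."""
    hits = []
    for group, artifact, version in deps:
        prefix = blocked.get((group, artifact))
        if prefix is not None and version.startswith(prefix):
            hits.append((group, artifact, version))
    return hits


def build_safe_pom(user_pom_xml, blocked=BLOCKED):
    """Copy dependency coordinates into the stock template; raise on a policy hit."""
    deps = extract_dependencies(user_pom_xml)
    hits = check_policy(deps, blocked)
    if hits:
        raise ValueError(f"blocked dependencies: {hits}")
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    root = ET.fromstring(STOCK_POM)
    container = root.find("m:dependencies", NS)
    for group, artifact, version in deps:
        dep = ET.SubElement(container, f"{{{POM_NS}}}dependency")
        for tag, value in (("groupId", group), ("artifactId", artifact), ("version", version)):
            ET.SubElement(dep, f"{{{POM_NS}}}{tag}").text = value
    return ET.tostring(root, encoding="unicode")


def has_build_section(pom_xml):
    """True if the pom still carries a user-controlled <build> section."""
    return ET.fromstring(pom_xml).find("m:build", NS) is not None


def is_rejected(user_pom_xml, blocked=BLOCKED):
    """Does the policy refuse this pom?"""
    try:
        build_safe_pom(user_pom_xml, blocked)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("rejected by policy:", is_rejected(USER_POM))  # the log4j 1.x entry
    print(build_safe_pom(USER_POM, blocked={}))  # template with only the coordinates
```

The point of the design is that nothing from the user's file is interpreted except three text fields per dependency; the `<build>` section, properties, repositories and profiles are simply never read, so they cannot smuggle plugins or compiler flags into the run. The block-list check runs on the extracted coordinates before Maven is invoked, which is where a "disallow this dependency version" control would sit if resolution happens on the server.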

Anuroop Kottamparambil added a comment - edited

@Alexey Chystoprudov - We cannot allow Java Spec repositories to be scanned on the Bamboo Server. I am OK if they are scanned on Bamboo Agents instead. The reason is that users have their own Java Specs, in which I see that their project POMs have vulnerable versions of dependencies (e.g. log4j-1.x). If we allow such scans, these vulnerable versions of jars will be installed on the Bamboo Server under the .m2 repository of the Bamboo service account. The enterprise Qualys scan runs regularly and will flag Bamboo as vulnerable. I don't see a reason why the Java Spec scan is done on the Bamboo Server instead of on user agents. Either we need an option to choose whether to allow it or not, or the scan must happen on agents, not the Bamboo server. Right now users cannot use Java Specs since the port to the Maven central repo is not enabled on the Bamboo server. Moreover, we have not installed a Maven executable to perform such scans.

Alexey Chystoprudov added a comment

bacec7182c91, what would your setting be if this feature is implemented? Can you please explain why it's important for your organization?

Anuroop Kottamparambil added a comment

We need this feature to be implemented, or else the scan must happen on agents instead of the Bamboo server itself.

Assignee: Unassigned
Reporter: 3d4680c1a479 Five Lamb (Inactive)
Votes: 4
Watchers: 5