
fips builds don't pass forbidden api tests #33179

Closed
nik9000 opened this issue Aug 27, 2018 · 3 comments · Fixed by #33202
Labels
:Delivery/Build Build or test infrastructure Team:Delivery Meta label for Delivery team

Comments

@nik9000
Member

nik9000 commented Aug 27, 2018

Ever since 82d10b4 the forbidden API checks have been failing on the fips builds. It isn't clear if this is a problem with the build or it is revealing a real problem with our fips compliance. I'm assigning to @atorok to investigate because he made the commit that broke the builds. If it turns out that this is a problem with our compliance he'll pass it off to someone who knows more about that stuff.

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+matrix-java-periodic/ES_BUILD_JAVA=java10,ES_RUNTIME_JAVA=java8fips,nodes=virtual&&linux/263/console

@nik9000 nik9000 added the :Delivery/Build Build or test infrastructure label Aug 27, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra

@jkakavas jkakavas self-assigned this Aug 28, 2018
@jkakavas
Member

:x-pack:plugin:security:cli: is the only module that has a compile and runtime dependency on BouncyCastle (it was split out of security for that exact reason).

We already do not run tests in a FIPS JVM,

    if (inFipsJvm) {
        test.enabled = false
    }

so should we also disable forbiddenApi?

@alpar-t
Contributor

alpar-t commented Aug 28, 2018

Forbidden APIs used to be run with the JVM running Gradle and I switched to running it with run-time java, which in this case is FIPS. I would like to understand why the forbidden patterns are triggered, maybe we could selectively disable rules instead of disabling it all.

alpar-t added a commit to alpar-t/elasticsearch that referenced this issue Aug 28, 2018
- third party audit detects jar hell with JDK so we disable it
- jdk non portable in forbiddenapis detects classes being used from the JDK (for fips) that are not portable, this is intended so we don't scan for it on fips.
- different exclusion rules for third party audit on fips

Closes elastic#33179
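The question raised by jkakavas (disable forbiddenApi on FIPS entirely?) and the answer in the commit message above (drop only the jdk-non-portable check there, and disable the third party audit) can be expressed as a small build.gradle fragment. This is an added illustration, not Elasticsearch's own build code: it assumes the de.thetaphi.forbiddenapis Gradle plugin is applied, derives inFipsJvm with a constructed check for the BCFIPS provider in the runtime JVM (the real build computes the flag elsewhere), and uses thirdPartyAudit as a hypothetical task name.

```groovy
// Added illustration, not Elasticsearch's own build code. Assumptions: the
// de.thetaphi.forbiddenapis plugin is applied, 'inFipsJvm' is computed here as a
// constructed stand-in, and 'thirdPartyAudit' is a hypothetical task name.
import java.security.Security

plugins {
    id 'java'
    id 'de.thetaphi.forbiddenapis' version '2.6'
}

// Constructed detection: the runtime JVM counts as FIPS when the BCFIPS
// provider is registered. The real build derives this flag differently.
ext.inFipsJvm = Security.getProviders().any { it.name == 'BCFIPS' }

forbiddenApis {
    // Signatures that hold on any JVM stay enabled everywhere, so the
    // forbidden API check itself keeps running on FIPS builds.
    bundledSignatures = ['jdk-unsafe', 'jdk-deprecated', 'jdk-system-out']
    // 'jdk-non-portable' flags JDK classes that are not portable; on the FIPS
    // JVM the runtime itself trips it, so only this one signature is skipped
    // instead of turning the whole check off.
    if (!inFipsJvm) {
        bundledSignatures += 'jdk-non-portable'
    }
}

// Hypothetical task name: the third party audit reports jar hell against the
// JDK on FIPS, so it is disabled there rather than given looser rules globally.
tasks.matching { it.name == 'thirdPartyAudit' }.configureEach {
    enabled = !inFipsJvm
}

// Tests already do not run on the FIPS JVM, as the thread notes.
test {
    enabled = !inFipsJvm
}
```

Keeping the remaining bundled signatures active on the FIPS JVM is the point: the build still catches unsafe and deprecated JDK usage in security code, and only the rule that is known to misfire on that runtime is switched off.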
alpar-t added a commit that referenced this issue Aug 29, 2018
alpar-t added a commit that referenced this issue Aug 29, 2018
@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020
5 participants