From 0313a6e79cd5a0900680c6e654d63e8707aa2b18 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Fri, 31 Jan 2020 12:26:52 +0200
Subject: [PATCH] Adjust jarHell and 3rd party audit exclusions
Now that the FIPS 140 security provider is simply a test dependency we don't need the thirdPartyAudit exceptions, but plugin-cli and transport-netty4 do need jarHell disabled as they use the non fips BouncyCastle security provider as a test dependency too.
---
 distribution/tools/plugin-cli/build.gradle | 6 ------
 modules/transport-netty4/build.gradle | 8 --------
 plugins/ingest-attachment/build.gradle | 2 +-
 plugins/transport-nio/build.gradle | 8 --------
 x-pack/plugin/security/cli/build.gradle | 5 +----
 5 files changed, 2 insertions(+), 27 deletions(-)
diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index f274973cf8f40..b6af1c18ac6ed 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -42,12 +42,6 @@ test { systemProperty 'tests.security.manager', 'false' } -thirdPartyAudit.onlyIf { // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit, // rather than provide a long list of exclusions, disable the check on FIPS. BuildParams.inFipsJvm == false -} - /* * these two classes intentionally use the following JDK internal APIs in order to offer the necessary * functionality
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index d7b4d56569970..0c9346e6b308e 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -195,11 +195,3 @@ thirdPartyAudit {
 'io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator'
 )
 }
-
-if (BuildParams.inFipsJvm == false) {
- // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
- // a FIPS JVM with BouncyCastleFIPS Provider
- thirdPartyAudit.ignoreMissingClasses(
- 'org.bouncycastle.asn1.x500.X500Name'
- )
-}
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index 292f8c7595ed2..c88bd2ee4f59d 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -88,7 +88,7 @@ thirdPartyAudit {
 ignoreMissingClasses()
 }
-thirdPartyAudit.onlyIf {
+jarHell.onlyIf {
 // FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit,
 // rather than provide a long list of exclusions, disable the check on FIPS.
 BuildParams.inFipsJvm == false
diff --git a/plugins/transport-nio/build.gradle b/plugins/transport-nio/build.gradle
index 5ee0295fc9fed..00e099fec82d0 100644
--- a/plugins/transport-nio/build.gradle
+++ b/plugins/transport-nio/build.gradle
@@ -156,11 +156,3 @@ thirdPartyAudit {
 )
 }
-if (BuildParams.inFipsJvm == false) {
- // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
- // a FIPS JVM with BouncyCastleFIPS Provider
- thirdPartyAudit.ignoreMissingClasses(
- 'org.bouncycastle.asn1.x500.X500Name'
- )
-}
-
diff --git a/x-pack/plugin/security/cli/build.gradle b/x-pack/plugin/security/cli/build.gradle
index 116f089d70b46..f24d5f49d11f8 100644
--- a/x-pack/plugin/security/cli/build.gradle
+++ b/x-pack/plugin/security/cli/build.gradle
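Review bot: In plugins/ingest-attachment/build.gradle the comment kept inside the closure is now stale: it describes disabling the third party audit, but the closure gates `jarHell`, so on a FIPS JVM thirdPartyAudit runs again and the duplicate-class check is the one skipped. I would reword it to name the task and the colliding jars, e.g. `// On a FIPS JVM the BouncyCastle FIPS test dependency duplicates classes from the non-FIPS BouncyCastle jars, so jarHell is skipped there.` (the exact jars are inferred from the commit description, please confirm). Skipping jarHell on that path also means an unrelated duplicate class in this plugin would go unnoticed on the FIPS CI, so a narrower exclusion may be worth a follow-up. The commit description names plugin-cli and transport-netty4 as needing jarHell disabled, while the diff disables it here and in x-pack/plugin/security/cli. The closure's closing brace is outside the hunk.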
@@ -26,14 +26,11 @@ forbiddenPatterns { if (BuildParams.inFipsJvm) { test.enabled = false + jarHell.enabled = false testingConventions.enabled = false // Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are // not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS. tasks.withType(CheckForbiddenApis) { bundledSignatures -= "jdk-non-portable" } - // FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit, - // rather than provide a long list of exclusions, disable the check on FIPS. - thirdPartyAudit.enabled = false - }
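Review bot: The added `jarHell.enabled = false` in the `if (BuildParams.inFipsJvm)` block has no comment, while the comment that explained the old `thirdPartyAudit.enabled = false` is removed with it. A one-line reason above the new line would keep the block self-explanatory, e.g. `// BouncyCastle FIPS on the test classpath duplicates classes from the non-FIPS BouncyCastle jars, so jarHell cannot pass on a FIPS JVM` (reason inferred from the removed comment and the commit description, please confirm). With `test.enabled = false` already set in the same block, this module gets neither tests nor duplicate-class detection on FIPS, and judging by its path it is security CLI tooling, so it may be worth tracking when these can be re-enabled. plugins/ingest-attachment uses `jarHell.onlyIf { ... }` for the same purpose; picking one form would make the FIPS exclusions easier to find.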