JDK-8264010

Add Gradle dependency verification

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: openjfx17
    • Fix Version/s: openjfx17
    • Component/s: javafx
    • CPU:
      generic
    • OS:
      generic

      Description

      Add dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. The verification file documents the dependencies and guarantees the integrity of the JAR and POM files downloaded during the build.

      SYSTEM / OS / JAVA RUNTIME INFORMATION

      Ubuntu 20.04.2 LTS
        $ uname -srm
        Linux 5.4.0-67-generic x86_64

      macOS 11.2.3 (Big Sur)
        $ uname -srm
        Darwin 20.3.0 x86_64

      Microsoft Windows 10 Pro Version 10.0.19042
        $ uname -srm
        CYGWIN_NT-10.0 3.1.7(0.340/5/3) x86_64

      Oracle OpenJDK 15.0.2
        $ java --version
        openjdk 15.0.2 2021-01-19
        OpenJDK Runtime Environment (build 15.0.2+7-27)
        OpenJDK 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing)

      STEPS TO REPRODUCE

      Reproduce the problem in two steps:

      1. Modify the JAR file of a dependency in the Gradle cache:
        $ strip-nondeterminism $(find ~/.gradle -name ST4-4.1.jar)

      2. Build JavaFX:
        $ bash gradlew sdk jmods

      I made a non-destructive change to the 'ST4-4.1.jar' file with the Linux 'strip-nondeterminism' command, which modifies the order and modification times of the files in the archive.

      EXPECTED RESULTS

        $ bash gradlew sdk jmods
        ...
        > Task :graphics:generateGrammarSource FAILED

        FAILURE: Build failed with an exception.

        * What went wrong:
        Execution failed for task ':graphics:generateGrammarSource'.
        > Dependency verification failed for configuration ':graphics:antlr'
          One artifact failed verification: ST4-4.1.jar (org.antlr:ST4:4.1)
          from repository MavenRepo
          This can indicate that a dependency has been compromised.
          Please carefully verify the checksums.
        ...
        BUILD FAILED in 1s
        5 actionable tasks: 2 executed, 3 up-to-date

      ACTUAL RESULT

        $ bash gradlew sdk jmods
        ...
        BUILD SUCCESSFUL in 1m 41s
        134 actionable tasks: 134 executed

      SOURCE CODE FOR AN EXECUTABLE TEST CASE

      None.

      WORKAROUND

      None.
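
The check that the verification file performs, as an added example that is not part of the original report or the OpenJFX build: a constructed two-entry archive stands in for ST4-4.1.jar, and the constructed metadata follows the layout of Gradle's verification-metadata.xml. It shows that reordering entries and resetting timestamps leaves every file's content intact yet changes the SHA-256 that verification compares; the function names are hypothetical.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}

def build_jar(entries, date_time):
    """Write entries in the given order, each stamped with date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def contents(jar_bytes):
    """Map entry name -> uncompressed bytes, ignoring order and timestamps."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: jar.read(name) for name in jar.namelist()}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify(metadata_xml, artifact, jar_bytes):
    """True only if the artifact is listed and its recorded SHA-256 matches."""
    root = ET.fromstring(metadata_xml)
    node = root.find(f".//v:artifact[@name='{artifact}']/v:sha256", NS)
    return node is not None and node.get("value") == sha256_hex(jar_bytes)

# Constructed stand-in for ST4-4.1.jar; entry names and bytes are made up.
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
           ("org/example/Template.class", b"\xca\xfe\xba\xbe constructed")]
ORIGINAL = build_jar(ENTRIES, (2013, 6, 1, 12, 0, 0))
# Same files, reversed order, timestamps reset: the kind of change the report makes.
MODIFIED = build_jar(ENTRIES[::-1], (1980, 1, 1, 0, 0, 0))
# Constructed metadata recording the checksum of the unmodified archive.
METADATA = f"""<verification-metadata xmlns="{NS['v']}">
  <components>
    <component group="org.antlr" name="ST4" version="4.1">
      <artifact name="ST4-4.1.jar">
        <sha256 value="{sha256_hex(ORIGINAL)}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""

if __name__ == "__main__":
    print("same contents:", contents(ORIGINAL) == contents(MODIFIED))
    print("original verifies:", verify(METADATA, "ST4-4.1.jar", ORIGINAL))
    print("modified verifies:", verify(METADATA, "ST4-4.1.jar", MODIFIED))
```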

              People

              Assignee:
              jgneff John Neffenger
              Reporter:
              jgneff John Neffenger