Updating Bazel's embedded JDK and remote_JDK

Gunnar Wagenknecht

Mar 20, 2020, 2:24:30 PM
to bazel-discuss
Hi,

Our security folks started to flag Bazel because of a version it downloads into the .cache folder as well as its embedded JDK being a version with known security vulnerabilities. What is the process for updating those?

We are getting flagged for both - the embedded one and the remote_jdk11 (--javabase=@bazel_tools//tools/jdk:remote_jdk11).

Any pointers are appreciated.

Thanks!

-Gunnar

--
Gunnar Wagenknecht
gun...@wagenknecht.org, http://guw.io/


Philipp Wollermann

Mar 23, 2020, 7:41:41 AM
to Gunnar Wagenknecht, bazel-discuss
Hi Gunnar,

I have upgraded the embedded and remote host JDK to the latest version of Azul Zulu 11 in these commits:
Unfortunately, it was one day after the baseline for 2.2.0 was picked, so it will only be part of Bazel 3.0, which will hopefully be released very soon now.
If you want to build your own Bazel release with the newer embedded JDK, it should be enough to just cherry-pick that commit and rebuild it. You can verify the JDK version afterwards via "bazel info".

Could you share some more information about the security vulnerability that affects Bazel? We might want to create patch releases for older versions then.

Cheers,
Philipp

--
Philipp Wollermann | Software Engineer | phi...@google.com
Google Germany GmbH | Erika-Mann-Straße 33 | 80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Gunnar Wagenknecht

Mar 23, 2020, 8:26:42 AM
to Philipp Wollermann, bazel-discuss
Hi Philipp,

Thanks for the response.

I don't have insights into the full list of vulnerabilities. Based on the information I have (examples from the report) it looks like the scanning tool is detecting the version of Java and then reporting it as one with known vulnerabilities.

Example:

On Linux:
~/.cache/bazel/_bazel_<user>/install/<hash>/_embedded_binaries/embedded_tools/jdk/
Installed version: 1.11.0_2
Fixed version: 1.11.0_5

or
~/.cache/bazel/_bazel_<user>/install/<hash>/external/remotejdk_linux/
Installed version: 1.11.0_1
Fixed version: 1.11.0_2


-Gunnar

--
Gunnar Wagenknecht
gun...@wagenknecht.org, http://guw.io/
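A defender-side check for the situation Gunnar describes, as an added example that is not part of this thread or of Bazel: walk the cache locations from his report, read each JDK's standard `release` file and flag any JDK below a minimum patch level. It assumes every JDK directory carries a `release` file with a `JAVA_VERSION="11.0.2"` line, and that the scanner's "1.11.0_2" notation corresponds to 11.0.2; the cache tree it scans is constructed in a temp directory.

```python
"""Audit the JDKs Bazel unpacks into ~/.cache against a minimum patch level.

Constructed example, not from the thread. Assumes each JDK directory carries
the standard `release` file with a JAVA_VERSION="11.0.2" line; the "1.11.0_2"
notation in the scanner report is assumed to mean 11.0.2.
"""
import re
import tempfile
from pathlib import Path

# Relative locations named in the report for the embedded and remote JDK.
JDK_GLOBS = (
    "_bazel_*/install/*/_embedded_binaries/embedded_tools/jdk/release",
    "_bazel_*/install/*/external/remotejdk_linux/release",
)

def parse_java_version(release_text: str) -> tuple[int, ...]:
    """Return JAVA_VERSION from a JDK `release` file as an int tuple, e.g. (11, 0, 2)."""
    m = re.search(r'^JAVA_VERSION="([0-9.]+)"', release_text, re.MULTILINE)
    if not m:
        raise ValueError("no JAVA_VERSION line in release file")
    return tuple(int(p) for p in m.group(1).split("."))

def find_outdated_jdks(cache_root: str, minimum: tuple[int, ...]) -> dict[str, str]:
    """Map each JDK directory below cache_root to its version if older than `minimum`."""
    outdated = {}
    root = Path(cache_root)
    for pattern in JDK_GLOBS:
        for release in root.glob(pattern):
            version = parse_java_version(release.read_text())
            if version < minimum:  # tuple comparison: (11, 0, 2) < (11, 0, 5)
                outdated[release.parent.relative_to(root).as_posix()] = ".".join(map(str, version))
    return outdated

def _demo() -> dict[str, str]:
    # Constructed cache tree mirroring the two paths in the report, plus one patched install.
    tmp = tempfile.mkdtemp()
    fixtures = {
        "_bazel_alice/install/abc123/_embedded_binaries/embedded_tools/jdk": "11.0.2",
        "_bazel_alice/install/abc123/external/remotejdk_linux": "11.0.1",
        "_bazel_alice/install/def456/_embedded_binaries/embedded_tools/jdk": "11.0.6",
    }
    for rel, ver in fixtures.items():
        d = Path(tmp, rel)
        d.mkdir(parents=True)
        (d / "release").write_text(f'IMPLEMENTOR="constructed"\nJAVA_VERSION="{ver}"\n')
    return find_outdated_jdks(tmp, minimum=(11, 0, 5))

if __name__ == "__main__":
    for path, ver in _demo().items():
        print(f"{path}: {ver} (below required fixed version)")
```

Point `find_outdated_jdks` at a real `~/.cache/bazel` to reproduce the scanner's finding locally, and compare with `bazel info java-runtime` on the same machine.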


Philipp Wollermann

Mar 23, 2020, 8:36:27 AM
to Gunnar Wagenknecht, bazel-discuss
Hi Gunnar,

I see, thanks! Can you somehow verify that Bazel 3.0rc1 is not marked as vulnerable using your tool? That would help us make sure that the release actually contains the fixes you need :)

Cheers,
Philipp

John Cater

Mar 23, 2020, 8:48:03 AM
to Philipp Wollermann, Gunnar Wagenknecht, bazel-discuss