[wildfly-dev] Implementing enforce-victims-rule in wildfly builds

David Jorm djorm at redhat.com
Thu May 30 20:08:38 EDT 2013


> > Network lookup: By default, the plugin synchronizes a local h2 database
> > with the canonical database hosted on victi.ms. The sync is
> > differential. At the moment, the initial sync is > 50MB and could take a
> > minute or two.
> 
> 50MB?  Holy meatballs... is that a simple text listing of compromised
> GAVs?  If so, that is truly terrifying.

At the moment the DB has 349 entries, so each entry is on average 140 KB. The data consists of individual checksums for each class file in the known-vulnerable JAR (actually it is more than just a checksum: the class is pre-processed to remove compiler marks and to resolve lookup table entries, but that is a whole other topic). This enables us to identify various builds from the same source. Say, for example, foobar 1.2 is vulnerable, and we generated a database entry for Red Hat's internally built copy of foobar 1.2. The same entry should also catch a rebuild of foobar 1.2 using a different JDK, the upstream bits, the Maven Central bits, and a superset JAR that includes foobar, foobar-thing and foobar-otherthing all packed together in foobar-all.jar.

Thanks
David
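The per-class fingerprinting David describes, as an added illustration that is not the victims plugin's own code: one fingerprint per `.class` entry, a database entry being the set of fingerprints for a known-vulnerable JAR, and a scanned JAR flagged when it contains every fingerprint of an entry (so a superset JAR such as foobar-all.jar, or the same classes rebuilt with a different target version, still matches). The normalization step is an assumption: the real pre-processing strips compiler marks and resolves lookup-table entries, whereas this stand-in only blanks the class-file version fields. The JAR contents, the "class files" (magic plus version plus an arbitrary payload, not valid bytecode) and the CVE identifier are all constructed placeholders.

```python
import hashlib
import io
import zipfile
from typing import Dict, Iterable, List, Set, Tuple

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def normalize_class(data: bytes) -> bytes:
    """Simplified stand-in (assumption) for the plugin's pre-processing.

    The real tool removes compiler marks and resolves lookup-table entries;
    here we only zero the minor/major version fields (bytes 4..8) so the
    same bytecode emitted for a different class-file version still matches.
    """
    if len(data) < 8 or not data.startswith(CLASS_MAGIC):
        raise ValueError("not a class file")
    return CLASS_MAGIC + b"\x00\x00\x00\x00" + data[8:]


def class_fingerprints(jar_bytes: bytes) -> Dict[str, str]:
    """Map every .class entry in a JAR to the SHA-256 of its normalized bytes."""
    out: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                out[name] = hashlib.sha256(normalize_class(zf.read(name))).hexdigest()
    return out


def build_db_entry(cve: str, vulnerable_jar: bytes) -> dict:
    """One database entry: the vulnerability id plus the class fingerprint set."""
    return {"cve": cve, "hashes": set(class_fingerprints(vulnerable_jar).values())}


def scan_jar(jar_bytes: bytes, db: Iterable[dict]) -> List[str]:
    """Return the ids of every entry whose full fingerprint set is in the JAR.

    Requiring the whole set is what lets a superset JAR be caught while a JAR
    that merely shares a single class with the vulnerable artifact is not.
    """
    present: Set[str] = set(class_fingerprints(jar_bytes).values())
    return [e["cve"] for e in db if e["hashes"] and e["hashes"] <= present]


# ---- constructed sample data ---------------------------------------------

def fake_class(payload: bytes, major: int = 51) -> bytes:
    """Constructed: magic + minor/major version + payload, not real bytecode."""
    return CLASS_MAGIC + b"\x00\x00" + major.to_bytes(2, "big") + payload


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory JAR (a zip) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


PLACEHOLDER_CVE = "CVE-0000-0000"  # placeholder id, not a real advisory


def demo() -> Tuple[List[str], List[str], List[str]]:
    # The "known vulnerable" foobar 1.2 build the database entry was generated from.
    foobar_12 = make_jar({
        "org/foobar/A.class": fake_class(b"A-bytecode", major=51),
        "org/foobar/B.class": fake_class(b"B-bytecode", major=51),
    })
    db = [build_db_entry(PLACEHOLDER_CVE, foobar_12)]

    # foobar-all.jar: same classes rebuilt for a newer class-file version,
    # bundled with an unrelated extra class. Still flagged.
    foobar_all = make_jar({
        "org/foobar/A.class": fake_class(b"A-bytecode", major=52),
        "org/foobar/B.class": fake_class(b"B-bytecode", major=52),
        "org/foobar/thing/C.class": fake_class(b"C-bytecode", major=52),
    })
    # A JAR that only shares one class with the vulnerable artifact: not flagged.
    partial = make_jar({"org/foobar/A.class": fake_class(b"A-bytecode")})
    # A fixed build whose bytecode actually changed: not flagged.
    fixed = make_jar({
        "org/foobar/A.class": fake_class(b"A-bytecode-patched"),
        "org/foobar/B.class": fake_class(b"B-bytecode"),
    })
    return scan_jar(foobar_all, db), scan_jar(partial, db), scan_jar(fixed, db)


if __name__ == "__main__":
    print(demo())  # (['CVE-0000-0000'], [], [])
```

The size arithmetic in the mail follows directly from this design: an entry is not one hash per artifact but one per class, so a large JAR contributes as many fingerprints as it has classes.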

