5561: Support for Crypto Events in JMC#686
5561: Support for Crypto Events in JMC#686Suchitainf wants to merge 13 commits intoopenjdk:masterfrom
Conversation
|
👋 Welcome back schaturvedi! A progress list of the required criteria for merging this PR into |
|
@Suchitainf This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 4 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Webrevs
|
|
|
||
| <context id="security"> | ||
| <description></description> | ||
| <topic href="PLUGINS_ROOT/org.openjdk.jmc.docs/html/GUID-4F885E48-A548-4140-B985-74B1685BEDEA.htm" label="Using the Security Page" /> |
There was a problem hiding this comment.
This seems to link to the exact same page as Using the TLAB Allocations Page. Copy/Paste error?
There was a problem hiding this comment.
Should perhaps the messages be more action oriented?
- Certificate with id x expired t days ago. It should be replaced.
- Certificate with id y is using SHA-1. It should be updated to use SHA-256 or SHA-512.
There was a problem hiding this comment.
This seems to link to the exact same page as Using the TLAB Allocations Page. Copy/Paste error?
Yes, I have added that link as placeholder for the respective html help page then forgot to update it. Is there any tool to generate the html help page or any other easy way? OR we need to write that completely from scratch.
There was a problem hiding this comment.
These were previously handled by the documentation team at Oracle, but they aren't anymore. You'll have to add a documentation page from scratch.
|
@Suchitainf this pull request can not be integrated into git checkout 5561
git fetch https://git.openjdk.org/jmc.git master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push |
openjdk
Bot
added
the
merge-conflict
|
Hi @thegreystone I have updated the action items in the Rules as per your suggestion. However, for HTML page I would need some help from docs team. As they are designed in some different way. Meanwhile, I have added a placeholder page and I have created a new ticket to track it separately. https://bugs.openjdk.org/browse/JMC-8487 Request you to kindly approve this PR if you dont have any other suggestions. |
openjdk
Bot
removed
the
merge-conflict
|
@Suchitainf This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a |
| return icon; | ||
| } | ||
|
|
||
| public static String getCryptoRuleResult( |
There was a problem hiding this comment.
There is a lot of code duplication. How about separating out some of the key functionality, e.g. :
private static boolean isWeakSignatureAlgorithm(String signatureAlgorithm) {
return signatureAlgorithm.contains("MD2") || signatureAlgorithm.contains("MD5");
}
There was a problem hiding this comment.
Both MD2 and MD5 have different logics of handling. Hence, i don't think we can merge them together.
| return remark; | ||
| } | ||
|
|
||
| public static String getCryptoIcon( |
There was a problem hiding this comment.
Splitting up the determination of the severity level and then deciding at the icon at the end might be cleaner. Perhaps using an enum for the severity level.
There was a problem hiding this comment.
Icon is just a string here which will be used later to show the specific icon.
|
@Suchitainf This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a |
|
/touch |
|
@Suchitainf The pull request is being re-evaluated and the inactivity timeout has been reset. |
|
|
| <div class="ind"><a id="SecurityPage" name="SecurityPage"></a><!-- End Header --> | ||
| <h1 id="JMCOH-SecurityPage" class="sect1">Using the Security Page</h1> | ||
| <div><p>The security page is designed to display information related to certificates used. It mainly displays the information derived from X509Certificate events. </p> | ||
| <p>There is one table which shows information related to the cryptographic algorithm. For ex: Signature Algorithm, Key type, Key length, Certificate Valid from, Certificate expiring on, Certificate Id and Issuer details. </p> |
There was a problem hiding this comment.
Unnecessary abbreviation. Just write out example.
| <li>Attention Needed. SHA-1 signature. It should be updated to use SHA-256 or SHA-512.</li> | ||
| </ul> | ||
| </div> | ||
| <p>If everything is fine we are displaying OK as crypto remark.</p> |
There was a problem hiding this comment.
How about "Certificates with no issues are marked with an OK status in the Crypto Remark column."?
| }; | ||
|
|
||
| public static final IAttribute<IQuantity> VALID_FROM = new Attribute<IQuantity>("validFrom", //$NON-NLS-1$ | ||
| Messages.getString(Messages.ATTR_VALID_FROM), Messages.getString(Messages.ATTR_RSS_PEAK_DESC), TIMESTAMP) { |
There was a problem hiding this comment.
Wrong description! (Messages.ATTR_RSS_PEAK_DESC)
| }; | ||
|
|
||
| public static final IAttribute<IQuantity> VALID_UNTIL = new Attribute<IQuantity>("validUntil", //$NON-NLS-1$ | ||
| Messages.getString(Messages.ATTR_VALID_UNTIL), Messages.getString(Messages.ATTR_RSS_PEAK_DESC), TIMESTAMP) { |
There was a problem hiding this comment.
Wrong description! (Messages.ATTR_RSS_PEAK_DESC)
| IQuantity duration = expiryDate.subtract(UnitLookup.EPOCH_MS.quantity(System.currentTimeMillis())); | ||
| long expiringInDays = TimeUnit.MILLISECONDS.toDays(duration.longValue()); | ||
|
|
||
| if ((expiringInDays > 0) && (expiringInDays < 90)) { |
There was a problem hiding this comment.
Should perhaps expiry warning threshold be configurable?
| .build(); | ||
| } else { | ||
| return ResultBuilder.createFor(CryptoSecurityRule.this, valueProvider).setSeverity(Severity.OK) | ||
| .setSummary("OK").build(); |
There was a problem hiding this comment.
Nit: Should this be hardcoded?
|
/integrate |
|
Going to push as commit bde624e.
Your commit was automatically rebased without conflicts. |
|
@Suchitainf Pushed as commit bde624e. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
2 participants
This PR enhances the JMC UI for adding new information related to crypto events: specifically X509CertificateEvent.
This PR adds a new rule with respect to X509CertificateEvent which provides alert related to expired/expiring certificates and weak signature algorithms or weak key length or key type. The rule gives a basic overview of all the certificate ids which needs action or attention, however complete details are provided as part of a new screen - Security.
Attaching the screenshots here for better reference:
Rule Page:
Security Screen Page:
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jmc.git pull/686/head:pull/686$ git checkout pull/686Update a local copy of the PR:
$ git checkout pull/686$ git pull https://git.openjdk.org/jmc.git pull/686/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 686View PR using the GUI difftool:
$ git pr show -t 686Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jmc/pull/686.diff
Using Webrev
Link to Webrev Comment