Missing integrity check in Dragonwell Dockerfile #999

Closed
steelhead31 opened this issue Apr 9, 2024 · 0 comments · Fixed by #1000

@steelhead31
Contributor

Found as part of the Trail of Bits audit:

Ref: TOB-TEMURIN-6

The Dragonwell Dockerfile downloads and installs the Dragonwell software without
verifying its integrity. The integrity should be verified using a hashsum like SHA256 to
ensure the integrity of the download, and ensure that the system is receiving the same
data across multiple downloads.

See ToB report for further details.
