gradle/github-dependency-graph-gradle-plugin

Include JVM version in published Dependency Graph

Closed this issue · 3 comments

It's very likely that the version of the JVM used to build the project will match the one used in production.

It would be useful to end-users to report this so they can determine if they are using a JDK with known vulnerabilities

> It's very likely that the version of the JVM used to build the project will match the one used in production.

I actually tend to disagree. In my experience, the exact JVM distribution and patch-level version is implied by what's available from the package management system you build or run on. So people usually care about nothing more than the major JVM version. That's why I don't believe that reporting the exact build JVM is of much value for runtime issues.

I concur with @sschuberth . In the build pipelines I manage, we build with one image and run with a different base image. We obscure the patch version from our build containers (users only know they build with Java 8, 11, or 17). Users do, however, choose the patch version for their runtime containers (for now).

Our build images contain various tools that are only needed during build (git and ssh tools, for example). They are not included in our runtime images because they are unnecessary and many pose security vulnerabilities of their own.

I don't think this adds much value. Even when the build has configured a JVM Toolchain, it's likely that this would only verify the JDK installed on the GitHub runner.
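The distinction the last comment draws, between the JDK that happens to run Gradle on the runner and the JDK a configured toolchain actually compiles with, can be made visible from the build itself. The following is an added illustration, not code from this plugin or from anyone in the thread; it assumes a Gradle Kotlin DSL build with the `java` plugin applied and a Java 17 toolchain, and the task name `reportJvms` is made up for the example.

```kotlin
// build.gradle.kts (added illustration; not the plugin's code)
plugins {
    java
}

java {
    // Pin the compile/test JDK via toolchains. Gradle itself may still run on a
    // different JVM, which is the one a naive "build JVM" report would capture.
    toolchain {
        languageVersion.set(JavaLanguageVersion.of(17))
    }
}

// Hypothetical task: prints both JVMs so the gap is obvious on a CI runner.
tasks.register("reportJvms") {
    doLast {
        // The JVM running the Gradle daemon, i.e. whatever JDK the runner exposes
        // through JAVA_HOME / PATH.
        val daemonVendor = System.getProperty("java.vendor")
        val daemonRuntime = System.getProperty("java.runtime.version")
        println("Gradle daemon JVM : $daemonVendor $daemonRuntime")

        // The JVM the toolchain resolves to, i.e. the one used to compile and test.
        val launcher = javaToolchains.launcherFor(java.toolchain).get()
        val meta = launcher.metadata
        println("Toolchain JVM     : ${meta.vendor} ${meta.javaRuntimeVersion} (${meta.installationPath})")
    }
}
```

Run it with `./gradlew -q reportJvms`; on a GitHub runner the two lines typically differ whenever the toolchain is pinned to something other than the runner's default JDK. The built-in `./gradlew -q javaToolchains` task lists every installation Gradle detected, which is useful for checking where the toolchain JDK came from.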