
Security Policy violation Binary Artifacts #808

Closed
google-allstar-prod bot opened this issue Dec 15, 2022 · 13 comments · Fixed by #820
Comments

@google-allstar-prod

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

First 10 Artifacts Found

  • private/tools/prebuilt/hasher_deploy.jar
  • private/tools/prebuilt/list_packages_deploy.jar
  • private/tools/prebuilt/outdated_deploy.jar
  • third_party/jetifier/jetifier-standalone/lib/annotations-13.0.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-analysis-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-commons-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-tree-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-util-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/commons-cli-1.3.1.jar
  • Run a Scorecards scan to see full list.

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.


Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

@google-allstar-prod
Author

Updating issue after ping interval. See its status below.


Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

First 10 Artifacts Found

  • private/tools/prebuilt/hasher_deploy.jar
  • private/tools/prebuilt/list_packages_deploy.jar
  • private/tools/prebuilt/outdated_deploy.jar
  • third_party/jetifier/jetifier-standalone/lib/annotations-13.0.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-analysis-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-commons-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-tree-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-util-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/commons-cli-1.3.1.jar
  • Run a Scorecards scan to see full list.

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

6 similar comments
@shs96c
Collaborator

shs96c commented Dec 26, 2022

Thanks for letting us know, but the binary artefacts included in this release have been reviewed by the contributors.

@shs96c shs96c closed this as completed Dec 26, 2022
@google-allstar-prod
Author

Reopening issue. See its status below.


Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

First 10 Artifacts Found

  • private/tools/prebuilt/hasher_deploy.jar
  • private/tools/prebuilt/list_packages_deploy.jar
  • private/tools/prebuilt/outdated_deploy.jar
  • third_party/jetifier/jetifier-standalone/lib/annotations-13.0.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-analysis-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-commons-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-tree-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/asm-util-8.0.1.jar
  • third_party/jetifier/jetifier-standalone/lib/commons-cli-1.3.1.jar
  • Run a Scorecards scan to see full list.

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

@google-allstar-prod google-allstar-prod bot reopened this Dec 26, 2022
@shs96c
Collaborator

shs96c commented Dec 27, 2022

I'm sorry. I don't know who you are, and you've given no justification about why an Open Source project should adhere to "Allstar"'s security policy. I am closing this issue (again), and would ask that a human come and talk to the committers of the project on the Bazel #java Slack channel, providing additional context and justifications.

I am closing this issue. Again. Please do not passive-aggressively open this again.

@shs96c shs96c closed this as completed Dec 27, 2022
@bazel-contrib bazel-contrib locked as resolved and limited conversation to collaborators Dec 27, 2022
@google-allstar-prod google-allstar-prod bot reopened this Dec 27, 2022
jin added a commit that referenced this issue Jan 4, 2023
@sventiffe

Apologies Simon and thank you for flagging. Allstar is a project by the Google Open Source Program Office and enforced on all Google organizations. As mentioned in the boilerplate text, binaries are considered a security risk and the bot will reopen the issue until mora^H^H^H^Hpreconditions are met, I assume.

Aside from removing the binaries, there are two ways to silence the alert for the time being (to my knowledge):

Create a .allstar/binary_artifacts.yaml file in your repo, and add the full paths to any files that should be ignored.

# Ignore reason: <example> These artifacts are used in integration tests...
ignorePaths:
- path/to/binary.jar
- path/to/another/binary.so

To exempt the entire repo, create the below .allstar/binary_artifacts.yaml file in your repo. In the YAML, add a comment with a description of why the repo is exempt.

# Exemption reason: <example>This repo uses binary artifacts for integration tests...
# Exemption timeframe: permanent/temporary
optConfig:
  optOut: true

Jin has been faster, but for completeness I will still add my comment :)
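The two configuration shapes in the comment above (an `ignorePaths` allow-list with a reason comment, or a blanket `optOut`) are easy to get wrong quietly: an ignored path can outlive the file it was meant for, and an opt-out with no recorded reason gives a later reviewer nothing to audit. The following is an added example, not Allstar or Scorecard code, of a small repository-side check in that spirit: it flags executable artifacts by magic bytes and suffix, applies the `.allstar/binary_artifacts.yaml` subset shown in the thread, and reports stale ignores and missing reason comments. It assumes the repository tree is supplied as a `path -> bytes` mapping, supports only the two flat YAML shapes posted above (hand-parsed, so no PyYAML dependency), and uses a constructed sample tree whose jar paths are borrowed from the bot's artifact list.

```python
"""Added example (not Allstar's or Scorecard's own code): a minimal
binary-artifact check that honours the .allstar/binary_artifacts.yaml
subset shown in the thread. Assumes a path -> bytes mapping as the repo."""
from __future__ import annotations

# Well-known magic numbers of executable containers (constructed list).
MAGIC = {
    b"PK\x03\x04": "zip/jar",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xcf\xfa\xed\xfe": "mach-o-64",
    b"\xca\xfe\xba\xbe": "java-class-or-fat-macho",
}
BINARY_SUFFIXES = (".jar", ".so", ".dll", ".exe", ".dylib", ".class", ".whl")


def looks_binary(path: str, data: bytes) -> str | None:
    """Return a short reason if the file is an executable artifact, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return f"magic:{kind}"
    if path.lower().endswith(BINARY_SUFFIXES):
        return "suffix"
    return None


def parse_allstar_config(text: str | None) -> tuple[bool, list[str], bool]:
    """Read the ignorePaths / optConfig.optOut subset of the Allstar config.

    Returns (opt_out, ignore_paths, has_reason_comment). This understands only
    the two flat shapes posted in the thread; it is not a general YAML parser.
    """
    if text is None:
        return False, [], False
    opt_out, ignore, has_reason, in_ignore = False, [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            # The thread's convention: a "# ... reason: ..." comment explains the exemption.
            has_reason = has_reason or "reason" in line.lower()
            continue
        if line.startswith("ignorePaths:"):
            in_ignore = True
            continue
        if in_ignore and line.startswith("- "):
            ignore.append(line[2:].strip())
            continue
        in_ignore = False
        if line.startswith("optOut:"):
            opt_out = line.split(":", 1)[1].strip().lower() == "true"
    return opt_out, ignore, has_reason


def scan_repo(tree: dict[str, bytes]) -> dict:
    """Find binaries, apply the config, and report what a reviewer should see."""
    cfg = tree.get(".allstar/binary_artifacts.yaml")
    opt_out, ignore, has_reason = parse_allstar_config(cfg.decode() if cfg else None)
    binaries = {p: r for p, d in sorted(tree.items()) if (r := looks_binary(p, d))}
    return {
        "opt_out": opt_out,
        "binaries": binaries,
        # With a blanket opt-out nothing is reported, which is exactly why the reason matters.
        "violations": {} if opt_out else {p: r for p, r in binaries.items() if p not in ignore},
        # Ignored paths with no file behind them: the allow-list has drifted from the tree.
        "stale_ignores": [p for p in ignore if p not in tree],
        "missing_reason": (opt_out or bool(ignore)) and not has_reason,
    }


# Constructed sample tree; the jar paths are taken from the bot's artifact list above.
SAMPLE_TREE = {
    "README.md": b"# demo\n",
    "src/main.py": b"print('hi')\n",
    "private/tools/prebuilt/hasher_deploy.jar": b"PK\x03\x04" + b"\0" * 16,
    "third_party/jetifier/jetifier-standalone/lib/asm-8.0.1.jar": b"PK\x03\x04" + b"\0" * 16,
    "tools/helper": b"\x7fELF" + b"\0" * 16,
    ".allstar/binary_artifacts.yaml": (
        b"# Ignore reason: <example> prebuilt tools reviewed by contributors\n"
        b"ignorePaths:\n"
        b"- private/tools/prebuilt/hasher_deploy.jar\n"
        b"- private/tools/prebuilt/removed.jar\n"
    ),
}

if __name__ == "__main__":
    report = scan_repo(SAMPLE_TREE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample tree, the check still reports the un-ignored jar and the extension-less ELF file as violations, lists the ignore entry whose file no longer exists, and stays quiet about the reason because the comment is present; swapping in the `optOut: true` shape without a reason comment suppresses every violation and sets `missing_reason`, which is the case a CI job should fail on.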

@jin
Collaborator

jin commented Jan 4, 2023

Thanks Sven for the pointer and clarification!

@shs96c
Collaborator

shs96c commented Jan 4, 2023

Thanks for the update and the explanation. That makes things a lot clearer. Knowing that we can opt out of various parts of this is most helpful.

I suspect that other repos are likely to also ignore the stricture on binary artefacts: given the way that repo rules work, packaging select binaries in the repo makes some use cases a lot simpler. The alternative of downloading binaries uploaded as assets to releases suffers from the same lack of transparency, but lacks the opportunity for a code review, so while passing the letter of the security constraint massively violates the spirit of it.
