Adding secure mode option to build scripting

This mode will eventually be used to disable a range of build script functionality that raises the potential security risk level during the build process. After this commit is merged, we will need to add the flag to the pipeline job configurations in order to pass it into build jobs. Signed-off-by: Adam Farley <[email protected]>
adoptium · Dec 4, 2024 · 3ed9424 · 3ed9424
1 parent 267756b
commit 3ed9424
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh
@@ -63,6 +63,7 @@ DISABLE_ADOPT_BRANCH_SAFETY
 DOCKER_FILE_PATH
 DOCKER_SOURCE_VOLUME_NAME
 ENABLE_SBOM_STRACE
+ENABLE_SECURE_MODE
 FREETYPE
 FREETYPE_DIRECTORY
 FREETYPE_FONT_BUILD_TYPE_PARAM
@@ -299,6 +300,9 @@ function parseConfigurationArguments() {
         "--enable-sbom-strace" )
         BUILD_CONFIG[ENABLE_SBOM_STRACE]=true;;
 
+        "--enable-secure-mode" )
+        BUILD_CONFIG[ENABLE_SECURE_MODE]=true;;
+
         "--freetype-dir" | "-f" )
         BUILD_CONFIG[FREETYPE_DIRECTORY]="$1"; shift;;
 
@@ -558,6 +562,9 @@ function configDefaults() {
 
   BUILD_CONFIG[ENABLE_SBOM_STRACE]="false"
 
+  # Set default value to "false", for maximum user convenience. "false" enables potentially-insecure functionality, like the dynamic download of boot JDKs.
+  BUILD_CONFIG[ENABLE_SECURE_MODE]="false"
+
   # The default behavior of whether we want to create a separate source archive
   BUILD_CONFIG[CREATE_SOURCE_ARCHIVE]="false"