How to increase Bamboo Specs security


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article covers some features that help increase security when using Bamboo Specs.

Solution

Here are some features which contribute to Specs security:

POM sanitization

This feature ensures that, if users add external dependencies to their Specs project's pom.xml, those dependencies are not downloaded to the Bamboo server. Instead of building with the pom.xml checked out from the repository, Bamboo uses its own <BAMBOO_INSTALL>/atlassian-bamboo/WEB-INF/classes/bamboo-specs-pom.xml. As a result, any custom dependencies users declare are neither downloaded nor used, so a Specs commit cannot pull arbitrary artifacts onto the server.

This is explained in more detail in the Bamboo Specs troubleshooting documentation.

This feature is enabled by default. It can be disabled by adding the following system property to the JVM startup arguments in <BAMBOO_INSTALL>/bin/setenv (only do this if the Security Manager or the Docker runner below still applies, otherwise dependencies declared in a user's pom.xml will be fetched and used on the server):

-Dbamboo.repository.stored.specs.pom.sanitization.enabled=false

Security manager for Java Specs processing

This feature has been enabled by default since Bamboo 6.3. Unless it is explicitly disabled, Bamboo runs Java Specs processing under a custom Java Security Manager that denies the Specs code network access, execution of other processes, and reading or writing files outside of the working directory. This means that even if users add dependencies to their POM files (and POM sanitization is disabled), Bamboo will not allow those dependencies to be downloaded from the internet.

This feature can be disabled by adding the following system property to the JVM startup arguments in <BAMBOO_INSTALL>/bin/setenv:

-Dbamboo.repository.stored.specs.security.manager.enabled=false
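Both properties above default to enabled, so the check an administrator wants is simply "has either one been set to false in setenv?". The following POSIX shell script is an added example, not Atlassian's code: it scans a setenv file for the two -D flags and reports the effective state of each feature (absent counts as enabled, only an explicit =false counts as disabled). The setenv excerpts it runs against are constructed samples; the JVM_SUPPORT_RECOMMENDED_ARGS variable name in them is assumed to be the one Bamboo's setenv uses for extra JVM arguments, but the script only looks for the -D flags themselves, so it works wherever they appear in the file.

```shell
#!/bin/sh
# Added example, not Atlassian's code: audit a Bamboo setenv file for the two
# Specs-hardening JVM system properties. Both features are on by default, so
# a property that is absent counts as "enabled"; only an explicit "=false"
# counts as "disabled". The setenv excerpts below are constructed samples.

# specs_prop_state FILE PROPERTY
# Prints "enabled" or "disabled" for PROPERTY. If the flag appears more than
# once, the last occurrence wins (as it would on the JVM command line).
specs_prop_state() {
    _file="$1"
    _prop="$2"
    _val=$(grep -o -e "-D${_prop}=[A-Za-z]*" "$_file" | tail -n 1 | sed 's/.*=//')
    case "$_val" in
        false) echo disabled ;;
        *)     echo enabled ;;
    esac
}

# audit_specs_hardening FILE
# Prints the state of each property and returns 0 only if both are enabled.
audit_specs_hardening() {
    _rc=0
    for _p in bamboo.repository.stored.specs.pom.sanitization.enabled \
              bamboo.repository.stored.specs.security.manager.enabled; do
        _state=$(specs_prop_state "$1" "$_p")
        echo "$_p: $_state"
        [ "$_state" = enabled ] || _rc=1
    done
    return $_rc
}

# Constructed sample 1: an admin has switched POM sanitization off.
WEAK_SETENV=$(mktemp)
cat > "$WEAK_SETENV" <<'EOF'
# constructed excerpt of <BAMBOO_INSTALL>/bin/setenv (not a real install)
JVM_SUPPORT_RECOMMENDED_ARGS="-Xmx2g -Dbamboo.repository.stored.specs.pom.sanitization.enabled=false"
EOF

# Constructed sample 2: neither property is set, so both defaults apply.
DEFAULT_SETENV=$(mktemp)
cat > "$DEFAULT_SETENV" <<'EOF'
# constructed excerpt of <BAMBOO_INSTALL>/bin/setenv (not a real install)
JVM_SUPPORT_RECOMMENDED_ARGS="-Xmx2g"
EOF
trap 'rm -f "$WEAK_SETENV" "$DEFAULT_SETENV"' EXIT

for f in "$WEAK_SETENV" "$DEFAULT_SETENV"; do
    echo "== $f"
    if audit_specs_hardening "$f"; then
        echo "OK: both Specs hardening features are enabled"
    else
        echo "WARNING: a Specs hardening feature has been disabled in setenv"
    fi
done
```

To check a real installation, point audit_specs_hardening at <BAMBOO_INSTALL>/bin/setenv (or the file your init system actually sources) and treat a non-zero exit as a finding; the script deliberately reads the file rather than the running JVM's arguments, so run it on the host and confirm Bamboo has been restarted since setenv last changed.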

Specs Docker Runner

If 'Process Bamboo Specs in Docker' is enabled (Bamboo UI: cog icon > Overview > Security > Security settings), Bamboo builds the Specs project inside a Docker container; by default it uses the Atlassian-maintained bamboo-specs-runner image. Any external dependencies a project needs are then downloaded and executed inside that container rather than in the server's own environment, which prevents them from compromising Bamboo.

See the Bamboo Specs documentation for reference.





Last modified on Mar 23, 2023
