Log4j
Voluntary ex-ante transparency notice
Services
Section I: Contracting authority/entity
Location: Leipzig
NUTS code: DED51 Leipzig, Kreisfreie Stadt
Country: Germany
Contact point(s): [deleted]
E-mail: [deleted]
Internet address(es):
Main address: https://sovereigntechfund.de/
Section II: Object
Log4j
Logging, the act of keeping a record of what has happened in an application, is a ubiquitous software component. Developers use logging libraries to keep this record. Log4j is one of the most widely deployed logging libraries, used by almost every Java-based software in the wild at massive scale.
The recent Log4j vulnerabilities (a.k.a. Log4Shell), which severely affected billions of applications and services all over the world (Amazon, Alibaba, Twitter, Microsoft, Steam, etc.), were a reminder of the crucial role Log4j plays in the world's IT infrastructure. In contrast to the scale of its deployment, Log4j is a free and open source project developed by a handful of volunteers.
This proposal aims to improve the release pipeline, documentation, source code repository structure and efficiency (garbage-free source location capture and unified memory management), and to introduce fuzz testing, a performance testbed, etc. In addition to being functional improvements, all of these have security-related implications: an improved release pipeline enables quick releases for security vulnerabilities, fuzz testing allows early vulnerability detection, etc.
The following milestones are planned:
August-December 2023
● Milestone 1: Migrating to a multi-repository structure
○ Prepare repositories, set up authentication credentials (secrets), set up Nexus repository, and align documentation.
○ Create first release, prepare code sources
● Milestone 2: Modernization
○ Upgrade Core Dependencies
○ Set up Spotless (code formatter) and set up static code analysis tools.
● Milestone 3: Software Bill of Materials (SBOM)
○ Implementation and Evaluation of SBOM
● Milestone 4: Unified Memory Management
○ Refactor recycler, and replace ThreadLocals outside of the core and api implementations
○ Replace ThreadLocals in the core and api implementations.
○ Clean up remaining code, fix configuration, improve documentation for new Recycler
January - December 2024
● Milestone 5: Code and documentation generation from API
○ Implement code/documentation generation from API
● Milestone 6: Online configuration validation tool
○ Auto-Generate Schemas
○ Provide online tool to validate user configurations.
● Milestone 7: Rewriting Manual
○ New Website, Javadoc, Security, Download, and Support pages
○ Create auto-generate content from source code
○ Manual introduction and Architect’s guide
○ Configuration manual
○ User’s Guide
○ Developer’s Guide
○ Committer’s guide
● Milestone 8: Google OSS Fuzz
○ Implementation and evaluation of proof of concept.
○ Test core implementation, and complete reports
● Milestone 9: Native Compilation support
○ Create Reflection Points, Attack Plan, Attack Plan Validation
○ Fix issues in log4j-core implementation
○ Fix popular modules (log4j-layout-template)
○ Complete Native Compilation support
● Milestone 10: Unified date-time formatting
○ Move instant formatter to core implementation
○ Fix layouts, deprecate old code, release new version.
● Milestone 11: Automatic migration tools
○ Research and Implement Source Migration
○ Research and Implement Byte Code migration
● Milestone 12: Fix API compatibility checks
○ Fix all API compatibility issues; this milestone also serves as some schedule buffer
Section IV: Procedure
- The contract does not fall within the scope of the Directive
As a research and development service, the contract is excluded from the scope of application of public procurement law (cf. Section 116 (1) No. 2 Act against Restraints on Competition).
Section V: Award of contract/concession
Location: Langerringen
NUTS code: DE276 Augsburg, Landkreis
Country: Germany
Section VI: Complementary information
Location: Bonn
Country: Germany