Posted to commits@groovy.apache.org by pa...@apache.org on 2022/01/06 11:35:33 UTC

[groovy] 05/05: documentation: replace TBD with initial version of security info

This is an automated email from the ASF dual-hosted git repository.

paulk pushed a commit to branch GROOVY_4_0_X
in repository https://gitbox.apache.org/repos/asf/groovy.git

commit 40b0174dcd39b33c25b32ff2bef963c6fcd046b1
Author: Paul King <pa...@asert.com.au>
AuthorDate: Thu Jan 6 20:46:25 2022 +1000

    documentation: replace TBD with initial version of security info
---
 subprojects/groovy-binary/src/spec/doc/index.adoc  | 37 +++++++++++++++++++++-
 .../groovy-sql/src/spec/doc/sql-userguide.adoc     |  1 +
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/subprojects/groovy-binary/src/spec/doc/index.adoc b/subprojects/groovy-binary/src/spec/doc/index.adoc
index 9e096b7..a0ef111 100644
--- a/subprojects/groovy-binary/src/spec/doc/index.adoc
+++ b/subprojects/groovy-binary/src/spec/doc/index.adoc
@@ -55,6 +55,7 @@ include::../../../../../src/spec/doc/core-introduction.adoc[]
 :jmx:
 :tools-groovyc:
 :xml-userguide:
+:sql-userguide:
 
 include::../../../../../src/spec/doc/core-syntax.adoc[leveloffset=+2]
 
@@ -136,7 +137,41 @@ Creating Swing UIs is made easy thanks to the use of <<swingbuilder,SwingBuilder
 
 === Security
 
-(TBD)
+Security is a complex and multi-faceted issue and needs to be addressed in a holistic way.
+Groovy offers some features to improve security, but organisations
+concerned about security should already be addressing other necessary aspects
+such as network security, file-system security, operating sytem security, database security,
+passwords and potentially encryption.
+
+Also, since Groovy runs on the JDK and optionally uses other library dependencies,
+users should ensure their JDK and all depdendencies are up to date with respect to
+the latest security fixes.
+
+With regard to security issues that may affect the Groovy project itself,
+the project follows the Apache http://www.apache.org/security/committers.html[general guidelines for handling security vulnerabilities]. See also the project's
+https://github.com/apache/groovy/security/policy[security policy] and list of
+https://groovy-lang.org/security.html[past vulnerabilities].
+
+By virtue of running on the JVM and following various Java conventions, Groovy programs
+offer some of the same security features as Java programs, including:
+
+* programs cannot access arbitrary memory locations
+* final variables cannot be changed
+* array bounds are checked
+* class loaders perform bytecode verification when loading classes
+* casting cannot be done to an incompatible class
+* access is available to APIs for encryption and authentication
+
+Special security support is provided through:
+
+* gapi:groovy.lang.GroovyShell[], gapi:groovy.lang.GroovyClassLoader[] and other parts of the Groovy runtime fully support the Java security manager which allows you to sandbox script execution with a security policy. (Note: this funtionality might be scaled back in future Groovy versions or when running
+on particular JDK versions in line with https://openjdk.java.net/jeps/411[JEP 411])
+* gapi:org.codehaus.groovy.control.customizers.SecureASTCustomizer[]
+secures source code by controlling what code constructs are permitted or prohibited in a code base
+(or part of a code base)
+* Default <<{xml-userguide}#processing-xml,XML processing>> has secure processing enabled and doctype definitions disabled
+* Groovy's <<{sql-userguide}#processing-sql,SQL processing>> features provide support to guard against SQL injection
+* Temporary directory creation protects against known security vulnerabilities such as privilege escalation if scripts are stored in operating system temp directories
 
 include::../../../../../src/spec/doc/design-patterns-in-groovy.adoc[leveloffset=+2]
 
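Review bot: three spelling errors in the added prose should be fixed before this lands: `operating sytem security` should read `operating system security`, `all depdendencies` should read `all dependencies`, and `this funtionality might be scaled back` should read `this functionality`. The cross-reference `<<{sql-userguide}#processing-sql,SQL processing>>` depends on both the new `:sql-userguide:` attribute in the first hunk and the `[[processing-sql]]` anchor added to sql-userguide.adoc further down in this commit, so it is worth checking the rendered documentation for a resolved link rather than a broken xref. On the security manager bullet, JEP 411 deprecates the Security Manager for removal, so saying "deprecated for removal" instead of "might be scaled back" would tell readers more plainly not to treat that sandbox as a long-term boundary.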
diff --git a/subprojects/groovy-sql/src/spec/doc/sql-userguide.adoc b/subprojects/groovy-sql/src/spec/doc/sql-userguide.adoc
index 6f44f8e..b9ec839 100644
--- a/subprojects/groovy-sql/src/spec/doc/sql-userguide.adoc
+++ b/subprojects/groovy-sql/src/spec/doc/sql-userguide.adoc
@@ -19,6 +19,7 @@
 
 //////////////////////////////////////////
 
+[[processing-sql]]
 = Interacting with a SQL database
 
 Groovy's `groovy-sql` module provides a higher-level abstraction over Java's JDBC technology. JDBC itself provides