VA Technical Reference Model v 25.5

The following reference(s) are associated with this entry:

Note: This list may not be complete. No component, listed or unlisted, may be used outside of the technology in which it is released. The usage decision for a component is found in the Decision and Decision Constraints.

• This entry is available as an open source technology.

• macOS - Authorized w/ Constraints
• Red Hat Enterprise Linux (RHEL) - Authorized w/ Constraints
• Windows Client - Authorized w/ Constraints
• Windows Server - Authorized w/ Constraints

Runtime Dependencies:

• Apache Hypertext Transfer Protocol (HTTP) Server - Authorized w/ Constraints
• Apache Tomcat - Authorized w/ Constraints
• JDK - Oracle Java Standard Edition (SE) Development Kit - Authorized w/ Constraints
• Kubernetes - Authorized w/ Constraints
• Microsoft Internet Information Services (IIS) - Authorized w/ Constraints
• Mirantis Container Runtime (MCR) - Authorized w/ Constraints

Optional Dependencies:

• No optional dependencies have been identified.

Comparable Technologies:

• Apache ZooKeeper - Authorized w/ Constraints
• BMC AMI DevX Code Pipeline - Authorized w/ Constraints
• CruiseControl.NET - Authorized w/ Constraints (DIVEST)
• Gradle - Authorized w/ Constraints
• Hudson Continuous Integration (CI) - Authorized w/ Constraints (POA&M)
• Planview Tasktop Hub - Authorized w/ Constraints (DIVEST)
• RegexBuddy - Authorized w/ Constraints
• Sonatype Nexus Repository - Authorized w/ Constraints
• TeamCity - Authorized w/ Constraints (POA&M)
• The Source Code Control System (SCCS) - Authorized w/ Constraints
• Travis Continuous Integration (CI) Enterprise - Authorized w/ Constraints (POA&M)

Companion Technologies/Supported Standards:

• Hypertext Markup Language (HTML) - Authorized
• Hypertext Transfer Protocol (HTTP) - Authorized w/ Constraints
• Java Enterprise Edition (Java EE) - Authorized w/ Constraints
• Java SE - Authorized w/ Constraints
• JavaScript - Authorized
• Lightweight Directory Access Protocol (LDAP) - Authorized w/ Constraints
• Open Java Development Kit (OpenJDK) - Authorized w/ Constraints (POA&M)
• Secure Sockets Layer (SSL) - Authorized w/ Constraints (POA&M)
• Transmission Control Protocol (TCP) - Authorized
• Virtualization and Consolidation of Servers (Server Virtualize First) - Authorized w/ Constraints

Adoption Benefits

• This is a well-documented technology.
• This technology is available at no cost through open-source licensing and supports VA's open-source initiative.
• This technology may improve productivity for specific staff whose responsibilities include software development.

Adoption Risks

• Due to the rapid release schedule of this technology, the VA may be unable to update to the most recent patch and may require a deployment model requiring the use of specific versions.
• As open-source software, this product may be left without clearly defined support options which may result in suboptimal enterprise level support.
• There are known Common Vulnerabilities and Exposures (CVEs) associated with this technology. Please see https://nvd.NIST.gov/vuln/search for more details.
• This technology relies on Java Development Kit (JDK) - Oracle, which has a rapid release and update schedule.
• There are other authorized solutions that provide similar functionality available on the TRM. The use of several similar solutions may increase organization requirements for support and maintenance.
• This technology can be implemented with Kubernetes. At the time of writing, Kubernetes is limited to on premises VA Enterprise Cloud implementations on Amazon Web Services (AWS) Servers. Other uses of this technology requires a POA&M for use on the VA network.
• This technology can potentially use Secure Sockets Layer (SSL), a protocol which requires a POA&M for use on the VA network.
• This technology can potentially use Open Java Development Kit (OpenJDK), a protocol which requires a POA&M for use on the VA network.
• The potential exists to store Personally Identifiable Information (PII), Protected Health Information (PHI) and/or VA Sensitive data and proper security standards must be followed in these cases.
• There are Threat & Assessment Analysis Portal (TAAP) bulletins associated with this technology.
• IPR/SAR Adoption Risk - Container solutions require a VA standard configuration baseline for deployment.
• IPR/SAR Adoption Risk - Jenkins Continuous Integration Server is not Federal Information Processing Standards (FIPS) 140-2 (or its successor) certified. Per vendor’s site: “In the default configuration of Jenkins 1.x, Jenkins does not perform any security checks. This means the ability of Jenkins to launch processes and access local files are available to anyone who can access the Jenkins web UI. Securing Jenkins has two aspects to it: *Access control, which ensures users are authenticated when accessing Jenkins and their activities are authorized. *Protecting Jenkins against external threats.
• IPR/SAR Adoption Risk - This technology undergoes frequent version changes and software updatestypically every month; its lifespan may cease without warning; its end-of-life maintenance is not guaranteed; updates may be offered on an irregular basis and the updates may not properly address vulnerabilities. All these are inherent security risks as patches should be executed in an expedient manner.
• IPR/SAR Adoption Risk - Jenkins Continuous Integration Server can be deployed in the cloud.
• IPR/SAR Adoption Risk - Jenkins Continuous Integration Server is an open source product obtained at no cost and is freely available to users. It will require a third-party technical support for its implementation in an Enterprise environment. If commercial support is not available, the product will be without clearly defined support options which may result in no enterprise level support.

Architectural Benefits

• This technology is portable as it runs on multiple TRM-authorized operating systems.

Architectural Risks

• This technology includes cloud-based functionality which has potential information security risks.