EnvironmentVariableFilter 17.0.0 API

All Implemented Interfaces:
```
public class EnvironmentVariableFilter

                    
```
An object providing functionality to filter environments that are passed to newly created processes.
For many tasks, ORT spawns new processes using the ProcessCapture class. When creating a new process, the child process by default inherits all environment variables from the parent. This could impose a security risk, for instance if logic in build scripts could theoretically access sensitive information stored in environment variables, such as database or service credentials.
To reduce this risk, this object filters the environment variables passed to child processes based on the following criteria:
- Substrings for variable names can be defined to determine variables with sensitive information. The object provides some default strings to match variable names like "PASS", "USER", "TOKEN", etc.
- There is an allow list to include variables even if they contain one of these substrings.
So in order to determine whether a specific variable "E" can be passed to a child process, this filter applies the following steps:
- If E is contained in the allow list, it is included.
- Otherwise, E is included if and only if its name does not contain one of the exclusion substrings (ignoring case).
TODO: Find an alternative mechanism to initialize this object from the ORT configuration (maybe using dependency injection) which does not require this object to be public.

Nested Class Summary

Nested Classes
Modifier and Type	Class	Description

Field Summary

Fields
Modifier and Type	Field	Description
`private final Set<String>`	`DEFAULT_DENY_SUBSTRINGS`
`private final Set<String>`	`DEFAULT_ALLOW_NAMES`
`public final static EnvironmentVariableFilter`	`INSTANCE`

Constructor Summary

Constructors
Constructor	Description

Enum Constant Summary

Enum Constants
Enum Constant	Description

Method Summary

Modifier and Type	Method	Description
`final Unit`	`reset(Collection<String> denySubstrings, Collection<String> allowNames)`	Reset this filter to use the given denySubstrings and allowNames.
`final Boolean`	`isAllowed(String name)`	Test whether the variable with the given name can be passed to a child process according to the criteria described in the header comment.
`final Map<String, String>`	`filter(Map<String, String> environment)`	Remove all keys from environment that do not pass this filter.
`final Set<String>`	`getDEFAULT_DENY_SUBSTRINGS()`	A set with substrings contained in variable names that are denied by default.
`final Set<String>`	`getDEFAULT_ALLOW_NAMES()`	A set of known variable names that are allowed despite being matched by deny substrings.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
- Method Detail
  - reset
```
 final Unit reset(Collection<String> denySubstrings, Collection<String> allowNames)
```
    Reset this filter to use the given denySubstrings and allowNames.
  - isAllowed
```
 final Boolean isAllowed(String name)
```
    Test whether the variable with the given name can be passed to a child process according to the criteria described in the header comment.
  - filter
```
 final Map<String, String> filter(Map<String, String> environment)
```
    Remove all keys from environment that do not pass this filter.
  - getDEFAULT_DENY_SUBSTRINGS
```
 final Set<String> getDEFAULT_DENY_SUBSTRINGS()
```
    A set with substrings contained in variable names that are denied by default. All variables containing one of these strings (ignoring case) are not propagated to child processes.
  - getDEFAULT_ALLOW_NAMES
```
 final Set<String> getDEFAULT_ALLOW_NAMES()
```
    A set of known variable names that are allowed despite being matched by deny substrings.