Symptom
SAP Recruiting Career Site currently uses Bootstrap 3.4.1, the most recent release of the framework's version 3 line. Bootstrap has introduced two major framework revisions since version 3: versions 4 and 5.
The purpose of this document is to provide information and perspectives on the continued use of the Bootstrap version 3 responsive web framework in the SuccessFactors Recruiting Career Site module, namely:
- Is there a security issue?
- Is there a need for operational homogenization?
- Is there a functional gap in the current technology?
For more context, below is a high-level architecture diagram indicating where the Bootstrap library is in use within the Candidate Experience.
Environment
SAP SuccessFactors Recruiting Marketing
Resolution
The continued use of Bootstrap 3 should not be interpreted as a failure of SAP to maintain technology libraries, or a lack of investment in this product area. There are several critical technology upgrade projects currently underway in the Career Site product. The decision to prioritize a technology upgrade is driven by multiple considerations. Making the correct decisions is critical to ensuring sufficient engineering capacity is reserved to improve product functionality.
Considerations:
- Backwards compatibility:
- Bootstrap makes significant framework revisions in its major releases, and major releases are not backwards compatible with previous major versions. Introducing a new major version requires reviewing, and possibly reimplementing, every UI component available on the Career Site.
- Additionally, customers will need to review any custom components they have developed, since these custom components will require adjustments or reimplementation.
- Functionality: Bootstrap 3 is currently meeting our product need to provide a responsive web experience.
- Security: SAP Security experts have reviewed the open-source library and the current Career Site implementation of this library and found no security gaps. All open-source libraries are subject to full security reviews with every major release. If a security gap with Bootstrap 3 surfaces in the future, it will be detected. Here are some examples of external security evaluations:
Note that the approach, effort, and timelines for a major Bootstrap version upgrade are currently being evaluated by SAP Engineering.
Keywords
vulnerability, security, library, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, LOD-SF-RMK-PSI, Security, Problem