SAP Knowledge Base Article - Public

3491316 - Outdated Bootstrap.js library - Recruiting Marketing

Symptom

SAP Recruiting Career Site currently uses Bootstrap 3.4.1, which is the most recent release of the version 3 framework. Bootstrap has introduced two major framework revisions since version 3: versions 4 and 5.

The purpose of this document is to provide information and perspectives on the continued use of the Bootstrap version 3 responsive web framework in the SuccessFactors Recruiting Career Site Module, namely:

  • Is there a security issue?
  • Is there a need for operational homogenization?
  • Is there a functional gap in the current technology?

For more context, below is a high-level architecture diagram indicating where the Bootstrap library is in use within the Candidate Experience.


Environment

SAP SuccessFactors Recruiting Marketing

Resolution

The continued use of Bootstrap 3 should not be interpreted as a failure of SAP to maintain technology libraries, or a lack of investment in this product area. There are several critical technology upgrade projects currently underway in the Career Site product. The decision to prioritize a technology upgrade is driven by multiple considerations. Making the correct decisions is critical to ensuring sufficient engineering capacity is reserved to improve product functionality.

Considerations:

  • Backwards compatibility
    • Bootstrap makes significant framework revisions in their major release versions. Major release versions are not backwards compatible with previous major versions. Introducing a new major version requires reviewing and possibly reimplementing every UI component available on the Career Site.
    • Additionally, customers will need to review any custom components which they have developed. These custom components will require adjustments or reimplementation.
      
  • Functionality: Bootstrap 3 is currently meeting our product need to provide a responsive web experience.
  • Security: SAP Security experts have reviewed the open-source library and the current Career Site implementation of this library and found no security gaps. All open-source libraries are subject to full security reviews with every major release. If a security gap with Bootstrap 3 surfaces in the future, it will be detected. Here are some examples of external security evaluations:   

Note: The approach, effort, and timelines for a major Bootstrap version upgrade are currently being evaluated by SAP Engineering.

Keywords

vulnerability, security, library, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, LOD-SF-RMK-PSI, Security, Problem

Product

SAP SuccessFactors Recruiting all versions