Bug 409439

Summary: Security Vulnerabilities in BIRT 4.2.2
Product: z_Archived
Reporter: Bill Thrall <bill.thrall>
Component: BIRT
Assignee: Birt-ReportEngine-inbox <Birt-ReportEngine-inbox>
Status: NEW ---
QA Contact:
Severity: major
Priority: P3
CC: wayne.beaton
Version: 4.2.2
Keywords: security
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Attachments: List of issues found in BIRT jar files (Flags: none)

Description Bill Thrall CLA 2013-05-29 20:18:05 EDT
We have integrated the BIRT viewer and report engine into an internal GE Capital application to generate a context-sensitive report from application data. When we had the GE Security COE run a mandatory bi-annual security scan on the application code, they flagged a total of 103 instances across 11 types of vulnerabilities and code issues within the BIRT library included in our code base.
Attached is the summary of the BIRT-related findings from that security review.  I need to know ASAP which of these items you are both willing and able to resolve, and the timeline for that remediation effort, plus explanations as to why you cannot resolve any that you don't plan to remediate as we are required to get all identified vulnerabilities remediated if possible.
Note that some of these vulnerabilities may actually be false positives, and that is a valid explanation if that is truly the case; you are certainly not obligated to cripple the tool to 'resolve' valid and necessary sections of code.
Comment 1 Bill Thrall CLA 2013-05-29 20:19:21 EDT
Created attachment 231730 [details]
List of issues found in BIRT jar files