Re: [cross-project-issues-dev] Are we distributing software with known security issues?

Hi,

Thanks for the pointer Roland. It seems there is also a Jenkins plugin. It would be nice if that could be made available.

https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

Cheers,

Wim


On Tue, Jan 3, 2017 at 6:03 PM, Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:
> "*Yes*, we are distributing software with known security issues", is the
> answer to the subject question.

So much for Betteridge's law :)


> To walk through one example, the article named org.apache.commons.fileupload
> version 1.2.1 as being often redistributed, even though it has a known security
> issue (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required to
> avoid it. Version 1.3.2 is the most recent Apache version.
>
>
> That 'fileupload' package sounded familiar so I began to look around and I
> found that in the Platform's repository they are re-distributing version
> 1.2.2 of that package but (luckily?) in the Sim Release repo we have version
> 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an
> optional prereq on "fileupload" and in Sim Release, it is RAP, apparently,
> that is "pulling in" version 1.3.1.
>
> = = = = = =
> I call out this flaw in our release practices, here on cross-project list,
> for several reasons:
>
> 1) I wanted to open a bug on the Platform and Equinox to update that prereq
> (bug 509388), but I see that "fileupload" version 1.3.1 is not available
> from Orbit. *Why not?* That alone appears to be a Simultaneous Release "no
> no".

I saw your post a while back and thought of
https://www.owasp.org/index.php/OWASP_Dependency_Check . It's available as a
Maven plugin, so it should be pretty easy to run such a thing in a separate HIPP.
Seems like Orbit could benefit from such a report, and maybe even as one of the
sanity checks done on the platform?

In fact, after running it on the Orbit bundles we ship, fileupload was one of
the high severity ones discovered. I see all of this (OWASP) has already been
suggested on 509389 so this seems like the right thing to do.


Cheers,
--
Roland Grunberg
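As an added illustration (not from this thread, and not configuration taken from Orbit, the Platform or any other Eclipse project), this is roughly what wiring the dependency-check Maven plugin Roland mentions into a pom.xml looks like, with the build failing on any finding at or above a chosen CVSS score. The version property and the suppression file path are assumptions to be filled in for a real build:

```xml
<!-- Added example, not from this thread: run OWASP Dependency-Check as part
     of the Maven build and fail on high-severity findings. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- assumption: set this property to the plugin release you use -->
      <version>${dependency-check.version}</version>
      <configuration>
        <!-- fail the build when any dependency carries a CVE with CVSS >= 7 -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- assumption: reviewed false positives are recorded in this file
             so they do not keep breaking the build -->
        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        <!-- write HTML for humans and XML/JSON for the CI job to parse -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <!-- the check goal binds to the verify phase by default -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` downloads the NVD data on first run, matches each resolved artifact against it, and stops the build when a finding crosses the threshold, so the kind of high-severity hit Roland describes for fileupload would surface before the bundle is published rather than after. For a multi-module build, the `aggregate` goal produces one report across all modules instead of one per module, which is closer to the Orbit-wide report suggested above.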
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev