
Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30
  • From: Mark Thomas <markt@xxxxxxxxxx>
  • Date: Wed, 31 Oct 2018 18:16:33 +0000
  • Delivered-to: ee4j-pmc@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/ee4j-pmc>
  • List-help: <mailto:ee4j-pmc-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/ee4j-pmc>, <mailto:ee4j-pmc-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/ee4j-pmc>, <mailto:ee4j-pmc-request@eclipse.org?subject=unsubscribe>
  • Openpgp: preference=signencrypt
  • User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1

On 31/10/2018 17:48, Bill Shannon wrote:
> False positive in what sense?
> 
> The projects don't actually have the dependency?

Of a form. We often see reports for dependencies that are not present at
run time. For example, it is a build-time dependency used to generate
static web content.

> The dependency doesn't actually have the security vulnerability?

No.

> The security vulnerability doesn't actually impact the dependent project?

This one too. We ran a trial a few years ago with a static analysis tool
that, when it found a vulnerable dependency, dug deeper and looked to
see if the application actually used the vulnerable code path. In a
fairly small sample (~ 10 projects) we found that the vulnerable code
path was executed in only around 10% of cases. We didn't do the further
manual research to determine how many of those uses resulted in
vulnerabilities in the application but I'd be surprised if it was more
than 50%.

If you take all of these factors together you tend to get a false
positive rate well in excess of 95%.

> I know at Oracle our approval process assumes the vulnerability is relevant
> unless we can show otherwise.  It's often easier to update the dependency
> than to prove that it's not necessary.

Approaches vary across ASF projects. It tends to vary based on how
conservative they are about updating dependencies.

The ASF security team passes them to the relevant project but doesn't
then track what - if anything - the project decides to do with them.

I tend to view reports like this more as a general reminder to review
the dependencies for updates on a regular basis.

Mark


> 
> 
> Mark Thomas wrote on 10/31/2018 10:40 AM:
>> You have to be an org admin.
>>
>> Experience at the ASF is that they are mostly noise due to a high false positive
>> rate.
>>
>> Mark
>>
>>
>> On 31/10/2018 17:24, Bill Shannon wrote:
>>> I'm not sure who gets these.  You may have to be a Committer on the project or
>>> an admin for the organization.
>>>
>>> Steve Millidge (Payara) wrote on 10/31/2018 02:24 AM:
>>>> Security alerts on GitHub
>>>>
>>>> I don’t get these at a PMC level.
>>>>
>>>> *From:*ee4j-pmc-bounces@xxxxxxxxxxx <ee4j-pmc-bounces@xxxxxxxxxxx> *On Behalf
>>>> Of *Bill Shannon
>>>> *Sent:* 30 October 2018 23:55
>>>> *To:* EE4J PMC Discussions <ee4j-pmc@xxxxxxxxxxx>
>>>> *Subject:* [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23
>>>> - Oct 30
>>>>
>>>> Is anyone on the PMC tracking these security alerts?
>>>>
>>>> Shouldn't someone ensure that the EE4J projects are responding to these in a
>>>> timely manner?
>>>>
>>>>
>>>> (Obviously ignore the "javaee" entries below.)
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> *Subject:* Your GitHub security alerts for the week of Oct 23 - Oct 30
>>>> *Date:* Tue, 30 Oct 2018 17:36:28 +0000 (UTC)
>>>> *From:* GitHub <noreply@xxxxxxxxxx> <mailto:noreply@xxxxxxxxxx>
>>>> *To:* Bill Shannon <bill.shannon@xxxxxxxxxx> <mailto:bill.shannon@xxxxxxxxxx>
>>>>
>>>>
>>>> Explore this week on GitHub
>>>> GitHub security alerts
>>>>
>>>> GitHub <https://github.com> security alert digest
>>>> *bshannon’s* repository security updates from the week of *Oct 23 - Oct 30*
>>>> <https://github.com>
>>>>
>>>> Java EE organization <https://github.com>
>>>>
>>>> Warning!
>>>> javaee / *metro-jaxws-commons* <https://github.com/javaee/metro-jaxws-commons>
>>>> *Known security vulnerabilities detected*
>>>> Dependency: org.springframework:spring-core
>>>> Version: > 3.2.0 < 3.2.15
>>>> Upgrade to: ~> 3.2.15
>>>> Vulnerabilities:
>>>> CVE-2015-5211 High severity
>>>> CVE-2018-1270 High severity
>>>> CVE-2018-1275 High severity
>>>> CVE-2015-3192 Moderate severity
>>>> CVE-2016-5007 Moderate severity
>>>> View 3 more
>>>> <https://github.com/javaee/metro-jaxws-commons/network/alert/spring/spring-core/pom.xml/org.springframework:spring-core/open>
>>>> Defined in: pom.xml
>>>> *Review all vulnerable dependencies*
>>>> <https://github.com/javaee/metro-jaxws-commons/network/alerts>
>>>>
>>>> Warning!
>>>> javaee / *javadb* <https://github.com/javaee/javadb>
>>>> *Known security vulnerabilities detected*
>>>> Dependency: org.apache.axis:axis
>>>> Version: <= 1.4
>>>> Vulnerabilities:
>>>> CVE-2014-3596 Moderate severity
>>>> CVE-2018-8032 Moderate severity
>>>> Defined in: pom.xml
>>>> *Review all vulnerable dependencies*
>>>> <https://github.com/javaee/javadb/network/alerts>
>>>>
>>>> Warning!
>>>> javaee / *external* <https://github.com/javaee/external>
>>>> *Known security vulnerabilities detected*
>>>> Dependency: org.apache.axis:axis
>>>> Version: <= 1.4
>>>> Vulnerabilities:
>>>> CVE-2014-3596 Moderate severity
>>>> CVE-2018-8032 Moderate severity
>>>> Defined in: pom.xml
>>>> *Review all vulnerable dependencies*
>>>> <https://github.com/javaee/external/network/alerts>
>>>>
>>>> <https://github.com>
>>>>
>>>> Eclipse EE4J organization <https://github.com>
>>>>
>>>> Warning!
>>>> eclipse-ee4j / *tyrus* <https://github.com/eclipse-ee4j/tyrus>
>>>> *Known security vulnerabilities detected*
>>>> Dependency: org.eclipse.jetty:jetty-server
>>>> Version: < 9.2.25.v20180606
>>>> Upgrade to: ~> 9.2.25.v20180606
>>>> Vulnerabilities:
>>>> CVE-2017-7657 Critical severity
>>>> CVE-2017-7656 Moderate severity
>>>> Defined in: pom.xml
>>>> *Review all vulnerable dependencies*
>>>> <https://github.com/eclipse-ee4j/tyrus/network/alerts>
>>>>
>>>> Warning!
>>>> eclipse-ee4j / *grizzly-ahc* <https://github.com/eclipse-ee4j/grizzly-ahc>
>>>> *Known security vulnerabilities detected*
>>>> Dependency: org.eclipse.jetty:jetty-server
>>>> Version: >= 9.4.0 < 9.4.11.v20180605
>>>> Upgrade to: ~> 9.4.11.v20180605
>>>> Vulnerabilities:
>>>> CVE-2018-12538 Moderate severity
>>>> CVE-2018-12536 Moderate severity
>>>> CVE-2017-7656 Moderate severity
>>>> Defined in: pom.xml
>>>> *Review all vulnerable dependencies*
>>>> <https://github.com/eclipse-ee4j/grizzly-ahc/network/alerts>
>>>>
>>>> /Always verify the validity and compatibility of suggestions with your
>>>> codebase. /
>>>>
>>>> _______________________________________________
>>>> ee4j-pmc mailing list
>>>> ee4j-pmc@xxxxxxxxxxx
>>>> To change your delivery options, retrieve your password, or unsubscribe from
>>>> this list, visit
>>>> https://www.eclipse.org/mailman/listinfo/ee4j-pmc
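The first false-positive category in Mark's reply (the flagged artifact is only a build-time dependency, not on the run-time class path) and the sanity check that the declared version even falls inside the alert's affected range can both be automated before an alert reaches a human. What follows is an added example, not code from this thread or from any EE4J or ASF project: the pom.xml is constructed for the example, while the coordinates, version ranges and CVE ids are the ones listed in the quoted digest. The scope rules (compile, runtime and provided counted as run-time; test scope and plugin dependencies counted as build-time) and the version comparison are the example's own simplifications, not Maven's exact resolution rules.

```python
# Added example, not code from the thread or from any EE4J/ASF project:
# triage GitHub dependency alerts against a Maven pom.xml by run-time scope
# and by whether the declared version falls inside the affected range.
import operator
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: axis is compile scope, jetty-server is test scope and
# spring-core is only a dependency of a build plugin (the "build-time
# dependency used to generate static web content" case from the thread).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.apache.axis</groupId><artifactId>axis</artifactId>
      <version>1.4</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId>
      <version>9.4.12.v20180830</version><scope>test</scope></dependency>
  </dependencies>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId><artifactId>maven-site-plugin</artifactId>
    <dependencies><dependency><groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId><version>3.2.10.RELEASE</version>
    </dependency></dependencies>
  </plugin></plugins></build>
</project>"""

# (coordinate, affected-version expression, CVEs), as printed in the digest.
ALERTS = [
    ("org.springframework:spring-core", "> 3.2.0 < 3.2.15",
     ["CVE-2015-5211", "CVE-2018-1270", "CVE-2018-1275"]),
    ("org.apache.axis:axis", "<= 1.4", ["CVE-2014-3596", "CVE-2018-8032"]),
    ("org.eclipse.jetty:jetty-server", ">= 9.4.0 < 9.4.11.v20180605",
     ["CVE-2018-12538", "CVE-2018-12536", "CVE-2017-7656"]),
]

V_NOT_DECLARED = "not declared directly; check the transitive tree"
V_OUT_OF_RANGE = "declared version is outside the affected range"
V_BUILD_ONLY = "build- or test-time only; probable false positive"
V_RUNTIME = "run-time dependency in affected range; review the code path"

# Scopes whose jars are present when the application runs. 'provided' is kept
# conservatively: the container ships the jar, so its version decides exposure.
RUNTIME_SCOPES = {"compile", "runtime", "provided"}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def version_key(version):
    """Sortable key: numeric parts (including Jetty's vYYYYMMDD qualifier)
    compare as integers, any other qualifier as lower-case text."""
    key = []
    for token in re.split(r"[.\-]", version):
        m = re.fullmatch(r"v?(\d+)", token)
        key.append((0, int(m.group(1))) if m else (1, token.lower()))
    return key

def in_affected_range(version, expr):
    """True when every clause of e.g. '> 3.2.0 < 3.2.15' holds for version."""
    key = version_key(version)
    clauses = re.findall(r"(<=|>=|<|>)\s*(\S+)", expr)
    return all(OPS[op](key, version_key(bound)) for op, bound in clauses)

def _text(element, tag):
    child = element.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""

def _coord(dep):
    return f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"

def declared_dependencies(pom_xml):
    """Map 'group:artifact' -> {'version', 'runtime'} for direct project
    dependencies and for dependencies declared on build plugins."""
    root = ET.fromstring(pom_xml)
    found = {}
    for dep in root.findall("./m:dependencies/m:dependency", NS):
        scope = _text(dep, "scope") or "compile"
        found[_coord(dep)] = {"version": _text(dep, "version"),
                              "runtime": scope in RUNTIME_SCOPES}
    for dep in root.findall(".//m:plugin/m:dependencies/m:dependency", NS):
        found.setdefault(_coord(dep), {"version": _text(dep, "version"),
                                       "runtime": False})
    return found

def triage(pom_xml, alerts):
    """Attach a verdict to every alert; only V_RUNTIME needs a human."""
    deps = declared_dependencies(pom_xml)
    results = []
    for coordinate, affected, cves in alerts:
        dep = deps.get(coordinate)
        if dep is None:
            verdict = V_NOT_DECLARED
        elif not in_affected_range(dep["version"], affected):
            verdict = V_OUT_OF_RANGE
        elif not dep["runtime"]:
            verdict = V_BUILD_ONLY
        else:
            verdict = V_RUNTIME
        results.append({"dependency": coordinate, "cves": cves, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_POM, ALERTS):
        print(f"{r['dependency']}: {r['verdict']} ({', '.join(r['cves'])})")
```

Run against the constructed POM, spring-core comes out as a plugin-only (build-time) dependency, axis as a run-time dependency inside the affected range, and jetty-server as a declared version outside the range. Only the axis case is left for the deeper questions in Mark's reply (is the vulnerable code path executed, and does that use make the application vulnerable); this script does not attempt those, and it deliberately says nothing about transitive dependencies, which need the resolved dependency tree rather than the POM text.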


