
Re: [ee4j-pmc] [External] : Re: vulnerability issues, how to find?
  • From: Ed Bratt <ed.bratt@xxxxxxxxxx>
  • Date: Thu, 3 Jun 2021 10:39:26 -0700
  • List-archive: <https://www.eclipse.org/mailman/private/ee4j-pmc/>

+ PMC List -- continuation of the discussion that was started in the PMC meeting this morning....

My 2¢ worth ...

I will observe that, at least for me, it was not obvious that these issues would be filed under the "Community" product -- I was looking under EE4J and not having good results (but there does appear to be a single open vulnerability under GlassFish ORB). I don't know how well socialized this meta-data / search requirement is, in the EE4J working group. I would also recommend additional socialization about using bugs.eclipse.org in general since I suspect most committers focus, perhaps almost exclusively, on the GitHub issue trackers.

Are there mechanisms in place for interested persons to get on auto-notifications for Bugzilla? While some of this may be obvious to seasoned Eclipse'ers, others might not know how to be notified whenever a new issue like those from the query given below is created (I don't know how to do that, for example). For example, would it make any sense to send a "new" notification to the PMC members whenever an issue is entered? If there is to be a triage step, should that include adding the project lead(s) as 'cc'?

Yes, I agree - at the least, the product/sub-project meta-data could be nice in the subject lines -- though the issues you've listed below already include 'mojarra' in their synopsis line.

If it is a function of the PMC to perform triage of these issues as they arrive, I'd suggest that should be formalized with some starting instructions for whomever it is that agrees to take this up.

-- Ed

On 6/3/2021 9:52 AM, Wayne Beaton wrote:
The list of open issues in Bugzilla (the Community/Vulnerabilities product/component) is here. Apparently the first obvious thing that we can do is annotate these with project information to make them easier to identify (e.g., prefix the subject with "[ee4j]" or something).

Here are some specific ones:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=563784

Note that we use Bugzilla for these for historical reasons and because Bugzilla allows us to mark records as "committers only" to prevent premature disclosure. Unfortunately, GitHub doesn't have a notion of marking issues as confidential, but we have no specific requirement to use Bugzilla.

One thing that might be good is for the PMC to make a best practice recommendation regarding how vulnerability issues are labeled and reinforce with committers that they should use the label. We've started a conversation on including a SECURITY file that details how the project deals with vulnerabilities as well.

Can we take this discussion to the PMC mailing list?

Wayne

On Thu, Jun 3, 2021 at 12:11 PM Ed Bratt <ed.bratt@xxxxxxxxxx> wrote:

Hi Wayne,

I'm trying to assess how far behind we are, with vulnerability issues in EE4J. I did a quick scan -- I can see a couple of reports from GitHub issues about vulnerabilities --

  • EL-RI (GHSL-2020-021) - Bypass input sanitization of EL expressions EL #155
  • JAX-WS, Metro, issue with custom name vulnerability (fixed) metro-jax-ws #221
  • Bump commons-io from 2.2 to 2.7, a dependabot automated update jersey #4784

In bugs.eclipse.org -- I'm not sure what to look for. I can only find one security bug in the EE4J category against ORB 559604.

I'm guessing that I'm missing something but ... what keywords or assignment meta-data should I be looking for?

Thanks,

-- Ed

--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation
