[orbit-dev] Add versions without CVEs?

Hi orbit-dev!


My team maintains an Eclipse product and we had been using orbit for most of our dependencies, but recently we underwent a security audit and found that some of the dependency versions available in orbit are affected by CVEs. For our organization, we were required to replace these dependencies. Due to our release timing we were forced to supplement orbit with local P2 repositories containing some dependencies, which means this is not a blocker for us.


I’d like to know if we could add CVE-fix versions of dependencies to orbit.


Here is a partial list of what I’d like to add:

Guava 24.1.1 (fixes https://nvd.nist.gov/vuln/detail/CVE-2018-10237)

Commons-compress 1.1.8 (fixes https://www.cvedetails.com/cve/CVE-2018-11771/)

Jackson 2.9.8 (fixes https://nvd.nist.gov/vuln/detail/CVE-2018-19360, https://nvd.nist.gov/vuln/detail/CVE-2018-19361, https://nvd.nist.gov/vuln/detail/CVE-2018-19362)
    com.fasterxml.jackson.core.jackson-annotations 2.9.8
    com.fasterxml.jackson.core.jackson-core 2.9.8
    com.fasterxml.jackson.core.jackson-databind 2.9.8
    com.fasterxml.jackson.datatype.jackson-datatype-guava 2.9.8
    com.fasterxml.jackson.jaxrs.jackson-jaxrs-base 2.9.8
    com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider 2.9.8

Dom4j 2.1.1 (fixes https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 - this CVE is disputed, but it would be great to make the putative fix version available)


I’d be willing to do the work to make these available in orbit. I have not contributed to orbit or other Eclipse projects before, but I have my ECA.

If you are receptive to this, I can explore what I would need to do to contribute code – any guidance would be welcome.


Thanks!

Tony Homer
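An added example, not part of the post above and not Orbit project code: a small audit script that checks an inventory of OSGi bundles against the minimum fix versions named in the post, using OSGi version ordering (major.minor.micro compared numerically, then the qualifier as a string, so that 2.9.8.v20181228 counts as at least 2.9.8). The Jackson bundle symbolic names come from the post; the Guava bundle ID `com.google.guava` and the sample inventory lines are assumptions constructed for the example.

```python
"""Flag bundles in an inventory that are older than the CVE-fix versions named in the thread.

Added example, not code from the Orbit project. Jackson bundle IDs are the ones
listed in the post; the Guava bundle ID is an assumption; the inventory is constructed.
"""
import re
from typing import Dict, List, Tuple

JACKSON_CVES = ["CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362"]

# Minimum fixed version and the CVEs it addresses, as stated in the post.
# All Jackson bundles listed in the post are mapped to 2.9.8.
FIXED_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "com.google.guava": ("24.1.1", ["CVE-2018-10237"]),  # bundle ID assumed
    "com.fasterxml.jackson.core.jackson-annotations": ("2.9.8", JACKSON_CVES),
    "com.fasterxml.jackson.core.jackson-core": ("2.9.8", JACKSON_CVES),
    "com.fasterxml.jackson.core.jackson-databind": ("2.9.8", JACKSON_CVES),
    "com.fasterxml.jackson.datatype.jackson-datatype-guava": ("2.9.8", JACKSON_CVES),
    "com.fasterxml.jackson.jaxrs.jackson-jaxrs-base": ("2.9.8", JACKSON_CVES),
    "com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider": ("2.9.8", JACKSON_CVES),
}

# OSGi version syntax: major[.minor[.micro[.qualifier]]]
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.([A-Za-z0-9_-]+))?$")


def parse_osgi_version(text: str) -> Tuple[int, int, int, str]:
    """Parse an OSGi version into a tuple that sorts the way OSGi orders versions."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an OSGi version: {text!r}")
    major, minor, micro, qualifier = match.groups()
    return (int(major), int(minor or 0), int(micro or 0), qualifier or "")


def is_fixed(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the fix version."""
    return parse_osgi_version(installed) >= parse_osgi_version(minimum)


def audit_inventory(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (bundle, installed, minimum, cves) for each bundle below its fix version.

    Each inventory line is '<bundle-symbolic-name> <version>'; blank and '#' lines are skipped.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bundle, version = line.split()
        if bundle in FIXED_VERSIONS:
            minimum, cves = FIXED_VERSIONS[bundle]
            if not is_fixed(version, minimum):
                findings.append((bundle, version, minimum, cves))
    return findings


# Constructed sample inventory: two bundles below the fix version, one at it, one not tracked.
SAMPLE_INVENTORY = [
    "# constructed sample: bundle symbolic name followed by version",
    "com.google.guava 21.0.0.v20170206-1425",
    "com.fasterxml.jackson.core.jackson-core 2.9.8.v20181228-0000",
    "com.fasterxml.jackson.core.jackson-databind 2.9.2",
    "org.apache.commons.lang3 3.1.0",
]

if __name__ == "__main__":
    for bundle, have, need, cves in audit_inventory(SAMPLE_INVENTORY):
        print(f"{bundle} {have} is below {need}: {', '.join(cves)}")
```

The check deliberately treats a qualifier as greater than no qualifier, which is what OSGi does, so an Orbit bundle such as 2.9.8.v20181228-0000 satisfies a 2.9.8 minimum while 2.9.2 does not.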
