Hi, I commented in another thread about oss-fuzz and new components, maybe that could be part of the issue here.
See that thread in the archives, or TL;DR: someone is adding more Commons components to oss-fuzz, directly as components instead of using the shared apache-commons project. This latter project in oss-fuzz has a custom policy for reporting issues that is aligned with the ASF process. No idea what the policy of these new oss-fuzz components is, who created them, nor if anyone in the ASF is being notified (I monitor the project-commons issues, especially those for imaging).

https://github.com/google/oss-fuzz/tree/master/projects/ (see apache-commons)

I **think** the only people being notified of issues are those in the project.yaml file, e.g. https://github.com/google/oss-fuzz/blob/master/projects/apache-commons-jxpath/project.yaml

It looks like whoever set up that project in oss-fuzz decided to send notifications only to @code-intelligence emails, which is not very practical.

-Bruno

On Tue, 11 Oct 2022 at 04:40, Mark Thomas <ma...@apache.org> wrote:

> Hmm.
>
> There are various red flags here that suggest to me that this issue is likely not valid.
>
> 1. The source is oss-fuzz. I have been dealing with oss-fuzz issues for Apache Tomcat and so far, out of the 30+ issues raised (the majority marked as security relevant), not one of the issues was a vulnerability.
>
> 2. The CNA is Google. Google is not authorised to issue CVEs for ASF projects except in strictly limited circumstances that do not apply here.
>
> 3. There is no record of CVE-2022-41852 on *ANY* ASF security list.
>
> The next steps are:
>
> - Identify the current JXPath maintainers (or some volunteers to clean up this mess)
>
> - Gain access to the details of the reports
>
> - Assess the reports
>
> - Invalidate / update the CVEs as required
>
> I don't see meaningful commits to the repo after 2015, so I suspect we'll be looking for volunteers.
>
> Mark
>
>
> On 10/10/2022 16:19, Mike Drob wrote:
>
> > Howdy folks,
> >
> > I recently saw that there was a reported CVE[1] for Apache JXPath that became public due to no response to the reporter over 90 days. I am uncertain if the reporter had tried reaching out to the appropriate security lists beforehand and was ignored, or failed to follow our established procedures. Regardless, the issue is now public.
> >
> > I have not personally verified the vulnerability, nor assessed the impact. NIST thinks it is a Big Deal, though, scoring it 9.8/10 [2].
> >
> > It is hard to assess impact since the project does not publish artifacts to Maven Central, but I'm also taking that as an indicator of low adoption at this point in time. Further, the project has not had a release since 2015. There has been very limited mailing list activity, and the last 5 years of commits have only been typo/comment fixes.
> >
> > If there is no community around it, is there a path to retirement? What are the next steps?
> >
> > Thanks,
> > Mike
> >
> > [1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
> > [2]: https://nvd.nist.gov/vuln/detail/CVE-2022-41852
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org