Hi all,

Apologies for not reading more carefully.  Looks like https://github.com/OSSIndex/ossindex-maven-plugin and the DependencyCheck plugin are the winners for the Maven ecosystem.

Andrea, other PSCers, I got interested in the plugins, and have fiddled with them some this afternoon.  I'm going to volunteer some time later this month to work on JTS.  I could be up for working on some of this with Jody.

Cheers,

Jim
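Wiring one of those scanners into the build so it gates on known-vulnerable dependencies, added here as an example of the setup discussed in this message and in Andrea's reply below (a scan that fails the build, plus a Jenkins job that reports to the PSC). This is not configuration from the GeoServer project or from anyone on the thread; the plugin version, the CVSS threshold, the suppression-file path and the report format are assumptions:

```xml
<!-- Added example, not configuration taken from the GeoServer project: wiring
     OWASP dependency-check into a Maven build so it fails on known-vulnerable
     dependencies. Plugin version, CVSS threshold, suppression-file path and
     report format are assumptions; adjust them for the project. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- assumed version; pin whatever release is current when you add it -->
      <version>3.2.1</version>
      <configuration>
        <!-- Any dependency matched to an NVD entry with a CVSS base score at or
             above this value fails the build (0 would fail on every finding). -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Reviewed false positives are recorded here and committed with the
             code, so the threshold never has to be lowered to get a green build. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- HTML report for people to read; XML or JSON can be generated
             instead for a CI plugin to consume. -->
        <format>HTML</format>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With that in the pom, `mvn verify` runs the `check` goal (bound to the verify phase by default) over each module's resolved dependency tree and matches artifacts against the same NVD data Joe mentions, so a dependency like commons-fileupload 1.2.1 surfaces as a build failure instead of a report on the user list. For a multi-module tree like GeoServer the plugin's `aggregate` goal produces a single report for the whole build. Entries in the suppression file name the artifact and the CVE or CPE being dismissed, so each silenced finding is a reviewable decision in version control. A Jenkins job that runs this on a schedule and mails the report only to the PSC is the one-time setup Andrea describes in the quoted thread; the OSS Index plugin linked above can sit in the same `<plugins>` block using the coordinates and goal from that repository's README. As Andrea notes, the scan itself is the easy part; upgrading what it finds is the work.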

On 06/07/2018 04:27 PM, Joe Murphy wrote:
Sounds like you guys have a solution. But here are some links, one that looks like it could plug in to your Atlassian suite, and one that looks like it may answer the Maven question that Jim asked.

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

https://github.com/jeremylong/DependencyCheck

Hope I helped more than got in the way.

Joe

On Thu, Jun 7, 2018 at 7:57 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:

    Hi Jim,
    Dave already suggested an approach... that should not be too hard, maybe setting up a Jenkins build that reports only to the PSC. That's not the problem, it's a one-time thing.

    It's upgrading the libraries that will be trouble: we depend on various old ones. We tried to organize a code sprint with many devs, but failed to get it going (when Jody proposed to do 2 or 3 sprints on different topics everybody looked elsewhere; it was just not serious, finding time for one co-located sprint a year is already hard enough).

    My hope is that commons-fileupload will be a seamless upgrade, but in general we'll need a concerted effort, various devs for one week, to get widespread upgrades going (e.g., many of the libs we're using have done API or format breaking changes, so it will not be a simple "change the dep and rebuild" gig).

    Cheers
    Andrea


    On Thu, Jun 7, 2018 at 8:43 PM, Jim Hughes <jhug...@ccri.com> wrote:

        Hi Joe,

        The GitHub security alerts seem to only be available for
        JavaScript and Ruby.

        Is there a scanner which would work with a Maven/JVM project
        that you can recommend?

        Cheers,

        Jim


        On 06/07/2018 02:18 PM, Joe Murphy wrote:
        Not to try and start a huge discussion; but since the cat is out of the bag, so to speak, I also knew of this quite some time (1 year+) ago. I don't have the resources to add bugs to the JIRA, but I was able to find/fix locally very easily (what you do with open source). I guess I was wondering if you guys are scanning with any of the free tools, including the one right on GitHub that would have spotted this and others.

        
        https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/

        I used a tool called Twistlock which is a container scanner;
        but it draws from the same NVD database as the free and
        Github scanners.

        All the best,
        Joe

        On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:

            Hi Chris,
            yes, master. Much appreciated!

            Cheers
            Andrea

            On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:

                I can try to do that this weekend.  I assume master?

                Chris Snider

                Senior Software Engineer


                *From:* andrea.a...@gmail.com *On Behalf Of* Andrea Aime
                *Sent:* Thursday, June 07, 2018 8:25 AM
                *To:* Chris Snider <chris.sni...@polarisalpha.com>
                *Cc:* Dave Wichers <dave.wich...@ey.com>; geoserver-users@lists.sourceforge.net
                *Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver

                Hi Chris,

                that's a sensible suggestion. The web site is on GitHub, any chance you could do a pull request? I'm swamped...

                https://github.com/geoserver/geoserver.github.io

                Cheers

                Andrea

                On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:

                    Andrea,

                    It took me a second to find the security block. I completely overlooked the blue field.

                    Maybe add a new header under the “User List”

                    <h3>User List</h3>

                    This list is for end users blah blah blah

                    <h3>Reporting Security Vulnerabilities</h3>

                    If you encounter a security vulnerability blah
                    blah blah

                    <h3>Posting Guidelines</h3>

                    Please read through etc. etc. etc.

                    Thought I'd say blah again, didn't you?

                    <h3>Developer Lists</h3>

                    The rest of the page, and so on

                    This might draw attention?

                    Chris Snider

                    Senior Software Engineer


                    *From:* Andrea Aime <andrea.a...@geo-solutions.it>
                    *Sent:* Thursday, June 07, 2018 12:23 AM
                    *To:* Dave Wichers <dave.wich...@ey.com>
                    *Cc:* geoserver-users@lists.sourceforge.net
                    *Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver

                    The comm page, where I believe you found info on registering for the user list, has a clear warning not to post security vulnerabilities:

                    http://geoserver.org/comm/

                    "If you encounter a security vulnerability in GeoServer please take care to report the issue in a responsible fashion. Do not use the mailing list; go instead to the Jira bug tracker and follow the "Responsible disclosure" instructions there."

                    How do we make it more plain and evident so that
                    grave mistakes do not occur anymore in the future?

                    Maybe we should switch the background color of
                    that box to red...

                    Regards

                    Andrea

                    <removed>



--
                Regards, Andrea Aime
                == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
                Ing. Andrea Aime @geowolf
                Technical Lead
                GeoSolutions S.A.S.
                Via di Montramito 3/A
                55054 Massarosa (LU)
                phone: +39 0584 962313
                fax: +39 0584 1660272
                mob: +39 339 8844549
                http://www.geo-solutions.it
                http://twitter.com/geosolutions_it
                -------------------------------------------------------
                This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that, as provided by European Regulation 2016/679 "GDPR", copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.






            
------------------------------------------------------------------------------
            Check out the vibrant tech community on one of the
            world's most
            engaging tech sites, Slashdot.org! http://sdm.link/slashdot
            _______________________________________________
            Geoserver-users mailing list

            Please make sure you read the following two resources
            before posting to this list:
            - Earning your support instead of buying it, but Ian
            Turton: http://www.ianturton.com/talks/foss4g.html#/
            <http://www.ianturton.com/talks/foss4g.html#/>
            - The GeoServer user list posting guidelines:
            http://geoserver.org/comm/userlist-guidelines.html
            <http://geoserver.org/comm/userlist-guidelines.html>

            If you want to request a feature or an improvement, also
            see this:
            
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
            
<https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer>


            Geoserver-users@lists.sourceforge.net
            <mailto:Geoserver-users@lists.sourceforge.net>
            https://lists.sourceforge.net/lists/listinfo/geoserver-users
            <https://lists.sourceforge.net/lists/listinfo/geoserver-users>




        



        






    


