On Jul 23, 2008, at 3:15 PM, Joe Bohn wrote:
> Kevan Miller wrote:
>> All,
>> There was a recent report by Fortify on Open Source Security --
>> http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
>> The report says there were some number of potential vulnerabilities
>> identified in Geronimo. No details of the vulnerabilities have been
>> reported to us (although the tests seem to have been run some time
>> ago...). Once we understand what the potential vulnerabilities are,
>> we can start to assess...
>> The report does identify concerns that we could be doing a better
>> job of reporting security vulnerabilities and letting users know
>> how they can report security vulnerabilities to our project. I
>> agree with this.
>> As noted here -- http://www.apache.org/foundation/contact.html --
>> any ASF security concerns can be safely relayed with an email to
>> [EMAIL PROTECTED].
>> It probably makes sense for us to create a [EMAIL PROTECTED]
>> mailing list. Project-specific security mailing lists are
>> automatically relayed to the [EMAIL PROTECTED] mailing list. A
>> project-specific list will reduce spam and allow us to focus on
>> Geronimo issues, rather than Apache-wide issues.
>
> +1
>
>> I also think that we should create a security page on our web site
>> (e.g. geronimo.apache.org/security). This page could be used to
>> describe how any potential vulnerabilities should be reported. It
>> should also be used to report vulnerabilities as they are fixed.
>> This allows users to easily identify what security exposures a
>> particular version of Geronimo might have.
>
> +1
>
>> Thoughts on the mailing list and web site? Assuming we're in
>> general agreement, I'd like to see us working on these in the near
>> future.
>
> I think they are both good ideas.

I'm going to be working on making the above items happen: creating a
security mailing list and a security page on our web site.

>> Finally, I've learned that there are a few potential sources for
>> running static code analysis scans against our codebase:
>> https://opensource.fortify.com/teamserver/welcome.fhtml
>> http://scan.coverity.com/
>> I think we should take a look at these and decide if it's something
>> we want to take advantage of. Thoughts?
>
> It's probably worth taking a look. Looking at the fortify site and
> the "rungs" on the coverity site got me thinking about the packages
> we include. Some of them are listed but many are not. I wonder how
> valuable running scans on Geronimo would be if the dependent
> packages are not also participating. We might end up being the
> middleman for reporting security issues in a number of other
> projects. I guess that's still good as long as they are caught ...
> but it might be a good bit of effort.

I'll investigate these as a lower priority task. Still haven't heard
any specifics on any vulnerabilities.
--kevan