Kevan Miller wrote:
> All,
> There was a recent report by Fortify on Open Source Security --
> http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
> The report says there were some number of potential vulnerabilities
> identified in Geronimo. No details of the vulnerabilities have been
> reported to us (although the tests seem to have been run some time
> ago...). Once we understand what the potential vulnerabilities are, we
> can start to assess...
> The report does identify concerns that we could be doing a better job of
> reporting security vulnerabilities and letting users know how they can
> report security vulnerabilities to our project. I agree with this.
> As noted here -- http://www.apache.org/foundation/contact.html -- any
> ASF security concerns can be safely relayed with an email to
> [EMAIL PROTECTED]
> It probably makes sense for us to create a [EMAIL PROTECTED]
> mailing list. Project-specific security mailing lists are automatically
> relayed to the [EMAIL PROTECTED] mailing list. A project-specific list
> will reduce spam and allow us to focus on Geronimo issues, rather than
> Apache-wide issues.

+1

> I also think that we should create a security page on our web site (e.g.
> geronimo.apache.org/security). This page could be used to describe how
> any potential vulnerabilities should be reported. It should also be used
> to report vulnerabilities as they are fixed. This allows users to easily
> identify what security exposures a particular version of Geronimo might
> have.

+1

> Thoughts on the mailing list and web site? Assuming we're in general
> agreement, I'd like to see us working on these in the near future.

I think they are both good ideas.

> Finally, I've learned that there are a few potential sources for running
> static code analysis scans against our codebase:
> https://opensource.fortify.com/teamserver/welcome.fhtml
> http://scan.coverity.com/
> I think we should take a look at these and decide if it's something we
> want to take advantage of. Thoughts?

It's probably worth taking a look. Looking at the Fortify site and the
"rungs" on the Coverity site got me thinking about the packages we
include. Some of them are listed but many are not. I wonder how
valuable running scans on Geronimo would be if the dependent packages
are not also participating. We might end up being the middleman for
reporting security issues in a number of other projects. I guess that's
still good as long as they are caught ... but it might be a good bit of
effort.
Joe