Hi Joe,
The GitHub security alerts seem to only be available for JavaScript and
Ruby.
Is there a scanner which would work with a Maven/JVM project that you
can recommend?
Cheers,
Jim
On 06/07/2018 02:18 PM, Joe Murphy wrote:
Not to try and start a huge discussion; but since the cat is out of
the bag so to speak, I also knew of this quite some time (1 year+) ago.
I don't have the resources to add bugs to the JIRA, but I was able to
find/fix locally very easily (what you do with open source). I guess I
was wondering if you guys are scanning with any of the free tools,
including the one right on Github that would have spotted this and
others.
https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/
I used a tool called Twistlock which is a container scanner; but it
draws from the same NVD database as the free and Github scanners.
All the best,
Joe
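Jim asks above for a scanner that works with a Maven/JVM project, and Joe points out that the free and GitHub scanners all draw on the same NVD database. The script below is an added example, not code from this thread or from GeoServer's tooling; it shows the core of what such a scanner does: read the dependency coordinates out of a pom.xml, resolve `${property}` versions, and compare each version against an advisory list. The sample POM, the advisory entry, its id and its `fixed_in` version are constructed placeholders (the thread does not state which commons-fileupload release fixes the issue), so they stand in for the NVD-derived data a real tool would load.

```python
import xml.etree.ElementTree as ET

# Maven POM XML namespace; ElementTree needs it prefixed on every tag lookup.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM (not GeoServer's): the commons-fileupload 1.2.1
# coordinate from the thread, declared via a property, plus one dependency
# that no advisory below matches.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <fileupload.version>1.2.1</fileupload.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed. A real scanner derives this from NVD/CPE data;
# the id and the fixed_in version are placeholders, not real advisory data.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "groupId": "commons-fileupload",
     "artifactId": "commons-fileupload", "fixed_in": "2.0"},  # placeholder
]


def parse_version(version):
    """'1.2.1' or '1.3.3-SNAPSHOT' -> tuple of ints; qualifiers are dropped."""
    parts = []
    for token in version.split("."):
        digits = ""
        for ch in token:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when a sorts before b numerically (so 1.10 is newer than 1.9)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def resolve_property(value, props):
    """Expand ${name} against <properties>; bounded so a self-reference cannot spin."""
    for _ in range(10):
        start = value.find("${")
        end = value.find("}", start) if start >= 0 else -1
        if start < 0 or end < 0:
            return value
        key = value[start + 2:end]
        if key not in props:
            return value  # left unresolved; scan() reports it
        value = value[:start] + props[key] + value[end + 1:]
    return value


def load_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(POM_NS + "properties")
    if props_el is not None:
        for prop in props_el:
            props[prop.tag.replace(POM_NS, "")] = (prop.text or "").strip()
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", "").strip()
        artifact = dep.findtext(POM_NS + "artifactId", "").strip()
        version = dep.findtext(POM_NS + "version", "").strip()
        deps.append((group, artifact, resolve_property(version, props)))
    return deps


def scan(pom_xml, advisories=ADVISORIES):
    """Match declared dependencies against the advisory list. A dependency with
    no version (managed elsewhere) or an unresolved ${property} is reported
    rather than silently skipped, so the scanner never fails quiet."""
    findings = []
    for group, artifact, version in load_dependencies(pom_xml):
        for adv in advisories:
            if (group, artifact) != (adv["groupId"], adv["artifactId"]):
                continue
            finding = {"coordinate": f"{group}:{artifact}",
                       "version": version or "(managed elsewhere)",
                       "advisory": adv["id"]}
            if not version or "${" in version:
                finding["status"] = "unresolved-version"
                findings.append(finding)
            elif version_lt(version, adv["fixed_in"]):
                finding["status"] = "vulnerable"
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_POM):
        print(f"{f['status']}: {f['coordinate']} {f['version']} ({f['advisory']})")
```

The script only sees dependencies declared directly in the one POM, so anything pulled in transitively or versioned through a parent's dependencyManagement is out of scope; closing that gap (resolving the effective POM and the full dependency tree) is exactly what a full scanner adds on top of the version comparison shown here.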
On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
Hi Chris,
yes, master. Much appreciated!
Cheers
Andrea
On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
I can try to do that this weekend. I assume master?
Chris Snider
Senior Software Engineer
*From:* andrea.a...@gmail.com *On Behalf Of* Andrea Aime
*Sent:* Thursday, June 07, 2018 8:25 AM
*To:* Chris Snider <chris.sni...@polarisalpha.com>
*Cc:* Dave Wichers <dave.wich...@ey.com>; geoserver-users@lists.sourceforge.net
*Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
Hi Chris,
that's a sensible suggestion. The web site is on github, any
chance you could do a pull request? I'm swamped...
https://github.com/geoserver/geoserver.github.io
Cheers
Andrea
On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
Andrea,
It took me a second to find the security block. I
completely overlooked the blue field.
Maybe add a new header under the “User List”
<h3>User List</h3>
This list is for end users blah blah blah
<h3>Reporting Security Vulnerabilities</h3>
If you encounter a security vulnerability blah blah blah
<h3>Posting Guidelines</h3>
Please read through etc. etc. etc.
Thought I’d say blah again didn’t you
<h3>Developer Lists</h3>
The rest of the page, and so on
This might draw attention?
Chris Snider
Senior Software Engineer
*From:* Andrea Aime [mailto:andrea.a...@geo-solutions.it]
*Sent:* Thursday, June 07, 2018 12:23 AM
*To:* Dave Wichers <dave.wich...@ey.com>
*Cc:* geoserver-users@lists.sourceforge.net
*Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
The comm page, where I believe you found info on
registering for the user list,
has a clear warning not to post security vulnerabilities:
http://geoserver.org/comm/
"If you encounter a security vulnerability in GeoServer
please take care to report the issue in a responsible
fashion. Do not use the mailing list, go instead to the
Jira bug tracker and follow the "Responsible
disclosure" instructions there."
How do we make it more plain and evident so that grave
mistakes do not occur anymore in the future?
Maybe we should switch the background color of that box to
red...
Regards
Andrea
<removed>
--
Regards, Andrea Aime
== GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
With reference to the legislation on the processing of personal data (EU Reg. 2016/679, General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved for the recipient(s) indicated by the sender. If this message has reached you in error, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before
posting to this list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users