Hi Jim,
Dave already suggested an approach... that should not be too hard, maybe setting up a Jenkins build that reports only to the PSC... that's not the problem, it's a one time thing.

It's upgrading the libraries that will be trouble, we depend on various old ones, we tried to organize a code sprint with many devs, but failed to get it going (when Jody proposed to do 2 or 3 sprints on different topics everybody looked elsewhere, it was just not serious, finding time for one co-located sprint a year is already hard enough).

My hope is that commons-fileupload will be a seamless upgrade, but in general, we'll need a concerted effort, various devs for one week, to get widespread upgrades going (e.g., many of the libs we're using have done API or format breaking changes, it will not be a simple "change the dep and rebuild" gig).

Cheers
Andrea
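
Jim asks below for a vulnerability scanner that works with a Maven/JVM project, and the reply above proposes a build job that reports only to the PSC. As an added example (not code from this thread or from the GeoServer project), the Python script below shows the core of such a check: it parses `mvn dependency:list` output and flags artifacts whose version sorts below a known fixed version. The advisory table and the dependency lines are constructed, and the 1.3.3 threshold for commons-fileupload is an assumed placeholder, not a statement taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory table, NOT an authoritative NVD feed: "groupId:artifactId" -> first
# version no longer affected. The 1.3.3 threshold for commons-fileupload is an assumed
# placeholder for illustration; real thresholds come from your vulnerability database.
ADVISORIES: Dict[str, str] = {"commons-fileupload:commons-fileupload": "1.3.3"}

# Constructed sample of `mvn dependency:list` output; each resolved artifact is printed as
# groupId:artifactId:type:version:scope (the six-field form with a classifier is not handled).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    commons-fileupload:commons-fileupload:jar:1.2.1:compile
[INFO]    commons-io:commons-io:jar:2.1:compile
[INFO]    org.example:fileupload-shim:jar:1.3.3:test
"""

DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)")

def version_key(version: str) -> Tuple:
    # Sort key approximating Maven ordering for dot/dash separated versions.
    toks = re.split(r"[.\-]", version)
    while len(toks) > 1 and toks[-1] == "0":   # Maven treats 1.3.0 as equal to 1.3
        toks.pop()
    # Tags rank token kinds: numeric (2) > end-of-version marker (1) > qualifier (0),
    # so 1.3.3 > 1.3 and 1.3 > 1.3-SNAPSHOT (a qualifier marks a pre-release).
    key = [(2, int(t)) if t.isdigit() else (0, t.lower()) for t in toks]
    return tuple(key + [(1,)])

def is_vulnerable(version: str, fixed_in: str) -> bool:
    # True when `version` sorts strictly below the first fixed version.
    return version_key(version) < version_key(fixed_in)

def scan(dependency_list: str) -> List[Dict[str, str]]:
    # One finding per resolved artifact whose version is below the advisory threshold.
    findings = []
    for line in dependency_list.splitlines():
        match = DEP_RE.match(line)
        if not match:
            continue  # header lines and anything that is not a coordinate line
        group, artifact, version, scope = match.groups()
        coordinates = f"{group}:{artifact}"
        fixed_in = ADVISORIES.get(coordinates)
        if fixed_in and is_vulnerable(version, fixed_in):
            findings.append({"coordinates": coordinates, "version": version,
                             "scope": scope, "fixed_in": fixed_in})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_DEPENDENCY_LIST):
        print(f"{f['coordinates']}:{f['version']} ({f['scope']}) -> upgrade to {f['fixed_in']}")
```

In a CI job the same function would run over the real `mvn dependency:list` output, with a non-empty result failing the build or being mailed only to the security contact.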


On Thu, Jun 7, 2018 at 8:43 PM, Jim Hughes <jhug...@ccri.com> wrote:

> Hi Joe,
>
> The GitHub security alerts seem to only be available for JavaScript and
> Ruby.
>
> Is there a scanner which would work with a Maven/JVM project that you can
> recommend?
>
> Cheers,
>
> Jim
>
>
> On 06/07/2018 02:18 PM, Joe Murphy wrote:
>
> Not to try and start a huge discussion; but since the cat is out of the
> bag so to speak, I also knew of this quite some time (1 year+) ago. I don't
> have the resources to add bugs to the JIRA, but I was able to find/fix
> locally very easily (what you do with open source). I guess I was wondering
> if you guys are scanning with any of the free tools, including the one
> right on Github that would have spotted this and others.
>
> https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/
>
> I used a tool called Twistlock which is a container scanner; but it draws
> from the same NVD database as the free and Github scanners.
>
> All the best,
> Joe
>
> On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it>
> wrote:
>
>> Hi Chris,
>> yes, master. Much appreciated!
>>
>> Cheers
>> Andrea
>>
>> On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <
>> chris.sni...@polarisalpha.com> wrote:
>>
>>> I can try to do that this weekend.  I assume master?
>>>
>>> Chris Snider
>>> Senior Software Engineer
>>>
>>> *From:* andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] *On Behalf
>>> Of *Andrea Aime
>>> *Sent:* Thursday, June 07, 2018 8:25 AM
>>> *To:* Chris Snider <chris.sni...@polarisalpha.com>
>>> *Cc:* Dave Wichers <dave.wich...@ey.com>; geoserver-users@lists.sourceforge.net
>>>
>>> *Subject:* Re: [Geoserver-users] Known vulnerability in
>>> commons-fileupload v1.2.1, used by geoserver
>>>
>>> Hi Chris,
>>>
>>> that's a sensible suggestion. The web site is on GitHub, any chance you
>>> could do a pull request? I'm swamped...
>>>
>>> https://github.com/geoserver/geoserver.github.io
>>>
>>> Cheers
>>> Andrea
>>>
>>> On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <
>>> chris.sni...@polarisalpha.com> wrote:
>>>
>>> Andrea,
>>>
>>> It took me a second to find the security block.  I completely overlooked
>>> the blue field.
>>>
>>> Maybe add a new header under the “User List”
>>>
>>> <h3>User List</h3>
>>> This list is for end users blah blah blah
>>>
>>> <h3>Reporting Security Vulnerabilities</h3>
>>> If you encounter a security vulnerability blah blah blah
>>>
>>> <h3>Posting Guidelines</h3>
>>> Please read through etc. etc. etc.
>>> Thought I’d say blah again didn’t you
>>>
>>> <h3>Developer Lists</h3>
>>> The rest of the page, and so on
>>>
>>> This might draw attention?
>>>
>>> Chris Snider
>>> Senior Software Engineer
>>>
>>> *From:* Andrea Aime [mailto:andrea.a...@geo-solutions.it]
>>> *Sent:* Thursday, June 07, 2018 12:23 AM
>>> *To:* Dave Wichers <dave.wich...@ey.com>
>>> *Cc:* geoserver-users@lists.sourceforge.net
>>> *Subject:* Re: [Geoserver-users] Known vulnerability in
>>> commons-fileupload v1.2.1, used by geoserver
>>>
>>> The comm page, where I believe you found info on registering for the
>>> user list, has a clear warning not to post security vulnerabilities:
>>>
>>> http://geoserver.org/comm/
>>>
>>> "If you encounter a security vulnerability in GeoServer please take care
>>> to report the issue in a responsible fashion. Do not use the mailing list,
>>> go instead to the Jira bug tracker and follow the "Responsible
>>> disclosure" instructions there."
>>>
>>> How do we make it more plain and evident so that grave mistakes do not
>>> occur anymore in the future?
>>> Maybe we should switch the background color of that box to red...
>>>
>>> Regards
>>> Andrea
>>>
>>> <removed>
>>>


-- 

Regards, Andrea Aime == GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime
@geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054
Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339
8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it
------------------------------------------------------- *With reference
to the regulations on the processing of personal data (EU Reg. 2016/679 -
General Data Protection Regulation “GDPR”), please note that every
circumstance relating to this email (its content, any attachments, etc.)
is information whose knowledge is reserved to the recipient(s) indicated
by the sender alone. If the message has reached you by mistake, you are
required to delete it; any other operation is unlawful. I would in any case
be grateful if you could let me know. This email is intended
only for the person or entity to which it is addressed and may contain
information that is privileged, confidential or otherwise protected from
disclosure. We remind that - as provided by European Regulation 2016/679
“GDPR” - copying, dissemination or use of this e-mail or the information
herein by anyone other than the intended recipient is prohibited. If you
have received this email by mistake, please notify us immediately by
telephone or e-mail.*
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
