Sounds like you guys have a solution. But, here's some links, one that
looks like it could plugin to your Atlassian Suite, and one that looks like
it may answer the Maven question that Jim asked.

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

https://github.com/jeremylong/DependencyCheck

Hope I helped more than got in the way.

Joe

On Thu, Jun 7, 2018 at 7:57 PM, Andrea Aime <andrea.a...@geo-solutions.it>
wrote:

> Hi Jim,
> Dave already suggested an approach.. that should not be too hard, maybe
> setting up a Jenkins build
> that reports only to the PSC... that's not the problem, it's a one time
> thing.
>
> It's upgrading the libraries that will be trouble, we depend on various
> old ones, we tried to organize
> a code sprint with many devs, but failed to get it going (when Jody
> proposed to do 2 or 3 sprints
> on different topics everybody looked elsewhere, it was just not serious,
> finding time for one co-located
> sprint a year is already hard enough).
>
> My hope is that commons-fileupload will be a seamless upgrade, but in
> general, we'll need a concerted
> effort, various devs for one week, to get widespread upgrades going (e.g.,
> many of the libs we're using
> have done API or format breaking changes, it will not be a simple "change
> the dep and rebuild" gig).
>
> Cheers
> Andrea
>
>
> On Thu, Jun 7, 2018 at 8:43 PM, Jim Hughes <jhug...@ccri.com> wrote:
>
>> Hi Joe,
>>
>> The GitHub security alerts seem to only be available for JavaScript and
>> Ruby.
>>
>> Is there a scanner which would work with a Maven/JVM project that you can
>> recommend?
>>
>> Cheers,
>>
>> Jim
>>
>>
>> On 06/07/2018 02:18 PM, Joe Murphy wrote:
>>
>> Not to try and start a huge discussion; but since the cat is out of the
>> bag so to speak, I also knew of this quite some time (1 year+) ago. I don't
>> have the resources to add bugs to the JIRA, but I was able to find/fix
>> locally very easily (what you do with open source). I guess I was wondering
>> if you guys are scanning with any of the free tools, including the one
>> right on Github that would have spotted this and others.
>>
>> https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/
>>
>> I used a tool called Twistlock which is a container scanner; but it draws
>> from the same NVD database as the free and Github scanners.
>>
>> All the best,
>> Joe
>>
>> On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
>>
>>> Hi Chris,
>>> yes, master. Much appreciated!
>>>
>>> Cheers
>>> Andrea
>>>
>>> On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
>>>
>>>> I can try to do that this weekend.  I assume master?
>>>>
>>>>
>>>>
>>>> Chris Snider
>>>>
>>>> Senior Software Engineer
>>>>
>>>>
>>>>
>>>>
>>>> *From:* andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] *On
>>>> Behalf Of *Andrea Aime
>>>> *Sent:* Thursday, June 07, 2018 8:25 AM
>>>> *To:* Chris Snider <chris.sni...@polarisalpha.com>
>>>> *Cc:* Dave Wichers <dave.wich...@ey.com>;
>>>> geoserver-users@lists.sourceforge.net
>>>>
>>>> *Subject:* Re: [Geoserver-users] Known vulnerability in
>>>> commons-fileupload v1.2.1, used by geoserver
>>>>
>>>>
>>>>
>>>> Hi Chris,
>>>>
>>>> that's a sensible suggestion. The web site is on GitHub, any chance you
>>>> could do a pull request? I'm swamped...
>>>>
>>>>
>>>>
>>>> https://github.com/geoserver/geoserver.github.io
>>>>
>>>>
>>>>
>>>> Cheers
>>>>
>>>> Andrea
>>>>
>>>>
>>>> On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
>>>>
>>>> Andrea,
>>>>
>>>>
>>>>
>>>> It took me a second to find the security block.  I completely
>>>> overlooked the blue field.
>>>>
>>>>
>>>>
>>>> Maybe add a new header under the “User List”
>>>>
>>>> <h3>User List</h3>
>>>>
>>>> This list is for end users blah blah blah
>>>>
>>>>
>>>>
>>>> <h3>Reporting Security Vulnerabilities</h3>
>>>>
>>>> If you encounter a security vulnerability blah blah blah
>>>>
>>>>
>>>>
>>>> <h3>Posting Guidelines</h3>
>>>>
>>>> Please read through etc. etc. etc.
>>>>
>>>> Thought I’d say blah again didn’t you
>>>>
>>>>
>>>>
>>>> <h3>Developer Lists</h3>
>>>>
>>>> The rest of the page, and so on
>>>>
>>>>
>>>> This might draw attention?
>>>>
>>>>
>>>>
>>>> Chris Snider
>>>>
>>>> Senior Software Engineer
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Andrea Aime [mailto:andrea.a...@geo-solutions.it]
>>>> *Sent:* Thursday, June 07, 2018 12:23 AM
>>>> *To:* Dave Wichers <dave.wich...@ey.com>
>>>> *Cc:* geoserver-users@lists.sourceforge.net
>>>> *Subject:* Re: [Geoserver-users] Known vulnerability in
>>>> commons-fileupload v1.2.1, used by geoserver
>>>>
>>>>
>>>>
>>>> The comm page, where I believe you found info on registering for the
>>>> user list, has a clear warning not to post security vulnerabilities:
>>>>
>>>>
>>>>
>>>> http://geoserver.org/comm/
>>>>
>>>>
>>>>
>>>> "If you encounter a security vulnerability in GeoServer please take
>>>> care to report the issue in a responsible fashion. Do not use the mailing
>>>> list, go instead to the Jira bug tracker and follow the "Responsible
>>>> disclosure" instructions there."
>>>>
>>>>
>>>>
>>>> How do we make it more plain and evident so that grave mistakes do not
>>>> occur anymore in the future?
>>>>
>>>> Maybe we should switch the background color of that box to red...
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Andrea
>>>>
>>>>
>>>>
>>>> <removed>
>>>>
>>>> --
>>>> Regards, Andrea Aime
>>>> == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
>>>> Ing. Andrea Aime @geowolf
>>>> Technical Lead
>>>> GeoSolutions S.A.S.
>>>> Via di Montramito 3/A 55054 Massarosa (LU)
>>>> phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
>>>> http://www.geo-solutions.it http://twitter.com/geosolutions_it
>>>> -------------------------------------------------------
>>>> *With reference to the personal data protection legislation (EU Reg.
>>>> 2016/679 - General Data Protection Regulation "GDPR"), please note that
>>>> every circumstance relating to this email (its content, any attachments,
>>>> etc.) is data whose knowledge is reserved to the addressee(s) indicated by
>>>> the writer. If the message has reached you by mistake, you are required to
>>>> delete it; any other operation is unlawful. I would nonetheless be grateful
>>>> if you could let me know.
>>>> This email is intended only for the person or entity to which it is
>>>> addressed and may contain information that is privileged, confidential or
>>>> otherwise protected from disclosure. We remind that - as provided by
>>>> European Regulation 2016/679 "GDPR" - copying, dissemination or use of this
>>>> e-mail or the information herein by anyone other than the intended
>>>> recipient is prohibited. If you have received this email by mistake, please
>>>> notify us immediately by telephone or e-mail.*
>>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Geoserver-users mailing list
>>>
>>> Please make sure you read the following two resources before posting to
>>> this list:
>>> - Earning your support instead of buying it, by Ian Turton:
>>> http://www.ianturton.com/talks/foss4g.html#/
>>> - The GeoServer user list posting guidelines:
>>> http://geoserver.org/comm/userlist-guidelines.html
>>>
>>> If you want to request a feature or an improvement, also see this:
>>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>
>>> Geoserver-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>
>>>
>>
>>
>>
>
>
>
>
