[aries-rsa] Re: Vulnerable Dependency Versions (karaf 4.0.4 Snyk warning)

2022-04-08 Thread Bernd Eckenfels
I just noticed, I think the Karaf dependency in that POM can be removed 
completely; it seems to be not used anymore: the Karaf tooling is commented 
out. Maybe someone from Aries can comment on what that module is supposed to 
produce.

Regards
Bernd
--
http://bernd.eckenfels.net

From: Jean-Baptiste Onofré 
Sent: Friday, April 8, 2022 8:24:41 AM
To: dev@aries.apache.org 
Subject: Re: Vulnerable Dependency Versions (karaf 4.0.4 Snyk warning)

Hi Bernd,

I'm not a big fan of all auto tests like Dependabot, Sonar, Snyk, etc.
IMHO, it's better to run them on demand/manually.

Anyway, back to the point, I don't see an issue with RSA karaf features
in regard to the karaf version used:

https://github.com/apache/aries-rsa/blob/master/features/src/main/resources/features.xml

Here, the features repo doesn't mention karaf features repositories,
so it works with any karaf version at runtime, from 4.0.x to 4.3.x.
Karaf version is used to verify the features repository and run tests.
So, not a vulnerability issue in distribution or runtime.

About zookeeper and other dependencies, I'm part of the committer duty
to verify the dependencies (in Karaf, SMX or other projects, I have my
own tool/script to do that, I don't work on Aries RSA).

To summarize, I don't see an issue with aries rsa in regard to the karaf version.

Regards
JB

On Tue, Apr 5, 2022 at 3:13 AM Bernd Eckenfels  wrote:
>
> Hello,
>
> I got a lot of security issues for karaf 4.0.4 (mostly embedded Tomcat) 
> reported by the Snyk scan service for the Aries-rsa dependency (feature/pom.xml). 
> Snyk claims it is fixed with karaf 4.1.1. I understand that this minimum 
> version is mostly to be compatible with older karaf versions' API.
>
> So I wonder, do you have a policy on when to bump up those versions, especially 
> if the existing ones have known vulnerabilities? It's not so much an 
> issue of the delivery, I guess - given that users would have to pick unsafe 
> old karaf versions and can easily deploy into an up-to-date container - if I 
> see that correctly? But it does endorse somewhat known-bad versions.
>
> I have here in our 'fork' the open Snyk reports (not sure if they all apply 
> to upstream master, but they do apply for feature/pom.xml (karaf 4.0.4)): 
> https://github.com/seeburger-ag/aries-rsa/pulls
>
> Is it also an option to enable that directly on the ASF repo?
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net


[aries-rsa] Re: Vulnerable Dependency Versions (karaf 4.0.4 Snyk warning)

2022-04-08 Thread Bernd Eckenfels
Hello JB,

the Snyk finding is about the POM dependency here:

https://github.com/apache/aries-rsa/blob/6cc09749e600b5c96fe4995e6b677df91aafeeeb/features/pom.xml#L44

I guess I will just submit a bug/pull request to bump it up. I am not so sure 
how that would influence the applicability of the feature; Christian mentioned 
it's more an example anyway, so it should be fine to be recent (only).

Regards
Bernd
--
http://bernd.eckenfels.net
