Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30

False positive in what sense?

The projects don't actually have the dependency?

The dependency doesn't actually have the security vulnerability?

The security vulnerability doesn't actually impact the dependent project?

I know at Oracle our approval process assumes the vulnerability is relevant
unless we can show otherwise.  It's often easier to update the dependency
than to prove that it's not necessary.


Mark Thomas wrote on 10/31/2018 10:40 AM:
> You have to be an org admin.
> 
> Experience at the ASF is that they are mostly noise due to a high false positive
> rate.
> 
> Mark
> 
> 
> On 31/10/2018 17:24, Bill Shannon wrote:
>> I'm not sure who gets these.  You may have to be a Committer on the project or
>> an admin for the organization.
>>
>> Steve Millidge (Payara) wrote on 10/31/2018 02:24 AM:
>>> Security alerts on GitHub
>>>
>>> I don’t get these at a PMC level.
>>>
>>> *From:* ee4j-pmc-bounces@xxxxxxxxxxx <ee4j-pmc-bounces@xxxxxxxxxxx> *On Behalf Of* Bill Shannon
>>> *Sent:* 30 October 2018 23:55
>>> *To:* EE4J PMC Discussions <ee4j-pmc@xxxxxxxxxxx>
>>> *Subject:* [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30
>>>
>>> Is anyone on the PMC tracking these security alerts?
>>>
>>> Shouldn't someone ensure that the EE4J projects are responding to these in a
>>> timely manner?
>>>
>>>
>>> (Obviously ignore the "javaee" entries below.)
>>>
>>>
>>> -------- Forwarded Message --------
>>>
>>> *Subject:* Your GitHub security alerts for the week of Oct 23 - Oct 30
>>> *Date:* Tue, 30 Oct 2018 17:36:28 +0000 (UTC)
>>> *From:* GitHub <noreply@xxxxxxxxxx>
>>> *To:* Bill Shannon <bill.shannon@xxxxxxxxxx>
>>>
>>> GitHub <https://github.com> security alert digest
>>>
>>> *bshannon's* repository security updates from the week of *Oct 23 - Oct 30*
>>>
>>> Java EE organization <https://github.com>
>>>
>>> Warning! javaee / *metro-jaxws-commons* <https://github.com/javaee/metro-jaxws-commons>
>>> *Known security vulnerabilities detected*
>>> Dependency: org.springframework:spring-core
>>> Version: > 3.2.0 < 3.2.15
>>> Upgrade to: ~> 3.2.15
>>> Vulnerabilities:
>>>   CVE-2015-5211 High severity
>>>   CVE-2018-1270 High severity
>>>   CVE-2018-1275 High severity
>>>   CVE-2015-3192 Moderate severity
>>>   CVE-2016-5007 Moderate severity
>>>   View 3 more
>>>   <https://github.com/javaee/metro-jaxws-commons/network/alert/spring/spring-core/pom.xml/org.springframework:spring-core/open>
>>> Defined in: pom.xml
>>> *Review all vulnerable dependencies* <https://github.com/javaee/metro-jaxws-commons/network/alerts>
>>>
>>> Warning! javaee / *javadb* <https://github.com/javaee/javadb>
>>> *Known security vulnerabilities detected*
>>> Dependency: org.apache.axis:axis
>>> Version: <= 1.4
>>> Vulnerabilities:
>>>   CVE-2014-3596 Moderate severity
>>>   CVE-2018-8032 Moderate severity
>>> Defined in: pom.xml
>>> *Review all vulnerable dependencies* <https://github.com/javaee/javadb/network/alerts>
>>>
>>> Warning! javaee / *external* <https://github.com/javaee/external>
>>> *Known security vulnerabilities detected*
>>> Dependency: org.apache.axis:axis
>>> Version: <= 1.4
>>> Vulnerabilities:
>>>   CVE-2014-3596 Moderate severity
>>>   CVE-2018-8032 Moderate severity
>>> Defined in: pom.xml
>>> *Review all vulnerable dependencies* <https://github.com/javaee/external/network/alerts>
>>>
>>> Eclipse EE4J organization <https://github.com>
>>>
>>> Warning! eclipse-ee4j / *tyrus* <https://github.com/eclipse-ee4j/tyrus>
>>> *Known security vulnerabilities detected*
>>> Dependency: org.eclipse.jetty:jetty-server
>>> Version: < 9.2.25.v20180606
>>> Upgrade to: ~> 9.2.25.v20180606
>>> Vulnerabilities:
>>>   CVE-2017-7657 Critical severity
>>>   CVE-2017-7656 Moderate severity
>>> Defined in: pom.xml
>>> *Review all vulnerable dependencies* <https://github.com/eclipse-ee4j/tyrus/network/alerts>
>>>
>>> Warning! eclipse-ee4j / *grizzly-ahc* <https://github.com/eclipse-ee4j/grizzly-ahc>
>>> *Known security vulnerabilities detected*
>>> Dependency: org.eclipse.jetty:jetty-server
>>> Version: >= 9.4.0 < 9.4.11.v20180605
>>> Upgrade to: ~> 9.4.11.v20180605
>>> Vulnerabilities:
>>>   CVE-2018-12538 Moderate severity
>>>   CVE-2018-12536 Moderate severity
>>>   CVE-2017-7656 Moderate severity
>>> Defined in: pom.xml
>>> *Review all vulnerable dependencies* <https://github.com/eclipse-ee4j/grizzly-ahc/network/alerts>
>>>
>>> /Always verify the validity and compatibility of suggestions with your codebase./
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Unsubscribe
>>> <https://github.com/email/unsubscribe?token=AAKLo8HMACwtuFae2pc5lUHVqhk50Feqks5ducoagaRuYW1lrXZ1bG5lcmFiaWxpdHk%3D>
>>> · Email preferences <https://github.com/settings/emails> · Terms
>>> <https://help.github.com/articles/github-terms-of-service> · Privacy
>>> <https://help.github.com/articles/github-privacy-policy> · Sign into GitHub
>>> <https://github.com/login>
>>>
>>> GitHub, Inc.
>>> 88 Colin P Kelly Jr St.
>>> San Francisco, CA 94107
>>>
>>>
>>>
>>> _______________________________________________
>>> ee4j-pmc mailing list
>>> ee4j-pmc@xxxxxxxxxxx
>>> To change your delivery options, retrieve your password, or unsubscribe from
>>> this list, visit
>>> https://www.eclipse.org/mailman/listinfo/ee4j-pmc
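The three senses of "false positive" raised at the top of this thread can be checked mechanically for the first two. The following is an added example, not code from the thread or from any EE4J project: it parses the "Version" ranges exactly as the quoted GitHub digest prints them (including Jetty's `.v20180606`-style qualifiers) and compares them against what a project actually resolves. The `RESOLVED` map is a constructed sample, not the real dependency tree of any project named in the digest.

```python
import re

# Alerts transcribed from the quoted digest: (Maven coordinate, vulnerable range, upgrade target).
DIGEST_ALERTS = [
    ("org.springframework:spring-core", "> 3.2.0 < 3.2.15", "3.2.15"),
    ("org.apache.axis:axis", "<= 1.4", None),
    ("org.eclipse.jetty:jetty-server", "< 9.2.25.v20180606", "9.2.25.v20180606"),
    ("org.eclipse.jetty:jetty-server", ">= 9.4.0 < 9.4.11.v20180605", "9.4.11.v20180605"),
]

# Constructed sample of what a project actually resolves (e.g. taken from `mvn dependency:list`);
# not the real dependency tree of any project named in the digest.
RESOLVED = {
    "org.springframework:spring-core": "3.2.9",
    "org.eclipse.jetty:jetty-server": "9.4.11.v20180605",
}

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def version_key(version):
    """Comparable key for Maven-style versions: numeric parts compare as ints, qualifiers
    such as 'v20180606' or 'RELEASE' as strings (tagged so int and str never get compared)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def in_range(version, range_spec):
    """True when `version` satisfies every clause of a digest range such as '> 3.2.0 < 3.2.15'."""
    clauses = re.findall(r"(<=|>=|<|>)\s*(\S+)", range_spec)
    if not clauses:
        raise ValueError(f"unparseable range: {range_spec!r}")
    return all(OPS[op](version_key(version), version_key(bound)) for op, bound in clauses)


def triage(alert, resolved):
    """Classify one alert by the first two senses of 'false positive' from the thread; the third
    (dependency is vulnerable but the project never hits the bug) needs a human, so it stays 'affected'."""
    coordinate, range_spec, upgrade = alert
    if coordinate not in resolved:
        return "not a dependency"            # the project doesn't actually have it
    if not in_range(resolved[coordinate], range_spec):
        return "outside vulnerable range"    # it has it, but not at an affected version
    return f"affected; upgrade to {upgrade}" if upgrade else "affected; no fixed version listed"


if __name__ == "__main__":
    for alert in DIGEST_ALERTS:
        print(f"{alert[0]} {alert[1]!r}: {triage(alert, RESOLVED)}")
```

An alert that lands in range defaults to "affected", matching the approval posture described above: update unless someone can show the vulnerable code is not reachable.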

