Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30

Mark Thomas wrote on 10/31/2018 11:16 AM:
> On 31/10/2018 17:48, Bill Shannon wrote:
>> False positive in what sense?
>>
>> The projects don't actually have the dependency?
> 
> Of a form. We often see reports for dependencies that are not present at
> run time. For example, it is a build-time dependency used to generate
> static web content.

Yes, at least one of the recently reported alerts is in a test case.

>> The dependency doesn't actually have the security vulnerability?
> 
> No.
> 
>> The security vulnerability doesn't actually impact the dependent project?
> 
> This one too. We ran a trial a few years ago with a static analysis tool
> that, when it found a vulnerable dependency, dug deeper and looked to
> see if the application actually used the vulnerable code path. In a
> fairly small sample (~ 10 projects) we found that the vulnerable code
> path was executed in only around 10% of cases. We didn't do the further
> manual research to determine how many of those uses resulted in
> vulnerabilities in the application but I'd be surprised if it was more
> than 50%.
> 
> If you take all of these factors together you tend to get a false
> positive rate well in excess of 95%.

It sure would be nice if such a tool was available!  Wouldn't it be great
if each one of these vulnerabilities was turned into a SpotBugs plugin
that could detect whether your code was actually vulnerable?

>> I know at Oracle our approval process assumes the vulnerability is relevant
>> unless we can show otherwise.  It's often easier to update the dependency
>> than to prove that it's not necessary.
> 
> Approaches vary across ASF projects. It tends to vary based on how
> conservative they are about updating dependencies.
> 
> The ASF security team passes them to the relevant project but doesn't
> then track what - if anything - the project decides to do with them.
> 
> I tend to view reports like this more as a general reminder to review
> the dependencies for updates on a regular basis.

Right, and so my question to the PMC is, what do you want to do about these?

Is security a major factor for EE4J projects, such that we should be
conservative and always address these alerts quickly?

Or is security mostly left to vendors who deliver products based on EE4J
and we leave it to them to decide whether these alerts are relevant or not?
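The triage the thread describes (is the dependency actually shipped at run time, is the installed version in the affected range, and is the vulnerable code path reachable from the application) can be written down as a small filter pipeline. The following is an added illustration, not code from the thread, from the ASF, or from any EE4J project; the package names, versions, advisory ids and the call graph are constructed, and the call graph is assumed to be supplied by some other tool rather than built here.

```python
"""Dependency-alert triage in the spirit of the thread: drop alerts for
build- or test-only dependencies, for versions outside the affected range,
and for vulnerable entry points the application never reaches.
Added example; all names, versions and ids below are constructed."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                      # constructed placeholder id
    package: str
    affected: Tuple[Version, Version]     # [lo, hi): affected version range
    vulnerable_symbols: Set[str]          # entry points that trigger the bug


@dataclass(frozen=True)
class Dependency:
    package: str
    version: Version
    scope: str   # "compile" (ships at run time), "test" or "build"


def version_affected(adv: Advisory, version: Version) -> bool:
    """True when the installed version falls inside the advisory's range."""
    lo, hi = adv.affected
    return lo <= version < hi


def reachable(call_graph: Dict[str, Set[str]], roots: Iterable[str],
              targets: Set[str]) -> bool:
    """Depth-first walk from the application's entry points; True if any
    vulnerable symbol is on some call path (assumed call graph, see lead-in)."""
    seen: Set[str] = set()
    stack: List[str] = list(roots)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in targets:
            return True
        stack.extend(call_graph.get(node, set()))
    return False


def triage(deps: Iterable[Dependency], advisories: Iterable[Advisory],
           call_graph: Dict[str, Set[str]], roots: Set[str]) -> Dict[str, str]:
    """Map each advisory id to a verdict; only 'runtime-reachable' needs action."""
    by_pkg = {d.package: d for d in deps}
    verdicts: Dict[str, str] = {}
    for adv in advisories:
        dep = by_pkg.get(adv.package)
        if dep is None:
            verdicts[adv.advisory_id] = "not-a-dependency"
        elif not version_affected(adv, dep.version):
            verdicts[adv.advisory_id] = "version-not-affected"
        elif dep.scope != "compile":
            verdicts[adv.advisory_id] = f"{dep.scope}-only"      # e.g. test-only
        elif not reachable(call_graph, roots, adv.vulnerable_symbols):
            verdicts[adv.advisory_id] = "runtime-unreachable"
        else:
            verdicts[adv.advisory_id] = "runtime-reachable"
    return verdicts


def actionable(verdicts: Dict[str, str]) -> List[str]:
    """Advisory ids that survived every filter, in input order."""
    return [a for a, v in verdicts.items() if v == "runtime-reachable"]


# Constructed sample project: four dependencies, five alerts, a tiny call graph.
DEPS = [
    Dependency("json-lib", (2, 3, 0), "compile"),
    Dependency("xml-tool", (1, 0, 5), "compile"),
    Dependency("site-gen", (4, 1, 0), "build"),    # generates static web content
    Dependency("mock-http", (0, 9, 2), "test"),    # only used by test cases
]
ADVISORIES = [
    Advisory("ADV-0001", "json-lib", ((2, 0, 0), (2, 4, 0)), {"json-lib.Parser.parseUntrusted"}),
    Advisory("ADV-0002", "xml-tool", ((1, 0, 0), (1, 0, 4)), {"xml-tool.Loader.load"}),
    Advisory("ADV-0003", "site-gen", ((4, 0, 0), (5, 0, 0)), {"site-gen.Template.render"}),
    Advisory("ADV-0004", "mock-http", ((0, 0, 0), (1, 0, 0)), {"mock-http.Server.start"}),
    Advisory("ADV-0005", "json-lib", ((2, 0, 0), (3, 0, 0)), {"json-lib.Writer.writeRaw"}),
]
CALL_GRAPH = {
    "app.main": {"app.handle"},
    "app.handle": {"json-lib.Parser.parse", "json-lib.Writer.write"},
    "json-lib.Parser.parse": {"json-lib.Parser.parseUntrusted"},
    "json-lib.Writer.write": set(),   # never calls the vulnerable writeRaw
}
ROOTS = {"app.main"}


if __name__ == "__main__":
    result = triage(DEPS, ADVISORIES, CALL_GRAPH, ROOTS)
    for advisory_id, verdict in result.items():
        print(f"{advisory_id}: {verdict}")
    print("needs action:", actionable(result))
```

Run as written, only ADV-0001 survives: ADV-0002 is outside the affected range, ADV-0003 and ADV-0004 belong to build- and test-scoped dependencies, and ADV-0005 targets a symbol the application never calls. Four of five alerts being filtered out is the kind of ratio the thread reports; the reachability step is the weakest link, since it trusts whatever call graph it is handed and cannot see reflection or dynamic loading, so an "unreachable" verdict still deserves a human look before an alert is closed.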
