Implement version security checks

[hohwille]

As a IDEasy user, I want to get security warnings if I am using outdated software with critical known CVEs so that I can keep my software secure.

This is the devonfw-ide story 1106 to be implemented for IDEasy.

ATTENTION: There is a specialty for git that is not typically managed by IDEasy (what might change see #47). For this also have a look at the old PR implementing this story in devonfw-ide.

[MattesMrzik]

Currently it seems that only VersionRange entries are allowed inside the security file. Should we also allow a VersionIdentifier? Should there also be a commandlet that lets you add versions to the security file?

[jan-vcapgemini]

I've added a first batch of security files in this PR: devonfw/ide-urls#15

[jan-vcapgemini]

After discussing this issue we have to answer following questions.

• Should we use these CVE's to decide internally if a tool version is to be considered as good or bad (based on the severity of its CVE's)?
• Should the severity threshold be adjustable by the user of IDEAsy?
• Are there different CVE tools which can check at runtime if a tool version is not safe?
• What about identically CVE's in different versions of the same tool?
• What about modified CVE descriptions, how to handle the diffs and where?

[hohwille]

Should we use these CVE's to decide internally if a tool version is to be considered as good or bad (based on the severity of its CVE's)?

Definetly, yes.

Should the severity threshold be adjustable by the user of IDEasy?

There are general two options:

• We use the standard OWASP tool directly inside IDEasy to check for CVEs. This will imply that before every tool download the entire CVE database has to be updated what takes time and slows down the process. However, this will give lots of flexibility (user can then configure the severity threshold and this question is to be answered with "yes") and most recent CVEs and most accurate results.
• We have an internal process that does the CVE checks in our UpdateURLs workflow every night. The end user only deals with security.json files that we add to ide-urls repository and works independent of OWASP tooling. Here I thought of a fixed severity threshold that is rather high to avoid annoying warnings to every user - Then the answer is "no". What has been implemented is however containing the severities and that seems smarter since this way we can implement such user-configuration so the answer would also be "yes" then. However, this will also mean that our security.json files will grow large and update frequently, what I initially wanted to avoid (if a user wants to check a tool version, we need to pull ide-urls and if that has not happened for a while, it will pull a lot of changes and that takes time. Also the initial clone will then take long).

We started with the latter approach but already added too many CVEs with that and then questioned the entire approach.
As you can see in https://github.com/devonfw/ide-urls/pull/15/files we are somehow duplicating the CVE database for our tools and add a complex process transforming the CVE database to our own format. The benefit is obviously that we only need to download the CVEs for the tools we care about what is probably 1% or less of the CVE database that contains all software worldwide.

To be honest it does not seem an easy decision what would be the best way to go.
I still see pros and cons in both approaches.
However, after revisiting everything, I tend for the first option. We can make it configurable and therefore potentially could even allow the security check to be switched off saving performance (wait times for CVE DB).
If we go for it, we could still integrate OWASP tooling directly into IDEasy as maven dependency increasing our code base or we could do it as a local or global tool. Then we would first install that owasp-dependency-check tool and from that point on, use it and just ask it if «tool» + «edition» + «version» is fine or there are CVEs that should prevent the installation or at least require user-confirmation. The tighter integration would allow direct processing of the found CVEs, threshold filtering, and more control of what we display to the end-user and what questions to ask or options to give. However, if the CVE-DB format changes or the library itself is buggy or has security flaws, we are responsible and need to implement changes and deploy updated releases while if we call the tool as something external (black-box), we have less such responsibility.

Are there different CVE tools which can check at runtime if a tool version is not safe?

Yes, but most probably we want to stay with the OWASP one that is already integrated and open-source.
There are also other tools with advanced features that require a commercial license.
I distinguish two totally different aspects:

1. Analyze IDEasy and the tools it installs for a project
2. Analyze the product that some project is building and that project team may happen to use IDEasy.

In the 2. case, we should give more freedom if we want to support the security analysis of a git code repository with the help of IDEasy. There we could integrate such tools and also support commerical ones. However, this is a totally different story. See e.g. https://github.com/devonfw/ide/issues/1278[ide#1278 (snyk)]

What about identically CVE's in different versions of the same tool?

With the approach of the security.json we more or less wanted to define versions/-ranges that are "bad" (that is what devonfw-ide supported with security files and what I planned to reimplement in IDEasy).
Only for information and curiosity of the user, we wanted to give further details.
However, with PR #190 we took various rounds how the structure of security.json should be.
Current state is that somehow there are entries for version ranges but those only refer to a specific CVE (but since it is only a String it could also be multiple CVEs or we could redesign to a JSON array).

With all the complexity that arose in PR #190 and related aspects, I started questioning the entire approach.
Should we instead integrate OWASP dependency check directly (option 1) instead of creating our own dependency.json format managed in ide-urls (option 2 and original design)?

What about modified CVE descriptions, how to handle the diffs and where?

Exactly a good question that is a big pro for option 1 and con of option 2.
Original plan was that then security.json file will be updated by rerunning our tool and diff gets distributed to the users.

As I stated above, I therefore tend to go for option 1.
My suggestion would be to do a first PoC to see if that can be done rather easily and works well without blocking the user with hours of CVE-DB downloads, etc. - created story #547 for this.