Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#103 added initial CVE files #15

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

jan-vcapgemini
Copy link

Addresses: #103

Implements:

added cve security json files

added cve security json files
@jan-vcapgemini jan-vcapgemini changed the title #103 added initial files #103 added initial CVE files Feb 29, 2024
Copy link
Member

@hohwille hohwille left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jan-vcapgemini thank you so much for this CVE and for improving the CVE-tool that @MattesMrzik initially created. This is very valuable 👍

However, before we merge this, we should discuss what feature we really want to create.
While this is very rich and detailed information here, I see the following risks:

  • we are further flooding our ide-urls repository. My initial intention was to keep this repo as small as possible. Every IDE installation needs to clone this repo and every IDE call needs to pull updates from this repo. I see a tendency that we are creating a kind of blockchain that continuously grows to a monster.
  • all we really need is to get a warning for a tool version that is considered as seriously insecure and ideally the information which next available version the user can upgrade to in order to fix the vulnerability.
  • here we are creating a solution that is as powerful as existing CVE checker tools like OWASP dependency-check or dependency-track. While it seems great to have powerful support like this, I am slightly unsure if we can maintain this over years or decades:
  • Will we have to integrate the update of all the security.json files together with the rest of the ide-urls automatically every night?
  • Will we flood the users with warnings about CVEs because every tool is vulnerable in the end and sometimes all versions including the latest version will be vulnerable?
  • My fear is that in the latter case we will educate our users to simply ignore such warnings on the long run.
  • I see a big difference from the CVE that allowed remote-code-execution via a hacked Git repo or the CVE that allowed to break out of the docker container sandbox and gain full access to the host machine with an attack inside a container from e.g. CVE-2021-26291.
  • Do not get me wrong. This is all great work and the ability to inform the end-user about all known CVEs of the used tool versions is a promising feature.
  • However, if the latter is our goal then why don't we integrate a standard CVE scanner tool into IDEasy that can download its own metadata and can be called on demand?
  • My initial intention was to mark all old versions of some tool affected by a very critical CVE as insecure and render a FAT WARNING and potential user confirmation before installation and before execution. Therefore we do not need the details and we especially do not know what other CVEs are additionally in that same version. So more or less all versions of git before 2.39.0 are insecure and shall not be used anymore.

All I want to say is let us discuss first and not merge this blindly. Maybe we decide to merge this as is and also the according IDEasy PR...

@jan-vcapgemini jan-vcapgemini self-assigned this Nov 19, 2024
@jan-vcapgemini jan-vcapgemini added the enhancement New feature or request label Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: Team Review
Development

Successfully merging this pull request may close these issues.

2 participants