fluo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joseph Koshakow <kosh...@gmail.com>
Subject Re: Security References
Date Mon, 16 Dec 2019 01:35:49 GMT
The comments on that JCommander issue seem to indicate that the issue was
resolved but never closed. I looked at
https://github.com/cbeust/jcommander/blob/master/build.gradle.kts and it
seems like they now use https for sonatype which is where the issue
originated from. I left a comment on their issue to confirm with the
developers if it was resolved.

I have a PR open that upgrades us to JCommander version 1.78 (
https://github.com/apache/fluo/pull/1083/files) which is the most recent in
maven. Hopefully that resolves the issue for us.

-Joe

On Sat, Dec 14, 2019 at 12:23 PM Kenneth McFarland <
kennethmcfarland@apache.org> wrote:

> Here is a small example I found very fast out of curiosity. Jcommander is
> susceptible to MITM.
>
> https://github.com/cbeust/jcommander/issues/465
>
> This is still open afaik. I'll be digging more for things like zipslip etc
> and transient vulns. I still would appreciate any advice.
>
> Auditing Fluo will probably mean working inspecting other projects more
> than Fluo itself.
>
>
>
> On Fri, Dec 13, 2019, 11:27 AM Kenneth McFarland <
> kennethmcfarland@apache.org> wrote:
>
> > Hi guys,
> >
> > I have found I'm pretty interested in security.
> >
> > I'd like to get some experience with Fluo and it's dependencies auditing
> > them. I'm doing my own research but it's always best to leverage others
> > experience.
> >
> > If you have any good references, advice or tips for me please let me
> know.
> > I'll also be looking through the commit logs and checking accumulo.
> >
> > I wasn't sure where else to ask this since it's not really an issue until
> > something is found. Thanks!
> >
> > Kenny
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message