geronimo-dev mailing list archives

From Kevan Miller <kevan.mil...@gmail.com>
Subject Re: [DISCUSS] Handling of Security Exposures in Geronimo
Date Fri, 08 Aug 2008 19:09:10 GMT

On Jul 23, 2008, at 3:15 PM, Joe Bohn wrote:

> Kevan Miller wrote:
>> All,
>> There was a recent report by Fortify on Open Source Security -- http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
>> The report says there were some number of potential vulnerabilities  
>> identified in Geronimo. No details of the vulnerabilities have been  
>> reported to us (although the tests seem to have been run some time  
>> ago...). Once we understand what the potential vulnerabilities are,  
>> we can start to assess...
>> The report does identify concerns that we could be doing a better  
>> job of reporting security vulnerabilities and letting users know  
>> how they can report security vulnerabilities to our project. I  
>> agree with this.
>> As noted here -- http://www.apache.org/foundation/contact.html --  
>> any ASF security concerns can be safely relayed with an email to security@apache.org.
>> It probably makes sense for us to create a security@geronimo.apache.org
>> mailing list. Project-specific security mailing lists are
>> automatically relayed to the security@apache.org mailing list. A  
>> project-specific list will reduce spam and allow us to focus on  
>> Geronimo issues, rather than Apache-wide issues.
>
> +1
>
>> I also think that we should create a security page on our web site  
>> (e.g. geronimo.apache.org/security). This page could be used to  
>> describe how any potential vulnerabilities should be reported. It  
>> should also be used to report vulnerabilities as they are fixed.  
>> This allows users to easily identify what security exposures a  
>> particular version of Geronimo might have.
>
> +1
>
>> Thoughts on the mailing list and web site? Assuming we're in  
>> general agreement, I'd like to see us working on these in the near  
>> future.
>
> I think they are both good ideas.

I'm going to be working on making the above items happen: creating a  
security mailing list and a security page on our web site.

>
>> Finally, I've learned that there are a few potential sources for  
>> running static code analysis scans against our codebase:
>>   https://opensource.fortify.com/teamserver/welcome.fhtml
>>   http://scan.coverity.com/
>> I think we should take a look at these and decide if it's something  
>> we want to take advantage of. Thoughts?
>
> It's probably worth taking a look.  Looking at the fortify site and  
> the "rungs" on the coverity site got me thinking about the packages  
> we include.  Some of them are listed but many are not.  I wonder how  
> valuable running scans on Geronimo would be if the dependent  
> packages are not also participating.  We might end up being the  
> middleman for reporting security issues in a number of other  
> projects.  I guess that's still good as long as they are caught ...  
> but it might be a good bit of effort.


I'll investigate these as a lower priority task. Still haven't heard  
any specifics on any vulnerabilities.

--kevan

