Implement version security checks #103
Comments
|
Currently it seems that only |
ignore cves list, remove some analyzers, more test for version ranges like >, some cpe vendors and products to updaters
…implement-version-security-checks # Conflicts: # cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
…e-with-open-intervals' into feature/devonfw#103-implement-version-security-checks # Conflicts: # cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
if a single warning affects all versions, it is ignored
also SecurityRiskInteraction returns configured version and latest version when possible. conversion between cpe and ulr version more rebust by using map and inverse function where map fails. Added asciidoc
- changed pom.xml - getCpeEdition now has argument, since there is only a single UrlUpdater for multiple editions of a tool - some cleanup
…evonfw#103-implement-version-security-checks # Conflicts: # cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java # cli/src/main/java/com/devonfw/tools/ide/version/BoundaryType.java # cli/src/main/java/com/devonfw/tools/ide/version/VersionRange.java # cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
- fixed pom bug - fixed bug in BuildSecurityJsonFiles due to moved method that was introduced in the merge of main into this branch
…ty-checks # Conflicts: # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java # cli/src/test/resources/ide-projects/basic/_ide/urls/mvn/mvn/security.json
added missing answers param to newContext
fixed pom versions applied reformat
renamed retrievePath to getPath renamed addPath to setPath
added javadocs
removed warnings from security json
added missing CPE vendors/products
adjusted getCpeVendor and getCpeProduct to return the tool name instead of an empty string removed unused urlEdition param from getCpeEdition added workaround for intellij #1378 fixed NPE's (added checks for missing UrlUpdaters)
|
I've added a first batch of security files in this PR: devonfw/ide-urls#15 |
…ty-checks # Conflicts: # cli/pom.xml # cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java # cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java # documentation/LICENSE.adoc
added missing answers to IdeTestContext
renamed SAFE_LATEST to LATEST
|
After discussing this issue we have to answer following questions.
|
Definetly, yes.
There are general two options:
We started with the latter approach but already added too many CVEs with that and then questioned the entire approach. To be honest it does not seem an easy decision what would be the best way to go.
Yes, but most probably we want to stay with the OWASP one that is already integrated and open-source.
In the 2. case, we should give more freedom if we want to support the security analysis of a git code repository with the help of IDEasy. There we could integrate such tools and also support commerical ones. However, this is a totally different story. See e.g. https://github.com/devonfw/ide/issues/1278[ide#1278 (snyk)]
With the approach of the With all the complexity that arose in PR #190 and related aspects, I started questioning the entire approach.
Exactly a good question that is a big pro for option 1 and con of option 2. As I stated above, I therefore tend to go for option 1. |
hohwille
added
the
Epic
As a IDEasy user, I want to get security warnings if I am using outdated software with critical known CVEs so that I can keep my software secure.
This is the devonfw-ide story 1106 to be implemented for IDEasy.
ATTENTION: There is a specialty for
gitthat is not typically managed by IDEasy (what might change see #47). For this also have a look at the old PR implementing this story in devonfw-ide.Design
We have decided that we need to create our own source of information for this.
The reason is that the public CVE databases are generic for every software and therefore extremely large and without a paid subscription the APIs are rate limited.
Therefore a simple solution to directly access the CVE databases e.g. from NVD in IDEasy (e.g. via owasp-dependency-check library) will not work smooth. When installing IDEasy the entire CVE database has to be downloaded by every user of IDEasy and that will not work because due to rate limits it will fail and has to be continued the other day so the database might only be available after weeks. We also tried various other alternatives or online search APIs.
However, we came to the point that we want to do the following:
In our ide-urls repository we want to have potential
security.jsonfiles per tool/edition (analog todependency.json- see #131). So for a specific tool, likegit,javaormaven, we would have such a file containing all the CVEs for that tool. Since we only manage a very small subset of tools we will end up with a small fraction from the large generic CVE database. Further, we do not need a view properties out of that:(0,10.0]where 0 would be no risk and 10 would mean highest risk with catastrophic impact)From the ID we can already generate an URL to the CVE (e.g. https://nvd.nist.gov/vuln/detail/CVE-2024-32002) where the user can find all the further details with description, etc. so we do not need to store that (saving storage and bandwidth) nor maintain it (e.g. if the description may be updated with more details).
So my suggestion for the JSON would therefore be (example for
git/git/security.json):{ issues: [ {"id":"CVE-2024-32002", "severity":9.0, "versions":[ "(0,2.39.4)", "[2.40.0,2.40.2)" ]} ] }The top-level object with only the property
issuescould be omitted but is there for potential future extensions. Other unknown properties should threrefore be ignored without causing an error.The
issuesproperty is an array with any number of CVEs known for the tool/edition.(it could also be an object where the key is the CVE-ID and the value are the other properties but this is more complex to parse and map to Java)
A CVE can have multiple version ranges affected and also for a given version of a tool multiple CVEs can apply.
Therefore the earlier JSON schema did not fit perfectly to solve the problem.
With this JSON schema defined, we can divide this story into two independent parts that share the JSON schema as their only API and dependency. See the sub-issues for that and further details.
The text was updated successfully, but these errors were encountered: