Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement version security checks #103

Open
hohwille opened this issue Oct 17, 2023 · 3 comments · May be fixed by #119
Open

Implement version security checks #103

hohwille opened this issue Oct 17, 2023 · 3 comments · May be fixed by #119
Assignees
@jan-vcapgemini
Labels
enhancement New feature or request

Comments

@hohwille
Copy link
Member

As a IDEasy user, I want to get security warnings if I am using outdated software with critical known CVEs so that I can keep my software secure.

This is the devonfw-ide story 1106 to be implemented for IDEasy.

ATTENTION: There is a specialty for git that is not typically managed by IDEasy (what might change see #47). For this also have a look at the old PR implementing this story in devonfw-ide.
@hohwille hohwille added the enhancement New feature or request label Oct 17, 2023
@hohwille hohwille added this to the release:2024.01.001 milestone Oct 17, 2023
@MattesMrzik MattesMrzik self-assigned this Oct 24, 2023
@MattesMrzik
Copy link
Contributor

MattesMrzik commented Oct 25, 2023
edited

Currently it seems that only VersionRange entries are allowed inside the security file. Should we also allow a VersionIdentifier? Should there also be a commandlet that lets you add versions to the security file?

MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Oct 25, 2023
@MattesMrzik
devonfw#103: security warning for CVEs in file tool/edition/security
2237158
@MattesMrzik MattesMrzik linked a pull request Oct 25, 2023 that will close this issue
Open
@tobka777 tobka777 linked a pull request Oct 26, 2023 that will close this issue
#103: security warning for CVEs in file tool/edition/security #119
Open
@tobka777 tobka777 removed a link to a pull request Oct 26, 2023
#103: security warning for CVEs in file tool/edition/security #119
Open
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 15, 2023
@MattesMrzik
devonfw#103: url analyzer works and vulnerabilities are retrieved
e5c70e7
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 16, 2023
@MattesMrzik
devonfw#103: Security Entry and determination of version Range for vu…
34febf5 
…lnerability
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 24, 2023
@MattesMrzik
devonfw#103: writing security json file
ae0558b
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 5, 2023
@MattesMrzik
devonfw#103: test interaction and getVersionRangeFromInterval
ba87b95
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 6, 2023
@MattesMrzik
devonfw#103: refinements
ba694ab
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 14, 2023
@MattesMrzik
devonfw#103: more refinement
81b8586 
 ignore cves list, remove some analyzers, more test for version ranges like >, some cpe vendors and products to updaters
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
@MattesMrzik
Merge remote-tracking branch 'upstream/main' into feature/devonfw#103-…
7e2023e 
…implement-version-security-checks

# Conflicts:
#	cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
@MattesMrzik
Merge remote-tracking branch 'origin/feature/devonfw#158-version-rang…
64c8454 
…e-with-open-intervals' into feature/devonfw#103-implement-version-security-checks

# Conflicts:
#	cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
@MattesMrzik
devonfw#103: removed duplicate VersionRange.equals
5518138
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
@MattesMrzik
devonfw#103: versionRange with open interval
4fbef6e
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
@MattesMrzik
devonfw#103: updated urlSecJsonFile.contains
1b9224b 
if a single warning affects all versions, it is ignored
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 21, 2023
@MattesMrzik
devonfw#103: rephrase interaction, mapUtil, LICENCE
9a86e34 
also SecurityRiskInteraction returns configured version and latest version when possible.

conversion between cpe and ulr version more rebust by using map and inverse function where map fails.

Added asciidoc
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 22, 2023
@MattesMrzik
devonfw#103: moved urlSecurityJson to its own class
fe9109f
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 22, 2023
@MattesMrzik
devonfw#103: fixed write json bug, and more
b19b877 
 - changed pom.xml
 - getCpeEdition now has argument, since there is only a single UrlUpdater for multiple editions of a tool
 - some cleanup
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 2, 2024
@MattesMrzik
devonfw#103: some final cleanup
fd64100
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 2, 2024
@MattesMrzik
devonfw#103: updated to be in line with devonfw#158
312afdd
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
@MattesMrzik
Merge branch 'main' of https://github.com/devonfw/IDEasy into feature/d…
37122ff 
…evonfw#103-implement-version-security-checks

# Conflicts:
#	cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
#	cli/src/main/java/com/devonfw/tools/ide/version/BoundaryType.java
#	cli/src/main/java/com/devonfw/tools/ide/version/VersionRange.java
#	cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
@MattesMrzik
devonfw#103: fixed small bug due to merged main
9b28679
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
@MattesMrzik
devonfw#103: fixed bugs
1389057 
- fixed pom bug
- fixed bug in BuildSecurityJsonFiles due to moved method that was introduced in the merge of main into this branch
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
@MattesMrzik
devonfw#103: fixed bug
98b3da3 
- bug when creating version range from single version was fixed
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 21, 2024
@MattesMrzik
devonfw#103: added logging test
06cc433
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 21, 2024
@MattesMrzik
devonfw#103: refactored code
80ab231 
- renamed methods in SystemPath
- split long method securityRiskInteraction into componets
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 25, 2024
@MattesMrzik
Merge branch 'feature/devonfw#103-implement-version-security-checks' of
c78aad4 
https://www.github.com/MattesMrzik/IDEasy into feature/devonfw#103-implement-version-security-checks

# Conflicts:
#	security/src/main/java/com/devonfw/tools/security/BuildSecurityJsonFiles.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 25, 2024
@MattesMrzik
devonfw#103: added tests
6a20d3c 
for BuildSecurityJsonFiles.addVulnerabilityToSecurityFile
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 25, 2024
@MattesMrzik
devonfw#103: test for UrlSecurityJson
cbe086d
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 26, 2024
@MattesMrzik
devonfw#103: last small changes
20fecc3 
- removed this.paths.add(path) in method SystemPath.addPath()
- linked new issue to TODO
- added some java doc
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
47ae5b7 
…ty-checks

# Conflicts:
#	cli/src/main/java/com/devonfw/tools/ide/tool/LocalToolCommandlet.java
#	cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
#	cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
#	documentation/LICENSE.asciidoc
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
@jan-vcapgemini
devonfw#103: code reformat & cleanup
ae52292
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
@jan-vcapgemini
devonfw#103: implemented requested changes
f66c7ea 
removed default getEdition override from tools
changed getEdition to non abstract
made getIntellijJsonRelease public
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
@jan-vcapgemini
devonfw#103: applied reformat
7628cc9
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
@jan-vcapgemini
devonfw#103: implemented requested changes
db6e276 
added dependencyManagement to root pom.xml
added owasp version property to root pom.xml
renamed security artifact to ide-security
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
6da9066 
…ty-checks

# Conflicts:
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
#	cli/src/test/resources/ide-projects/basic/_ide/urls/mvn/mvn/security.json
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
@jan-vcapgemini
devonfw#103: fixed merge issues
2862e6b 
added missing answers param to newContext
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
@jan-vcapgemini
devonfw#103: some fixes
be3ec96 
fixed pom versions
applied reformat
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
097bbdc 
…ty-checks
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
@jan-vcapgemini
devonfw#103: implemented requested changes
a7d686c 
renamed retrievePath to getPath
renamed addPath to setPath
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
@jan-vcapgemini
devonfw#103: implemented requested changes
a299504 
added javadocs
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
@jan-vcapgemini
devonfw#103: implemented requested changes
0f3596f 
removed warnings from security json
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 26, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
30d5bf2 
…ty-checks
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
@jan-vcapgemini
devonfw#103: fixed intellij and vscode
69e1fdd 
added missing CPE vendors/products
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
@jan-vcapgemini
devonfw#103: fixed NPEs and other issues
4d6766c 
adjusted getCpeVendor and getCpeProduct to return the tool name instead of an empty string
removed unused urlEdition param from getCpeEdition
added workaround for intellij #1378
fixed NPE's (added checks for missing UrlUpdaters)
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
f162e09 
…ty-checks
@jan-vcapgemini jan-vcapgemini mentioned this issue Feb 29, 2024
Open
@jan-vcapgemini
Copy link
Contributor

I've added a first batch of security files in this PR: devonfw/ide-urls#15

jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
3834ce8 
…ty-checks

# Conflicts:
#	cli/pom.xml
#	cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java
#	cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
#	documentation/LICENSE.adoc
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
@jan-vcapgemini
devonfw#103 fixed tests
ba4bc07 
added missing answers to IdeTestContext
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
@jan-vcapgemini
Merge branch 'main' into feature/devonfw#103-implement-version-securi…
d794e67 
…ty-checks
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
@jan-vcapgemini
devonfw#103 implemented requested changes
998387d 
renamed SAFE_LATEST to LATEST
@jan-vcapgemini
Copy link
Contributor

jan-vcapgemini commented Apr 10, 2024
edited

After discussing this issue we have to answer following questions.

  • Should we use these CVE's to decide internally if a tool version is to be considered as good or bad (based on the severity of its CVE's)?
  • Should the severity threshold be adjustable by the user of IDEAsy?
  • Are there different CVE tools which can check at runtime if a tool version is not safe?
  • What about identically CVE's in different versions of the same tool?
  • What about modified CVE descriptions, how to handle the diffs and where?

@hohwille hohwille removed this from the release:2024.03.001 milestone May 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jan-vcapgemini jan-vcapgemini

Labels
enhancement New feature or request
Projects
IDEasy board
Status: Research
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

#103: security warning for CVEs in file tool/edition/security MattesMrzik/IDEasy
3 participants
@hohwille @MattesMrzik @jan-vcapgemini