
WET potential security vulnerabilities #8794

Open
jdoyle19 opened this issue Dec 19, 2019 · 9 comments

Comments

@jdoyle19

Hello,

Not sure if the Issues forum is the best place for this, but it's where I get sent for Questions/Comments.

As part of the development activities for our department, we leverage the Fortify security software to do vulnerability scans on our solutions. Given we use WET for a number of our applications, in some instances the Fortify solution identifies possible security vulnerabilities in the WET code. While I cannot say these represent legitimate vulnerabilities, we were wondering if the details of these vulnerabilities should be shared back to this community for review and possible remediation. If so, what would be the best process to do so?

Thanks in advance.

@ghost

ghost commented Dec 19, 2019

There are some issues that have been open for a while, but have not been completed yet.

Migration to jQuery 3 (WET 4) - #8557

MathJax - #8717

Also MathJax does have a minor update 2.7.4 and a major 3, but the major update is incomplete.

@duboisp @GormFrank @EricDunsworth

I am just a volunteer on this GitHub project.

@duboisp
Member

duboisp commented Jan 10, 2020

Feel free to share your list of those vulnerabilities through this issue. We could work together to assess the legitimacy and proceed with a possible remediation.

@RobJohnston
Contributor

RobJohnston commented Jan 11, 2020

While we're on the subject, I'm reading through the TBS publication released yesterday: Guide for Publishing Open Source Code.

A recommended best practice is,

a SECURITY.md file explaining security policy as well as procedures for reporting security vulnerabilities.

EDIT:
This is how I handled the same problem that the OP has: #7350. I posted that I thought there was a vulnerability and then sent an e-mail with the details of how to exploit it. It was then patched in #7379.

@EricDunsworth
Member

Aren't there hundreds of vulnerabilities of varying levels of severity in WET/GCWeb's build dependencies?

Should be possible to view them all by running npm audit.
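As an added example (not code from the WET/GCWeb project or from the commenter), the following Node script consumes the JSON form of that command's output, `npm audit --json`, and applies a severity gate, so that a long list of dependency advisories can be triaged rather than just counted: every finding at or above a chosen severity is flagged, with direct dependencies listed first because those are the ones this project can fix itself. The field names (`vulnerabilities`, `severity`, `isDirect`, `fixAvailable`, `metadata.vulnerabilities`) are assumed to match the npm 7+ audit report format; the embedded report and its package names are constructed placeholders, not real advisories.

```javascript
// Added example (not WET/GCWeb project code): summarise an `npm audit --json`
// report and decide whether a build should fail.
// Assumption: field names follow the npm 7+ audit JSON (auditReportVersion 2).
// The report below is constructed; package names are placeholders.
const SAMPLE_AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dep-a': {
      name: 'example-dep-a', severity: 'high', isDirect: true,
      via: [{ title: 'constructed advisory', severity: 'high', url: 'https://example.invalid/advisory/1' }],
      effects: [], range: '<1.2.3', nodes: ['node_modules/example-dep-a'], fixAvailable: true,
    },
    'example-dep-b': {
      name: 'example-dep-b', severity: 'low', isDirect: false,
      via: ['example-dep-c'], effects: ['example-dep-d'], range: '*',
      nodes: ['node_modules/example-dep-b'], fixAvailable: false,
    },
    'example-dep-c': {
      name: 'example-dep-c', severity: 'moderate', isDirect: false,
      via: [{ title: 'constructed advisory', severity: 'moderate', url: 'https://example.invalid/advisory/2' }],
      effects: ['example-dep-b'], range: '<2.0.0', nodes: ['node_modules/example-dep-c'],
      // npm reports an object here when the only fix is a semver-major bump
      fixAvailable: { name: 'example-dep-c', version: '2.0.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

// Ordering used for the gate; anything not listed here is ignored rather than crashing.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns per-severity counts, the findings that breach the threshold (direct
// dependencies first, then by descending severity) and an overall pass flag.
function summarizeAudit(report, failAt = 'high') {
  if (!(failAt in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${failAt}`);
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const blocking = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (!(v.severity in counts)) continue;
    counts[v.severity] += 1;
    if (SEVERITY_RANK[v.severity] >= SEVERITY_RANK[failAt]) {
      blocking.push({
        name: v.name,
        severity: v.severity,
        isDirect: Boolean(v.isDirect),
        // `fixAvailable` is true, false, or an object describing a major-version fix
        fixAvailable: v.fixAvailable !== false,
        semverMajorFix: typeof v.fixAvailable === 'object' && v.fixAvailable !== null && Boolean(v.fixAvailable.isSemVerMajor),
      });
    }
  }
  blocking.sort((a, b) =>
    (Number(b.isDirect) - Number(a.isDirect)) ||
    (SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]));
  return { counts, blocking, pass: blocking.length === 0 };
}

// Human-readable report for CI logs.
function formatSummary(summary, failAt) {
  const lines = [`npm audit gate (fail at: ${failAt}) -> ${summary.pass ? 'PASS' : 'FAIL'}`];
  for (const sev of Object.keys(SEVERITY_RANK)) lines.push(`  ${sev}: ${summary.counts[sev]}`);
  for (const b of summary.blocking) {
    const kind = b.isDirect ? 'direct' : 'transitive';
    const fix = b.fixAvailable ? (b.semverMajorFix ? 'fix needs major bump' : 'fix available') : 'no fix available';
    lines.push(`  ! ${b.name} (${b.severity}, ${kind}, ${fix})`);
  }
  return lines.join('\n');
}

// Usage: `npm audit --json | node audit-gate.js high`; with no piped input the
// constructed sample is used so the script runs stand-alone.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const failAt = process.argv[2] || 'high';
  const report = process.stdin.isTTY ? SAMPLE_AUDIT_REPORT : JSON.parse(fs.readFileSync(0, 'utf8'));
  const summary = summarizeAudit(report, failAt);
  console.log(formatSummary(summary, failAt));
  process.exitCode = summary.pass ? 0 : 1;
}
```

The threshold is deliberately a parameter: a team can start by failing only on `critical`, then tighten to `high` once the existing backlog is worked down, while the full per-severity counts stay visible in the log either way.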

@duboisp
Member

duboisp commented Jan 28, 2020

Thanks @RobJohnston for the info, I will add the SECURITY.md file to our project.

@jdoyle19 if the vulnerability is too sensitive to be posted on GitHub, you can send it to the Principal Publisher for my attention, or you can send it directly to me. You can find my info on gcconnex or you can send me an IM.

@GormFrank
Contributor

Thanks @RobJohnston for the info, I will add the SECURITY.md file to our project.

@duboisp Were you planning on adding this file?

Then, @jdoyle19, if you consider this issue completed, feel free to close it.

@GarthMartin

@RobJohnston I don't see the SECURITY.md file anywhere yet. Was this to be added?

@RobJohnston
Contributor

Apparently SECURITY.md hasn't been added yet. I wasn't going to do it... don't know what it should say.

@GarthMartin

Apparently SECURITY.md hasn't been added yet. I wasn't going to do it... don't know what it should say.

Sorry @RobJohnston, I misread the message above. @duboisp, it looks like you had indicated you would add the file. Any update on that? We have something security related that I need to pass on to you...
