WET potential security vulnerabilities #8794
Comments
There are some issues that have been open for a while, but have not been completed yet. Migration to jQuery 3 (WET 4) - #8557 MathJax - #8717 Also MathJax does have a minor update 2.7.4 and a major 3, but the major update is incomplete. @duboisp @GormFrank @EricDunsworth I am just a volunteer on this GitHub project.
Feel free to share your list of those vulnerabilities through this issue. We could work together to assess the legitimacy and proceed with a possible remediation.
While we're on the subject, I'm reading through the TBS publication released yesterday: Guide for Publishing Open Source Code. A recommended best practice is,
EDIT:
Aren't there hundreds of vulnerabilities of varying levels of severity in WET/GCWeb's build dependencies? Should be possible to view them all by running
Thanks @RobJohnston for the info, I will add the SECURITY.md file to our project. @jdoyle19 if the vulnerability is too sensitive to be posted on GitHub, you can send it to the Principal Publisher for my attention, or you can send it directly to me. You can find my info on gcconnex or you can send me an IM.
@duboisp Were you planning on adding this file? Then, @jdoyle19 if you consider this issue completed, feel free to close it.
@RobJohnston I don't see the SECURITY.md file anywhere yet. Was this to be added?
Apparently SECURITY.md hasn't been added yet. I wasn't going to do it... don't know what it should say.
Sorry @RobJohnston, misread the message above. @duboisp looks like you had indicated you would add the file. Any update on that? We have something security related that I need to pass on to you...
Hello,
Not sure if the Issues forum is the best place for this, but it's where I get sent for Questions/Comments.
As part of the development activities for our department, we leverage the Fortify security software to do vulnerability scans on our solutions. Given we use WET for a number of our applications, in some instances the Fortify solution identifies possible security vulnerabilities in the WET code. While I cannot say these represent legitimate vulnerabilities, we were wondering if the details of these vulnerabilities should be shared back to this community for review and possible remediation. If so, what would be the best process to do so?
Thanks in advance.