-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement version security checks #103
Comments
Currently it seems that only |
ignore cves list, remove some analyzers, more test for version ranges like >, some cpe vendors and products to updaters
…implement-version-security-checks # Conflicts: # cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
…e-with-open-intervals' into feature/devonfw#103-implement-version-security-checks # Conflicts: # cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
if a single warning affects all versions, it is ignored
also SecurityRiskInteraction returns configured version and latest version when possible. conversion between cpe and ulr version more rebust by using map and inverse function where map fails. Added asciidoc
- changed pom.xml - getCpeEdition now has argument, since there is only a single UrlUpdater for multiple editions of a tool - some cleanup
…evonfw#103-implement-version-security-checks # Conflicts: # cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java # cli/src/main/java/com/devonfw/tools/ide/version/BoundaryType.java # cli/src/main/java/com/devonfw/tools/ide/version/VersionRange.java # cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
- fixed pom bug - fixed bug in BuildSecurityJsonFiles due to moved method that was introduced in the merge of main into this branch
removed default getEdition override from tools changed getEdition to non abstract made getIntellijJsonRelease public
added dependencyManagement to root pom.xml added owasp version property to root pom.xml renamed security artifact to ide-security
…ty-checks # Conflicts: # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java # cli/src/test/resources/ide-projects/basic/_ide/urls/mvn/mvn/security.json
added missing answers param to newContext
fixed pom versions applied reformat
renamed retrievePath to getPath renamed addPath to setPath
added javadocs
removed warnings from security json
added missing CPE vendors/products
adjusted getCpeVendor and getCpeProduct to return the tool name instead of an empty string removed unused urlEdition param from getCpeEdition added workaround for intellij #1378 fixed NPE's (added checks for missing UrlUpdaters)
I've added a first batch of security files in this PR: devonfw/ide-urls#15 |
…ty-checks # Conflicts: # cli/pom.xml # cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java # cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java # cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java # documentation/LICENSE.adoc
added missing answers to IdeTestContext
renamed SAFE_LATEST to LATEST
After discussing this issue we have to answer following questions.
|
Definetly, yes.
There are general two options:
We started with the latter approach but already added too many CVEs with that and then questioned the entire approach. To be honest it does not seem an easy decision what would be the best way to go.
Yes, but most probably we want to stay with the OWASP one that is already integrated and open-source.
In the 2. case, we should give more freedom if we want to support the security analysis of a git code repository with the help of IDEasy. There we could integrate such tools and also support commerical ones. However, this is a totally different story. See e.g. https://github.com/devonfw/ide/issues/1278[ide#1278 (snyk)]
With the approach of the With all the complexity that arose in PR #190 and related aspects, I started questioning the entire approach.
Exactly a good question that is a big pro for option 1 and con of option 2. As I stated above, I therefore tend to go for option 1. |
As a IDEasy user, I want to get security warnings if I am using outdated software with critical known CVEs so that I can keep my software secure.
This is the devonfw-ide story 1106 to be implemented for IDEasy.
ATTENTION: There is a specialty for
git
that is not typically managed by IDEasy (what might change see #47). For this also have a look at the old PR implementing this story in devonfw-ide.The text was updated successfully, but these errors were encountered: