Hi devs,
In an effort to keep our users safe and thus get them to upgrade to XS versions that fix security issues, I’d like to propose the idea of developing an extension bundled in XS that would display somewhere (to be defined, see below for options) the list of security issues that exist for the current wiki.
The list would be computed using:
- The list of published advisories on GitHub (using GH’s REST API). See Repository security advisories - GitHub Docs
- The current wiki version. Note that even if the wiki has been patched to fix/work around a given security issue, it’ll still be listed since the wiki version will not have changed.
Some options/things to consider:
- Only list security issues having a CVSS > some value. For example 9 which represents critical issues. Optional: this score could be configurable.
- Where to display the warning
- Option 1: As an after-header UIX on all pages when the logged-in user has Admin rights
- Option 2: By introducing a new UIXP in the Admin UI (or revisiting the Admin UI home page which could be improved as it currently displays some icons, listing the same options as the vertical menu on the left).
- We’ll need to ensure that advisories use some syntax when defining the affected XWiki version since we’ll need to parse this field. Example of returned value:
"vulnerable_version_range": ">= 1.0.0, < 1.0.1"
WDYT?
Thanks
PS: FTR initially I was suggesting to include security disclosures as part of our What’s New feature, but after discussing with @MichaelHamann, I’ve agreed with him that displaying the list of advisories that apply to the current wiki is a better alternative.
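To make the matching step concrete, here is an added example (not code from the proposal or from XWiki) of the core logic such an extension would need: parsing the `vulnerable_version_range` field, comparing it against the running wiki version, and keeping only advisories above a CVSS threshold. The advisory records are constructed inline and are assumed to follow the field names of the GitHub repository-advisory REST response (`ghsa_id`, `summary`, `cvss.score`, `vulnerabilities[].vulnerable_version_range`); the GHSA ids are placeholders, and the version-ordering rules (pre-release suffixes such as `-rc-1` sort before the final release) are an assumption about XWiki version strings.

```python
import operator
import re
from typing import Any

# One constraint of a GitHub range, e.g. ">= 1.0.0" or "< 14.10.5".
_CONSTRAINT_RE = re.compile(r"^\s*(>=|<=|>|<|=)\s*([0-9A-Za-z.\-]+)\s*$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def parse_version(version: str) -> tuple:
    """Turn '14.10.5' or '15.0-rc-1' into a sortable key.

    Assumed ordering: numeric components compare numerically, trailing
    zeros are ignored ('14.10' == '14.10.0'), and any '-suffix' marks a
    pre-release that sorts before the plain release of the same number.
    """
    main, _, suffix = version.strip().partition("-")
    nums = tuple(int(p) for p in main.split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    # Suffix parts become (0, int) or (1, str) so ints never compare to strs.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                  for p in re.split(r"[.\-]", suffix) if p)
    return (nums, 0 if suffix else 1, parts)


def parse_range(range_str: str) -> list[tuple[str, str]]:
    """Parse ">= 1.0.0, < 1.0.1" into [('>=', '1.0.0'), ('<', '1.0.1')].

    Raises ValueError on anything that does not match the expected syntax,
    which is exactly the case the proposal says advisories must avoid.
    """
    constraints = []
    for piece in range_str.split(","):
        m = _CONSTRAINT_RE.match(piece)
        if not m:
            raise ValueError(f"unparsable version constraint: {piece!r}")
        constraints.append((m.group(1), m.group(2)))
    return constraints


def is_affected(wiki_version: str, range_str: str) -> bool:
    """True when wiki_version satisfies every constraint of the range."""
    key = parse_version(wiki_version)
    return all(_OPS[op](key, parse_version(v)) for op, v in parse_range(range_str))


def applicable_advisories(advisories: list[dict[str, Any]], wiki_version: str,
                          min_cvss: float = 9.0) -> list[dict[str, Any]]:
    """Advisories with CVSS >= min_cvss whose range covers wiki_version.

    An advisory whose range cannot be parsed is kept (flagged with
    'range_error') rather than silently dropped, so a syntax slip in an
    advisory fails towards showing the warning, not hiding it.
    """
    hits = []
    for adv in advisories:
        if float(adv.get("cvss", {}).get("score") or 0.0) < min_cvss:
            continue
        for vuln in adv.get("vulnerabilities", []):
            rng = vuln.get("vulnerable_version_range") or ""
            try:
                matched = is_affected(wiki_version, rng)
            except ValueError as exc:
                hits.append({**adv, "range_error": str(exc)})
                break
            if matched:
                hits.append(adv)
                break
    return hits


# Constructed sample records; GHSA ids are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "summary": "constructed critical issue",
     "cvss": {"score": 9.8},
     "vulnerabilities": [{"vulnerable_version_range": ">= 1.0.0, < 14.10.5"}]},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "summary": "constructed, newer branch only",
     "cvss": {"score": 9.9},
     "vulnerabilities": [{"vulnerable_version_range": ">= 15.0-rc-1, < 15.2"}]},
    {"ghsa_id": "GHSA-xxxx-xxxx-0003", "summary": "constructed, below threshold",
     "cvss": {"score": 5.3},
     "vulnerabilities": [{"vulnerable_version_range": ">= 1.0.0, < 14.10.5"}]},
    {"ghsa_id": "GHSA-xxxx-xxxx-0004", "summary": "constructed, fixed exactly here",
     "cvss": {"score": 9.1},
     "vulnerabilities": [{"vulnerable_version_range": "< 14.10.4"}]},
]

if __name__ == "__main__":
    for adv in applicable_advisories(SAMPLE_ADVISORIES, "14.10.4"):
        print(adv["ghsa_id"], adv["summary"], adv.get("range_error", ""))
```

Run against the constructed records with wiki version `14.10.4` and threshold 9.0, only the first advisory is reported: the second targets a later branch, the third is below the CVSS threshold, and the fourth's upper bound is exclusive. Note the caveat from the proposal still applies: this compares the declared version only, so a wiki that was patched in place without a version bump is still listed.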