Hello all,
In XWiki 15.5RC1 we released a first (MVP) version of the listing of security issues inside the wiki.
This listing contains only installed extensions (i.e., not core extensions). And, it is conveniently empty on 15.5RC1 (at least with a standard distribution).
We’d now like to also list core extensions. And, this brings some additional complexity. If we don’t do anything special, the following kinds of extensions will be listed:
- False positives. For instance we depend on xstream, which has known vulnerabilities. But, we know that we are not vulnerable.
- Libraries provided by the servlet engines (e.g., jetty, tomcat). They are accessible from the classpath, and can be used, but are not always in our control (except for the jetty demo archive, and the docker containers).
Having those extensions listed can convey a wrong message:
- in the case of false positives, it’s adding noise, and might lead to admins being needlessly afraid (remember log4j)
- in the case of core extensions, admins might have the false impression that fixing the servlet related vulnerabilities is our responsibility (which is not always the case)
For both cases, I can see several options:
- fully hide them
- List them in separate Live Data (LD) in the administration page (with some specific explanations above the LDs)
My initial impression is that we should apply option 1 to false positives, and option 2 to servlet libraries (as they can still be exploited from the wiki). But, I’d like to have your opinion.
Thanks
PS: We’ll also need to discuss where and how to define the list of false positives but that’s another topic.