Hello all,
The results below follow a discussion we had with @caubin, @lucaa, and @tmortagne.
Currently, the identified issues blocking the inclusion of the Security Vulnerabilities Application in XS are:
- the notification bell turns red as soon as a CVE is published, before we have time to review it
- the notification bell turns red even if there is nothing admins can do about it (i.e., there is no fix release)
This is leading to confusion for admins, who then turn to this forum or to commercial support for explanations.
The general idea is: only show the red bell when an upgrade action can actually be carried out by the admins:
- upgrading an extension from the EM
- upgrading the XWiki instance to a newer version
Proposed changes:
In the UI
- By default, CVEs without an applicable upgrade are hidden; a toggle allows making them visible
- Introduction of a configuration of the latest accepted version of the core:
  - default: empty, meaning all stable versions are accepted
  - LTS: all "x.10.z" versions are accepted
  - x.y.z: all versions up to x.y.z are accepted (this allows an instance admin to limit the notifications to a version range they control)
In the security scan
At the end of each scan, look for a compatible higher version in which the CVEs cannot be found.
To do so we first list all the direct dependencies which are directly or indirectly impacted by a CVE.
For each we check for the most recent compatible version, and propose to upgrade if at least one CVE is removed by the upgrade (we should list the CVEs actually removed by the upgrade and those that remain).
For installed extensions, we propose to upgrade manually through the EM.
- If this leads to changing the major version, a warning must be displayed
- If this leads to only a partial fix (i.e., some CVEs remain), a warning must be displayed
The notification bell turns red only if at least one extension is found with an applicable upgrade.
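To make the scan logic above concrete, here is a small model of it in Python (an added example, not XWiki code): the dependency names, version numbers and CVE ids are constructed, and "compatible" is simplified to "accepted by the configured version range".

```python
# Constructed sample data, not real XWiki or CVE records: for each direct
# dependency, the CVE ids still affecting each published version.
CVES_BY_VERSION = {
    "lib-a": {"1.2.0": {"CVE-0000-0001", "CVE-0000-0002"},
              "1.3.0": {"CVE-0000-0002"},
              "2.0.0": set()},
    "lib-b": {"3.1.0": {"CVE-0000-0003"}, "3.2.0": {"CVE-0000-0003"}},
}

def parse(version):
    return tuple(int(part) for part in version.split("."))

def accepted(version, cap=""):
    """Version-range setting from the proposal: '' accepts every stable
    version, 'LTS' only x.10.z, 'x.y.z' everything up to x.y.z inclusive."""
    if cap == "":
        return True
    if cap == "LTS":
        return parse(version)[1] == 10
    return parse(version) <= parse(cap)

def plan_upgrade(dependency, installed, cap=""):
    """Most recent accepted version above the installed one, proposed only
    if at least one CVE is removed; None means nothing to propose."""
    versions = CVES_BY_VERSION[dependency]
    current = versions[installed]
    candidates = [v for v in versions
                  if parse(v) > parse(installed) and accepted(v, cap)]
    if not candidates:
        return None
    target = max(candidates, key=parse)
    removed = current - versions[target]
    if not removed:
        return None
    plan = {"dependency": dependency, "installed": installed, "target": target,
            "removed": removed,                  # CVEs fixed by the upgrade
            "remaining": set(versions[target]),  # CVEs still present afterwards
            "warnings": []}
    if parse(target)[0] != parse(installed)[0]:
        plan["warnings"].append("major version change")
    if plan["remaining"]:
        plan["warnings"].append("partial fix")
    return plan

def bell_is_red(plans):
    """Red only when at least one dependency has an applicable upgrade."""
    return any(plan is not None for plan in plans)
```

With the sample data, "lib-a" gets a full fix with a major-version warning, the "1.9.9" cap turns that into a partial fix, and "lib-b" produces no proposal at all, so it never turns the bell red.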
Let me know if something else needs to be done in order to make this extension recommended again. And, of course, if you have some remarks or questions regarding this proposal.
PS: In addition to this technical proposal, I'll make some smaller proposals with textual explanations to make the UI more self-explanatory in the following days.
PS2: We will still keep the automated test we are currently running to keep upgrading dependencies as soon as possible, and document the false positives.