Source of CVEs for the security dashboard

mleduc · June 5, 2023, 1:09pm

In the context of the listing of known security issues, we need to choose the source we will query to retrieve the CVEs.

Proposed source https://osv.dev/

List of pros:

the maven ids are computed correctly
is is possible to query for issues in batch (minimizing the number of outgoing http queries)
it seems possible to keep using it even if we stop using github for our advisories (see FAQ | OSV)

Known limitations:

We don’t publish the artifact of xwiki-platform on maven central, it seems to lead to a failure of the impacted versions computation. Until this is fixes, we will not be able to query for a specific version of xwiki-platform maven modules. Instead, we will need to request for all CVEs of for a given maven id, and filter for the current version locally.

Other known source with an API: https://nvd.nist.gov/

WDYT?

Related discussions:

Related design page List security issues inside XS (Proposal.ListSecurityIssuesInsideXS) - XWiki

surli · June 5, 2023, 1:14pm

Just to clarify: you’re not planning to base any API of the new module for listing security vulnerabilities on this source right? There will be just a component for fetching the data and for converting the results to a dedicated format defined by our own APIs: so if we need to switch to another source we can just implement another component.

Based on that +1 to start by implementing osv.dev as our primary source. In case of problem in the future, we could always implement another one to use NVD for example.

mleduc · June 5, 2023, 1:16pm

Yes, there will be a level of encapsulation to make it easier to switch to another source.
But it’s always better to start with the right source and avoid switching to another one later

tmortagne · June 5, 2023, 1:19pm

+1

vmassol · June 6, 2023, 1:15pm

Sounds good to me, thanks.

<a bit offtopic but somewhat related>
Note that when the source is available we need to properly display it in the UI (for example with a “Last update” date/time and some error icon in case of an error, which can be clicked by the user to see the error text). Also, we need to be able to disable the feature in the Admin UI in case the source URL is blacklisted or not available (which is the case in an XWiki installed offline with no access to internet for example).
</a bit offtopic but somewhat related>

mleduc · June 7, 2023, 9:33am

FYI, confirmed by the maintainers

I can confirm the reason why those modules do not appear on deps.dev is because we presently only index the Maven Central, Jenkins, and Google registries. We’re working on support for other registries. We’ll let you know as soon as this is possible.

mleduc · June 19, 2023, 2:31pm

Thanks for your inputs. https://osv.dev is now used as the security vulnerability source for Loading...

MichaelHamann · August 3, 2023, 1:59pm

I know this has been implemented already, but I’ve just seen that there is a new alternative: There is a very new REST API on GitHub to get security advisories, see Get global security advisories via REST API - The GitHub Blog. I tested it and it seems to support getting advisories for specific versions of packages even for xwiki-platform:

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  'https://api.github.com/advisories?ecosystem=maven&affects=org.xwiki.platform:xwiki-platform-livetable-ui@15.1'

This gives me exactly one advisory, which is Obfuscated email addresses should not be sorted · CVE-2023-38509 · GitHub Advisory Database · GitHub which I think is accurate so it seems like this fixes the limitation we currently have with the osv.dev API.

mleduc · August 17, 2023, 7:19am

Thanks for the update. I’ve created Loading... for this.