
[GHSA-j24h-xcpc-9jw8] Add org.eclipse.core.resources and org.eclipse.help as affected #4862

Conversation

@github-actions github-actions bot changed the base branch from main to guidobonomi/advisory-improvement-4862 October 2, 2024 11:11
@guidobonomi guidobonomi changed the title Add org.eclipse.core.resources and org.eclipse.help as affected by GHSA-j24h-xcpc-9jw8 [GHSA-j24h-xcpc-9jw8] Add org.eclipse.core.resources and org.eclipse.help as affected Oct 2, 2024
@darakian
Contributor

darakian commented Oct 2, 2024

Hey @guidobonomi, thanks for the PR but can I ask for a few more details? How are those packages being marked as vulnerable?

@guidobonomi
Author

guidobonomi commented Oct 3, 2024

hey @darakian, here are the links to the eclipse advisory:

A bunch of eclipse libraries are affected by this vulnerability. While some other sources properly report these two additional packages as vulnerable (i.e. maven), some report these packages as vulnerable but erroneously report the IDE version as the fix version - like Gitlab here for org.eclipse.core.resources, where it erroneously reports 4.29 as the fix version while it should be 3.19.100 (as also per maven & sonatype ossindex), while version 3.19.0 of core.resources is affected as per maven & sonatype ossindex.

Here we are already reporting the proper vulnerable packages like org.eclipse.platform:org.eclipse.platform < 4.29.0, but we are missing the 2 packages in the scope of this PR. I hope this helps.

@darakian
Contributor

darakian commented Oct 3, 2024

You're gonna have to help me out a little more. I'm not seeing anything in either https://gitlab.eclipse.org/security/cve-assignement/-/issues/8 or https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 that seems to indicate that org.eclipse.platform:org.eclipse.core.resources or org.eclipse.platform:org.eclipse.help are affected.

Is there a particular commit/PR/comment that I should be reading?


👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Oct 19, 2024
@guidobonomi
Author

guidobonomi commented Oct 21, 2024

hey @darakian, I am struggling a bit to understand which kind of info can help here. As a reference, can you please advise what info has been reported to flag org.eclipse.platform:org.eclipse.core.runtime < 3.29.0 for this vuln?

@darakian
Contributor

Sure, it looks like this commit eclipse-platform/eclipse.platform@5dc372a is the origin for the core runtime artifact.

@github-actions github-actions bot removed the Stale label Oct 22, 2024

github-actions bot commented Nov 7, 2024

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Nov 7, 2024
@github-actions github-actions bot closed this Nov 22, 2024