-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-j24h-xcpc-9jw8] Add org.eclipse.core.resources and org.eclipse.help as affected #4862
Conversation
guidobonomi
commented
Oct 2, 2024
- core.resources is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.core.resources/3.19.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.core.resources/3.19.0
- help is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.help/3.10.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.help/3.10.0
Hey @guidobonomi, thanks for the PR but can I ask for a few more details? How are those packages being marked as vulnerable? |
hey @darakian, here the links to the eclipse advisory:
A bunch of eclipse libraries are vulnerable by this vulnerability. While some other sources properly report these two additional packages as vulnerable (i.e. maven), some reports these packages as vulnerable but erroneously reports the IDE version as fix version - like Gitlab here for Here we are already reporting the proper vulnerable packages like |
You're gonna have to help me out a little more. I'm not seeing anything in either https://gitlab.eclipse.org/security/cve-assignement/-/issues/8 or https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 that seems to indicate that Is there a particular commit/PR/comment that I should be reading? |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
hey @darakian I am struggling a bit understanding which kind of info can help here. As a reference, can you please advise which info have been reported to flag |
Sure, it looks like this commit |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |