Description
devonfw-ide already does a great job of automating tool installations and meanwhile supports automatic updates to recent versions.
However, IT security is getting more and more important. As recent vulnerabilities like CVE-2022-23521 and CVE-2022-41903 show, it would be great if devonfw-ide could automatically warn users if they are using outdated and vulnerable software. In the case of the specified CVEs it would be git that is affected, which is about the only tool we do not install and manage. However, during setup we could check the version and raise a fat red warning if the version is vulnerable. Also, projects can and, for stability, also want to pin the versions of tools to get a reliable and reproducible environment for their team. So, to spin this further, it would be great if in the context of #941 we could introduce some kind of configuration file that marks versions that are vulnerable. So we could add the tool and edition for git as `git/git/security` with something like:
```
>2.39.0
```
So when we set up a tool (or, for git, when we set up the IDE itself) we can check the installed version and test whether that version is marked as vulnerable. In that case we would render a fat red warning to the end user, notifying them to take action:
```
******** ATTENTION ********
You are using the tool git in version 2.38.0 that has vulnerabilities. Please update the tool to stay safe and secure.
For further details and recent information have a look at the following webpage:
https://github.com/devonfw/ide/blob/master/documentation/vulnerabilities.asciidoc
```
Obviously we would also create this asciidoc documentation page, explaining how to update git, how to update tools maintained by devonfw-ide, and how to proceed depending on your team role (a developer should inform the IDE admin or provide a PR for the settings, while a settings admin should directly push the change and inform the team to run `devon ide update`).
To explain an advanced use case: suppose a tool maintains several major versions and vulnerabilities only apply to 1.x versions up to 1.11.0 and to 2.x versions up to 2.0.23. Then we can write this to the security file:
```
1.0>1.11.0
2.0>2.0.23
```
This would mean that the versions 1.0-1.11.0 and 2.0-2.0.23 are considered vulnerable.
If we instead write this:
```
>1.11.0
2.0>2.0.23
```
This would mean that the versions 0-1.11.0 and 2.0-2.0.23 are considered vulnerable, so 0.x versions are included as well.
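As an added illustration (not code from devonfw-ide), a small Python checker for the proposed security file format: it parses `[min]>max` lines, treats an omitted minimum as 0, and reports which range covers an installed version. Assumptions: both bounds are inclusive (so `>2.39.0` still flags 2.39.0 itself), trailing `#` comments are permitted, and non-numeric version suffixes such as `.windows.1` or `-rc1` are ignored.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'2.38.0' -> (2, 38, 0); stops at the first non-numeric part ('windows', 'rc1')."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", text.strip()):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(nums)

def cmp(a: Version, b: Version) -> int:
    """Compare with implicit trailing zeros, so 2.0 == 2.0.0 and 2.0 < 2.0.23."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_security_file(content: str) -> List[Tuple[Version, Version, str]]:
    """Each non-empty line is '[min]>max'; an omitted min means 0, so '>2.39.0' also covers 0.x."""
    ranges = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # trailing comments allowed (assumption)
        if not line:
            continue
        if line.count(">") != 1:
            raise ValueError(f"line {lineno}: expected '[min]>max', got {raw!r}")
        lo, hi = line.split(">")
        lo_v = parse_version(lo) if lo.strip() else (0,)
        hi_v = parse_version(hi)
        if cmp(lo_v, hi_v) > 0:
            raise ValueError(f"line {lineno}: min {lo} lies above max {hi}")
        ranges.append((lo_v, hi_v, line))
    return ranges

def vulnerable_range(installed: str, content: str) -> Optional[str]:
    """The security-file line covering 'installed', or None. Assumption: bounds are inclusive."""
    v = parse_version(installed)
    for lo, hi, line in parse_security_file(content):
        if cmp(lo, v) <= 0 and cmp(v, hi) <= 0:
            return line
    return None

GIT_SECURITY = ">2.39.0\n"  # constructed sample file: git up to 2.39.0 is marked vulnerable
```

`vulnerable_range("2.38.0", GIT_SECURITY)` returns `">2.39.0"`, which is the line the warning shown above would quote; `"2.39.1.windows.1"` returns `None`.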