Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement version security checks #103

Open
hohwille opened this issue Oct 17, 2023 · 4 comments · May be fixed by #119
Open

Implement version security checks #103

hohwille opened this issue Oct 17, 2023 · 4 comments · May be fixed by #119
Labels
enhancement New feature or request

Comments

@hohwille
Copy link
Member

hohwille commented Oct 17, 2023

As a IDEasy user, I want to get security warnings if I am using outdated software with critical known CVEs so that I can keep my software secure.

This is the devonfw-ide story 1106 to be implemented for IDEasy.

ATTENTION: There is a specialty for git that is not typically managed by IDEasy (what might change see #47). For this also have a look at the old PR implementing this story in devonfw-ide.

@hohwille hohwille added the enhancement New feature or request label Oct 17, 2023
@hohwille hohwille added this to the release:2024.01.001 milestone Oct 17, 2023
@github-project-automation github-project-automation bot moved this to 🆕 New in IDEasy board Oct 17, 2023
@MattesMrzik MattesMrzik self-assigned this Oct 24, 2023
@MattesMrzik MattesMrzik moved this from 🆕 New to 🏗 In progress in IDEasy board Oct 24, 2023
@MattesMrzik
Copy link
Contributor

MattesMrzik commented Oct 25, 2023

Currently it seems that only VersionRange entries are allowed inside the security file. Should we also allow a VersionIdentifier? Should there also be a commandlet that lets you add versions to the security file?

MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 15, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 16, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Nov 24, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 5, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 6, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 14, 2023
 ignore cves list, remove some analyzers, more test for version ranges like >, some cpe vendors and products to updaters
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
…implement-version-security-checks

# Conflicts:
#	cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
…e-with-open-intervals' into feature/devonfw#103-implement-version-security-checks

# Conflicts:
#	cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 19, 2023
if a single warning affects all versions, it is ignored
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 21, 2023
also SecurityRiskInteraction returns configured version and latest version when possible.

conversion between cpe and ulr version more rebust by using map and inverse function where map fails.

Added asciidoc
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 22, 2023
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Dec 22, 2023
 - changed pom.xml
 - getCpeEdition now has argument, since there is only a single UrlUpdater for multiple editions of a tool
 - some cleanup
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 2, 2024
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 2, 2024
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
…evonfw#103-implement-version-security-checks

# Conflicts:
#	cli/src/main/java/com/devonfw/tools/ide/url/updater/UpdateManager.java
#	cli/src/main/java/com/devonfw/tools/ide/version/BoundaryType.java
#	cli/src/main/java/com/devonfw/tools/ide/version/VersionRange.java
#	cli/src/test/java/com/devonfw/tools/ide/version/VersionRangeTest.java
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
MattesMrzik added a commit to MattesMrzik/IDEasy that referenced this issue Jan 20, 2024
- fixed pom bug
- fixed bug in BuildSecurityJsonFiles due to moved method that was introduced in the merge of main into this branch
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
removed default getEdition override from tools
changed getEdition to non abstract
made getIntellijJsonRelease public
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 19, 2024
added dependencyManagement to root pom.xml
added owasp version property to root pom.xml
renamed security artifact to ide-security
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
…ty-checks

# Conflicts:
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
#	cli/src/test/resources/ide-projects/basic/_ide/urls/mvn/mvn/security.json
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
added missing answers param to newContext
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 22, 2024
fixed pom versions
applied reformat
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
renamed retrievePath to getPath
renamed addPath to setPath
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 23, 2024
removed warnings from security json
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 26, 2024
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
added missing CPE vendors/products
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
adjusted getCpeVendor and getCpeProduct to return the tool name instead of an empty string
removed unused urlEdition param from getCpeEdition
added workaround for intellij #1378
fixed NPE's (added checks for missing UrlUpdaters)
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Feb 29, 2024
@jan-vcapgemini
Copy link
Contributor

I've added a first batch of security files in this PR: devonfw/ide-urls#15

jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
…ty-checks

# Conflicts:
#	cli/pom.xml
#	cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java
#	cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
#	cli/src/test/java/com/devonfw/tools/ide/context/AbstractIdeContextTest.java
#	documentation/LICENSE.adoc
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
added missing answers to IdeTestContext
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
jan-vcapgemini added a commit to MattesMrzik/IDEasy that referenced this issue Apr 2, 2024
renamed SAFE_LATEST to LATEST
@jan-vcapgemini
Copy link
Contributor

jan-vcapgemini commented Apr 10, 2024

After discussing this issue we have to answer following questions.

  • Should we use these CVE's to decide internally if a tool version is to be considered as good or bad (based on the severity of its CVE's)?
  • Should the severity threshold be adjustable by the user of IDEAsy?
  • Are there different CVE tools which can check at runtime if a tool version is not safe?
  • What about identically CVE's in different versions of the same tool?
  • What about modified CVE descriptions, how to handle the diffs and where?

@hohwille hohwille removed this from the release:2024.03.001 milestone May 21, 2024
@hohwille hohwille moved this from 🏗 In progress to Research in IDEasy board May 21, 2024
@hohwille hohwille self-assigned this Aug 20, 2024
@hohwille
Copy link
Member Author

hohwille commented Aug 20, 2024

Should we use these CVE's to decide internally if a tool version is to be considered as good or bad (based on the severity of its CVE's)?

Definetly, yes.

Should the severity threshold be adjustable by the user of IDEasy?

There are general two options:

  • We use the standard OWASP tool directly inside IDEasy to check for CVEs. This will imply that before every tool download the entire CVE database has to be updated what takes time and slows down the process. However, this will give lots of flexibility (user can then configure the severity threshold and this question is to be answered with "yes") and most recent CVEs and most accurate results.
  • We have an internal process that does the CVE checks in our UpdateURLs workflow every night. The end user only deals with security.json files that we add to ide-urls repository and works independent of OWASP tooling. Here I thought of a fixed severity threshold that is rather high to avoid annoying warnings to every user - Then the answer is "no". What has been implemented is however containing the severities and that seems smarter since this way we can implement such user-configuration so the answer would also be "yes" then. However, this will also mean that our security.json files will grow large and update frequently, what I initially wanted to avoid (if a user wants to check a tool version, we need to pull ide-urls and if that has not happened for a while, it will pull a lot of changes and that takes time. Also the initial clone will then take long).

We started with the latter approach but already added too many CVEs with that and then questioned the entire approach.
As you can see in https://github.com/devonfw/ide-urls/pull/15/files we are somehow duplicating the CVE database for our tools and add a complex process transforming the CVE database to our own format. The benefit is obviously that we only need to download the CVEs for the tools we care about what is probably 1% or less of the CVE database that contains all software worldwide.

To be honest it does not seem an easy decision what would be the best way to go.
I still see pros and cons in both approaches.
However, after revisiting everything, I tend for the first option. We can make it configurable and therefore potentially could even allow the security check to be switched off saving performance (wait times for CVE DB).
If we go for it, we could still integrate OWASP tooling directly into IDEasy as maven dependency increasing our code base or we could do it as a local or global tool. Then we would first install that owasp-dependency-check tool and from that point on, use it and just ask it if «tool» + «edition» + «version» is fine or there are CVEs that should prevent the installation or at least require user-confirmation. The tighter integration would allow direct processing of the found CVEs, threshold filtering, and more control of what we display to the end-user and what questions to ask or options to give. However, if the CVE-DB format changes or the library itself is buggy or has security flaws, we are responsible and need to implement changes and deploy updated releases while if we call the tool as something external (black-box), we have less such responsibility.

Are there different CVE tools which can check at runtime if a tool version is not safe?

Yes, but most probably we want to stay with the OWASP one that is already integrated and open-source.
There are also other tools with advanced features that require a commercial license.
I distinguish two totally different aspects:

  1. Analyze IDEasy and the tools it installs for a project
  2. Analyze the product that some project is building and that project team may happen to use IDEasy.

In the 2. case, we should give more freedom if we want to support the security analysis of a git code repository with the help of IDEasy. There we could integrate such tools and also support commerical ones. However, this is a totally different story. See e.g. https://github.com/devonfw/ide/issues/1278[ide#1278 (snyk)]

What about identically CVE's in different versions of the same tool?

With the approach of the security.json we more or less wanted to define versions/-ranges that are "bad" (that is what devonfw-ide supported with security files and what I planned to reimplement in IDEasy).
Only for information and curiosity of the user, we wanted to give further details.
However, with PR #190 we took various rounds how the structure of security.json should be.
Current state is that somehow there are entries for version ranges but those only refer to a specific CVE (but since it is only a String it could also be multiple CVEs or we could redesign to a JSON array).

With all the complexity that arose in PR #190 and related aspects, I started questioning the entire approach.
Should we instead integrate OWASP dependency check directly (option 1) instead of creating our own dependency.json format managed in ide-urls (option 2 and original design)?

What about modified CVE descriptions, how to handle the diffs and where?

Exactly a good question that is a big pro for option 1 and con of option 2.
Original plan was that then security.json file will be updated by rerunning our tool and diff gets distributed to the users.

As I stated above, I therefore tend to go for option 1.
My suggestion would be to do a first PoC to see if that can be done rather easily and works well without blocking the user with hours of CVE-DB downloads, etc. - created story #547 for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: Refinement
Development

Successfully merging a pull request may close this issue.

3 participants