I don't have advice for security auditing tools/techniques, but think
it's a good idea. Anything we can do to make Fluo better is a good
thing.

As for JCommander, specifically, I know Accumulo has an outstanding
issue to update to the latest JCommander (though I'm not sure if that
issue got migrated to GitHub issue tracker from JIRA)... but I think
there were some breaking changes that prevented us from doing so. I'm
not sure which version Fluo uses, if any, or if it is up-to-date or
not, but that might be worth looking into. It doesn't help much if
bugs are fixed in our dependencies, after all, if we don't update to
use those newer versions.

On Mon, Dec 16, 2019 at 1:12 AM Kenneth McFarland
<glorifiedcalcula...@gmail.com> wrote:
>
> Awesome work.
>
> On Sun, Dec 15, 2019, 8:02 PM Joseph Koshakow <kosh...@gmail.com> wrote:
>
> > JCommander closed the issue.
> > -Joe
> >
> > On Sun, Dec 15, 2019 at 8:35 PM Joseph Koshakow <kosh...@gmail.com> wrote:
> >
> > > The comments on that JCommander issue seem to indicate that the issue was
> > > resolved but never closed. I looked at
> > > https://github.com/cbeust/jcommander/blob/master/build.gradle.kts and it
> > > seems like they now use https for sonatype which is where the issue
> > > originated from. I left a comment on their issue to confirm with the
> > > developers if it was resolved.
> > >
> > > I have a PR open that upgrades us to JCommander version 1.78 (
> > > https://github.com/apache/fluo/pull/1083/files) which is the most recent
> > > in maven. Hopefully that resolves the issue for us.
> > >
> > > -Joe
> > >
> > > On Sat, Dec 14, 2019 at 12:23 PM Kenneth McFarland <
> > > kennethmcfarl...@apache.org> wrote:
> > >
> > >> Here is a small example I found very fast out of curiosity. Jcommander is
> > >> susceptible to MITM.
> > >>
> > >> https://github.com/cbeust/jcommander/issues/465
> > >>
> > >> This is still open afaik. I'll be digging more for things like zipslip etc
> > >> and transient vulns. I still would appreciate any advice.
> > >>
> > >> Auditing Fluo will probably mean inspecting other projects more
> > >> than Fluo itself.
> > >>
> > >> On Fri, Dec 13, 2019, 11:27 AM Kenneth McFarland <
> > >> kennethmcfarl...@apache.org> wrote:
> > >>
> > >> > Hi guys,
> > >> >
> > >> > I have found I'm pretty interested in security.
> > >> >
> > >> > I'd like to get some experience with Fluo and its dependencies, auditing
> > >> > them. I'm doing my own research but it's always best to leverage others'
> > >> > experience.
> > >> >
> > >> > If you have any good references, advice or tips for me please let me know.
> > >> > I'll also be looking through the commit logs and checking accumulo.
> > >> >
> > >> > I wasn't sure where else to ask this since it's not really an issue until
> > >> > something is found. Thanks!
> > >> >
> > >> > Kenny
> > >> >
> > >>
> > >
> >

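The JCommander issue discussed in this thread came down to a build pulling artifacts over plain http://, which can be tampered with in transit; that is the kind of thing a dependency audit can check mechanically. As an added example (not code from Fluo, Accumulo or JCommander), the following Python scanner flags http:// repository URLs in pom.xml and Gradle build files; the sample build files and their .invalid hostnames are constructed for illustration.

```python
# Added example, not code from Fluo or JCommander; sample build files below
# are constructed and use placeholder (.invalid) hostnames.
import re
import xml.etree.ElementTree as ET

POM_REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}
# Any quoted string starting with http:// in a Groovy or Kotlin Gradle script.
GRADLE_HTTP_RE = re.compile(r"""["'](http://[^"'\s]+)["']""")

def insecure_repo_urls_pom(pom_text):
    """Return the <url> of every repository-style element that uses http://."""
    found = []
    for elem in ET.fromstring(pom_text).iter():
        if elem.tag.rsplit("}", 1)[-1] not in POM_REPO_TAGS:  # strip {namespace}
            continue  # so <project><url> and <scm><url> are not flagged
        for child in elem:
            url = (child.text or "").strip()
            if child.tag.rsplit("}", 1)[-1] == "url" and url.lower().startswith("http://"):
                found.append(url)
    return found

def insecure_repo_urls_gradle(gradle_text):
    """Return every quoted http:// URL in build.gradle / build.gradle.kts."""
    return GRADLE_HTTP_RE.findall(gradle_text)

def scan_build_file(filename, text):
    """Pick the parser by file name; returns plaintext repository URLs found."""
    if filename.endswith("pom.xml"):
        return insecure_repo_urls_pom(text)
    if filename.endswith((".gradle", ".gradle.kts")):
        return insecure_repo_urls_gradle(text)
    return []

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>http://example.invalid/project</url>
  <repositories>
    <repository><id>snap</id><url>http://repo.example.invalid/snapshots</url></repository>
    <repository><id>rel</id><url>https://repo.example.invalid/releases</url></repository>
  </repositories>
</project>"""
SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url = uri("http://oss.example.invalid/snapshots") }
    maven { url "https://oss.example.invalid/releases" }
}"""

if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.gradle.kts", SAMPLE_GRADLE)):
        print(name, scan_build_file(name, text))
```

Run it over each build file in a checkout (including those of transitive dependencies you build from source); any URL it reports should be switched to https:// or removed.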