Thanks for the feedback chaps. Lewis, the report is broken down into CVEs and the tool's likelihood of the stuff it detected being accurate.

I think some stuff is pretty obvious, take for example Apache Commons Collections, that had a Java serialization bug that allowed for remote code execution in 3.2.1 but is fixed in 3.2.2 (https://commons.apache.org/proper/commons-collections/security-reports.html) and the issue has been in the wild since 2015. We can tackle simple stuff like this just by shipping an updated version, I assume 3.2.1 to 3.2.2 shouldn't prove too arduous an update.

Others like CVE-2016-6809 need a bit more digging as their severity is high but confidence low, but it turns out Tika did have a MATLAB exploit that seemingly got addressed in 1.14.

As I said, I'm not looking to run out there and ship a big release to fix all of these, but it's worth addressing as we move forward.

Tom

On Mon, Sep 11, 2017 at 5:31 PM, Sean Kelly <[email protected]> wrote:
> Huh. That's a nifty tool.
>
> A little frightening.
>
> --k
>
>> Tom Barber <mailto:[email protected]>
>> 2017-09-9 at 8.03 a
>>
>> Hi folks
>>
>> This isn't supposed to be an alarmist email, but quite enlightening all
>> the same.
>>
>> I saw a link to a plugin on the Drill mailing list called Dependency Check
>> Report so I wired it into my OODT repo amongst others to see what was
>> flagged up since the Struts fallout.
>>
>> Anyway, of course it's unlikely but not out of the question to run OODT
>> fronting on to the interwebs so I think this is decent food for thought as
>> to why it's useful to keep dependencies up to date as much as possible.
>>
>> Here's a selection of the output:
>>
>> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
>> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
>> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
>> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>>
>> Of course there is a bunch of repetition in there and plenty that aren't
>> over the top severe, some may also be false positives, but as we work
>> through to OODT 2.0 with the new stuff and chopping out the old stuff,
>> reducing these as much as possible I would posture.
>>
>> Tom
>>
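For anyone wanting to reproduce the two steps discussed in the thread (wiring the OWASP Dependency-Check plugin into a Maven build, and forcing the patched commons-collections release), here is an added pom.xml fragment. It is an illustration, not OODT's own build configuration and not something posted in the thread; the plugin version, the CVSS threshold and the suppression file path are assumptions, and the Dependency-Check plugin coordinates and the `check` goal are the real ones.

```xml
<!-- Added example, not from the OODT build or the thread: a pom.xml
     fragment that runs OWASP Dependency-Check on every build and pins
     the fixed commons-collections release. Plugin version, threshold
     and suppression file path are assumptions. -->
<project>
  <!-- ... other project settings ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Force every module, including transitive pull-ins, onto the
           fixed release; 3.2.1 carries the deserialization gadget chain
           referenced in the Commons Collections security report. -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Assumed version; use whatever the current release is. -->
        <version>3.0.2</version>
        <configuration>
          <!-- Fail the build when any finding scores CVSS 7 or higher
               (assumed threshold); lower scores still land in the
               HTML report for triage. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Triaged false positives are recorded here with a reason
               rather than being ignored by hand (assumed path). -->
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- "check" scans and then applies failBuildOnCVSS;
                   it binds to the verify phase by default. -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` produces the same per-module HTML report the thread links to and fails the build on anything at or above the threshold. To confirm the pin actually took effect across modules, `mvn dependency:tree -Dincludes=commons-collections` should show only 3.2.2; any 3.2.1 left in the tree means a module declares its own version and also needs the managed one.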
