So, there is this article: https://ostif.org/dataformatsdatatypes-audit-complete/

which goes over the results of the recent, second round of security audits done by OSTIF and AdaLogics. I thought it might be of interest to anyone interested in software security (including supply-chain attack aspects).

It is pretty cool to work with experts in this area, and the investigation uncovered a few issues, most of which were fixed almost as quickly as they were uncovered. And although many were not (in my opinion) necessarily important security concerns (such as, say, the Ion format module throwing NPEs on invalid content), practically all were things that were good to fix (to report invalid content with an actual meaningful declared exception type, for example).

I also think it is great to have external validation/verification of security aspects: due to the size and complexity of the Jackson codebase, the authors are not always best at identifying problem areas. So it is invaluable to have extra pairs of eyes and new toolsets to drill into potential problem areas.

Anyway, I thought that since this will probably do circles around OSS software security circles, it's good to share ASAP.

-+ Tatu +-

--
You received this message because you are subscribed to the Google Groups "jackson-dev" group. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/CAL4a10i1eE%3D98JqROZDXih52OHKOPrGCuHTox0oKBq%2B4i1UrSQ%40mail.gmail.com.
