GitHub team,

I recently noticed that many vulnerabilities reported for BouncyCastle over in the Maven ecosystem might be missing the full set of affected packages. One possible (unconfirmed!) example is GHSA-r97x-3g8f-gx3m, which only shows the packages org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 as affected for versions >= 1.51, < 1.56.

However, wandering over to https://www.bouncycastle.org/latest_releases.html I can see that there's a staggering number of different jar files for every published version for a variety of configurations. I count at least 35 in the signed JAR table alone, not even including the unsigned providers with debug information. Many of these seem to be published to Maven Central, e.g. https://mvnrepository.com/artifact/org.bouncycastle

Would it make sense to have some automation (and/or auditing) on the GitHub side to detect multi-published packages such as these and correct the entries to avoid potential risks being missed?

It seems to be most common in the Java ecosystem, but it exists in other ecosystems too. Over in JavaScript land, Lodash is another great example: lodash, lodash-es, lodash-amd, babel-plugin-lodash, the per-method packages such as lodash.throttle, etc.
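One shape the proposed audit could take, as an added example that is not part of the post above and not GitHub's or BouncyCastle's own tooling: read an advisory in the OSV JSON format that the advisory database exports, look up each affected package in a hand-maintained map of "sibling" artifacts (coordinates built from the same source tree), and report siblings the advisory never mentions. The sibling map, the advisory object and its identifier are constructed for the example; the BouncyCastle coordinates in it are illustrative, and a flagged sibling is a candidate for a human to check, not a confirmed affected package. A second check flags affected entries whose version ranges differ from each other, since siblings cut from one source tree would normally share a range.

```python
"""Flag sibling artifacts that an advisory's affected list may be missing.

Added example, not code from the discussion or from GitHub's advisory tooling.
Input is an OSV-format advisory (the fields used here, affected[].package.name,
affected[].package.ecosystem and affected[].ranges, are part of the OSV schema).
"""
import json

# Constructed sibling groups (assumption, not an authoritative inventory):
# Maven coordinates or npm names believed to be built from the same source.
SIBLING_GROUPS = {
    "bouncycastle-provider": {
        "org.bouncycastle:bcprov-jdk14",
        "org.bouncycastle:bcprov-jdk15",
        "org.bouncycastle:bcprov-jdk15on",
        "org.bouncycastle:bcprov-jdk16",
        "org.bouncycastle:bcprov-ext-jdk15on",
    },
    "lodash": {"lodash", "lodash-es", "lodash-amd", "lodash.throttle"},
}

# Constructed OSV-style advisory modelled on the shape described in the post
# (two bcprov artifacts, one range). The id is a placeholder, not a real GHSA.
_RANGE = [{"type": "ECOSYSTEM",
           "events": [{"introduced": "1.51"}, {"fixed": "1.56"}]}]
ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "affected": [
        {"package": {"ecosystem": "Maven",
                     "name": "org.bouncycastle:bcprov-jdk14"},
         "ranges": _RANGE},
        {"package": {"ecosystem": "Maven",
                     "name": "org.bouncycastle:bcprov-jdk15"},
         "ranges": _RANGE},
    ],
}


def affected_names(advisory):
    """Package names the advisory already lists as affected."""
    return {entry["package"]["name"] for entry in advisory.get("affected", [])}


def missing_siblings(advisory, groups):
    """For every sibling group the advisory touches, return the members it
    does not list. Groups the advisory never touches are not reported."""
    listed = affected_names(advisory)
    gaps = {}
    for label, members in groups.items():
        if members & listed:          # advisory names at least one sibling
            gap = members - listed    # ...but not these ones
            if gap:
                gaps[label] = sorted(gap)
    return gaps


def ranges_consistent(advisory):
    """True when every affected entry carries an identical set of ranges.
    A mismatch between siblings is worth a look, not automatically wrong."""
    canon = {json.dumps(entry.get("ranges", []), sort_keys=True)
             for entry in advisory.get("affected", [])}
    return len(canon) <= 1


def audit(advisory, groups):
    """Human-readable findings for one advisory; empty list means nothing to check."""
    findings = []
    for label, gap in missing_siblings(advisory, groups).items():
        findings.append(f"{advisory['id']}: {label} siblings not listed: "
                        + ", ".join(gap))
    if not ranges_consistent(advisory):
        findings.append(f"{advisory['id']}: affected entries have differing "
                        "version ranges")
    return findings


if __name__ == "__main__":
    for line in audit(ADVISORY, SIBLING_GROUPS):
        print(line)
```

Running this over a real advisory export is a matter of replacing `ADVISORY` with `json.load()` of the exported file; the sibling map is the part that needs curation, which is the same curation a human reviewer of these advisories is doing by hand today.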