How to handle security alerts

[cweitkamp]

Two days ago a security alert popped up in my notifications (see https://github.com/openhab/openhab-core/network/alert/bom/runtime/pom.xml/org.eclipse.jetty:jetty-server/open). How should we handle those alerts? Upgrade our dependency? Or ignore them for the moment?

[wborn]

I'd be all for upgrading because we already use Karaf 4.2.2 with the Jetty version that doesn't have this vulnerability in openHAB 2.5.0 (#458). It got downgraded again when ESH got merged (#467 (comment)). We might as well upgrade it straight to Karaf 4.2.4 which got released March 18th.

[maggu2810]

It depends if it is about a runtime dependency or a compile time one.

In the following example let's talk about minor version bumps WRT to semver:
We compile against a specific version x and so get a minimum requirement.
So, a product needs to use at least version x but is free to use a higher version.
If version x is vulnerable it does not care on compile time and the products are still free to use version y that is fixed at runtime.
Sure, you can bump the minimum requirement to version y -- but why?
Our code base still works with version x and a consumer should be able to bump OHC to get recent fixes.
We should not watch all third party stuff we are using and prevent to work with vulnerable versions if there is no need for.
Every JRE contains vulnerabilities. Should we require to use the most recent JRE just because a security alert has been detected?

Remember: The compile time dependency can differ from the runtime dependency in OSGi.

[wborn]

Yes you're right that there is no immediate need to upgrade it for OHC itself. It might help to push solutions using OHC (unaware of this) to bump their Karaf/Jetty version. Although I don't think there will be many. 😉

If we don't want to address this we can also dismiss it so it's not becoming an annoyance. E.g. by choosing "Risk is tolarable to this project" option:

We'll still get vulnerability updates and can act accordingly.

Furthermore the risk is not high because it's about a DoS threat and most users will be running some proxy (NGINX/myopenhab) providing security in front of Jetty anyways. If they don't they'll have a lot more security concerns to worry about.

[cweitkamp]

Thanks for your opinions. Makes sense. I will dismiss this one like suggest by @wborn .

[wborn]

They've been dismissed now. You can still find these dismissed alerts in Insights > Alerts > Closed.