Hello,
I'm looking for a way to check for security patches for PrimeFaces (and PrimeReact).
Until version 7 I was able to find security issues in the form of CVEs at the NVD of NIST. I use OWASP Dependency Check as part of our CI platform on Jenkins to get this information for all our 3rd party libraries.
But since version 8 I cannot find any issues anymore at NVD. I think that is worrying because now it is hard to find out if we have to patch the PrimeFaces library in our product versions.
Kind regards
Marcel Piolot
Security Vulnerabilities, CVE
There are definitely issues with PF8, PF10, PF11 so I use Sonatype IQ Server and it reports them. PF12 is currently the only version totally clean. (for now)
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
We already know that there are security issues in PF8+. We have found these issues by searching the GitHub tickets.
But normally we trust the OWASP Dependency Check to find every security vulnerability that was registered at the NVD. We think that NVD is kind of an industry standard for such issues.
So my question is why can we no longer find PrimeFaces security issues in NVD? They were found until PF7: https://nvd.nist.gov/products/cpe/searc ... d=primetek. So it was a bit surprising for us that starting with PF8 these kinds of issues are no longer found in NVD. Is there any good reason to not report security issues to NVD?
With "I use Sonatype IQ Server and it reports them" I guess that you mean that Sonatype IQ Server is used to find the issues (and not to report them to NVD).
I've checked the web pages of Sonatype IQ Server and found this page: https://www.sonatype.com/products/intel ... tNoRedir=1. It looks like Sonatype IQ Server not only uses NVD as a source but also scans GitHub. Is this the way we have to go now, to scan GitHub?
I guess it depends on who was reporting to NVD. There has never been a formal process for reporting to NVD, so maybe whoever was reporting them before PF7 just stopped doing it. I know that in the Open Source community, people like myself have never reported anything to NVD.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
I agree you can't count solely on NVD.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1
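One way to act on "you can't count solely on NVD" in a Jenkins job: an added example (my own code, not from the PrimeFaces project or OWASP Dependency Check) that checks a Maven coordinate such as org.primefaces:primefaces against advisories in the OSV format that GitHub security advisories are published in. The advisory id and version numbers in SAMPLE_ADVISORY are constructed placeholders, not a real PrimeFaces advisory; query_osv assumes the public api.osv.dev endpoint and needs network access, so the demo below runs only on the constructed data.

```python
"""Check one Maven artifact version against OSV-format advisories (offline demo)."""
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # public OSV API endpoint


def parse_version(v):
    """Numeric dot-separated ordering; qualifiers such as '-RC1' are dropped (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def is_affected(advisory, package, version):
    """True if `version` of Maven `package` falls inside any affected range of the advisory."""
    v = parse_version(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "Maven" or pkg.get("name") != package:
            continue
        if version in entry.get("versions", []):  # explicit list of affected versions
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue
            introduced = None  # start of the currently open affected interval
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    introduced = parse_version(ev["introduced"])
                elif "fixed" in ev and introduced is not None:
                    if introduced <= v < parse_version(ev["fixed"]):
                        return True
                    introduced = None
                elif "last_affected" in ev and introduced is not None:
                    if introduced <= v <= parse_version(ev["last_affected"]):
                        return True
                    introduced = None
            if introduced is not None and introduced <= v:  # introduced, no fix published yet
                return True
    return False


def query_osv(package, version):
    """Live lookup of one Maven coordinate on api.osv.dev; returns the 'vulns' list (needs network)."""
    body = json.dumps({"version": version, "package": {"name": package, "ecosystem": "Maven"}}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("vulns", [])


# Constructed sample advisory: placeholder id and version numbers, not a real PrimeFaces advisory.
SAMPLE_ADVISORY = {"id": "EXAMPLE-0000", "affected": [{
    "package": {"ecosystem": "Maven", "name": "org.primefaces:primefaces"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "8.0"}, {"fixed": "8.0.5"}]}]}]}

if __name__ == "__main__":
    for ver in ("7.0", "8.0.3", "8.0.5"):
        print(ver, "affected" if is_affected(SAMPLE_ADVISORY, "org.primefaces:primefaces", ver) else "clean")
```

In a pipeline you would run the same check over every OSV record returned by query_osv (or by a GitHub advisory export) for each coordinate in the build, and fail the job on any hit.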