Security Vulnerabilities, CVE

Posted: 15 Nov 2022, 10:15
by mpiolot
Hello,

I'm looking for a way to check for security patches for PrimeFaces (and PrimeReact).

Until version 7 I was able to find security issues in the form of CVEs at the NVD of NIST. I use OWASP Dependency Check as part of our CI platform on Jenkins to get this information for all our third-party libraries.
But since version 8 I cannot find any issues at NVD any more. I think that is worrying, because now it is hard to find out whether we have to patch the PrimeFaces library in our product versions.

Kind regards
Marcel Piolot

Re: Security Vulnerabilities, CVE

Posted: 17 Nov 2022, 15:31
by Melloware
There are definitely issues with PF8, PF10, PF11 so I use Sonatype IQ Server and it reports them. PF12 is currently the only version totally clean. (for now)

Re: Security Vulnerabilities, CVE

Posted: 24 Nov 2022, 11:30
by mpiolot
We already know that there are security issues in PF8+. We have found these issues by searching the GitHub tickets.

But normally we trust OWASP Dependency Check to find every security vulnerability that was registered at the NVD. We think that NVD is kind of an industry standard for such issues.
So my question is: why can we no longer find PrimeFaces security issues in NVD? They were found until PF7: https://nvd.nist.gov/products/cpe/searc ... d=primetek. So it was a bit surprising for us that starting with PF8 these kinds of issues are no longer found in NVD. Is there any good reason not to report security issues to NVD?

With "I use Sonatype IQ Server and it reports them" I guess you mean that Sonatype IQ Server is used to find the issues (and not to report them to NVD).
I've checked the web pages of Sonatype IQ Server and found this page: https://www.sonatype.com/products/intel ... tNoRedir=1. It looks like Sonatype IQ Server not only uses NVD as a source but also scans GitHub. Is this the way we have to go now, to scan GitHub?

Re: Security Vulnerabilities, CVE

Posted: 24 Nov 2022, 15:28
by Melloware
I guess it depends on who was reporting to NVD. There has never been a formal process for reporting to NVD, so maybe whoever was reporting them before PF7 just stopped doing it. I know that, in the Open Source community, people like myself have never reported anything to NVD.

Re: Security Vulnerabilities, CVE

Posted: 24 Nov 2022, 16:43
by mpiolot
Thank you very much for the hint about Sonatype. The good thing is that we now know for sure that NVD cannot be the only source we rely on. We are now also checking Artifactory/JFrog/Xray as an alternative.

Re: Security Vulnerabilities, CVE

Posted: 24 Nov 2022, 19:34
by Melloware
I agree you can't count solely on NVD.
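The practical upshot of the thread is that a scan keyed only on NVD misses advisories that live elsewhere (GitHub issues, advisory databases, commercial feeds). The script below is an added example, not code from this thread or from the PrimeFaces, OWASP Dependency-Check or Sonatype projects: it normalises two differently shaped feeds into one record type and reports, for a given Maven artifact and version, what an NVD-only scan would see versus the union of all feeds. Everything in it is constructed: the artifact `com.example:widgets`, the advisory IDs `EXAMPLE-NVD-0001`, `EXAMPLE-GHSA-0002` and `EXAMPLE-GHSA-0003`, the version ranges, and the CPE-to-Maven map (NVD keys entries by CPE vendor:product, so some mapping step is always needed; OSV-format records, which the GitHub Advisory Database publishes, key by ecosystem and package name directly). The version comparison implements a simplified subset of Maven ordering, enough for dotted numeric versions with an optional `-QUALIFIER`.

```python
"""Merge advisories for one Maven artifact from several feeds (added example).

Constructed data throughout: the artifact, advisory IDs and version ranges
below are not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    source: str            # feed the record came from, e.g. "NVD" or "OSV"
    advisory_id: str       # feed-specific identifier
    package: str           # Maven groupId:artifactId
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet


def parse_version(v: str) -> Tuple:
    """Comparable tuple for a version like '10.0.0-RC1' (simplified Maven rules).

    Dotted numeric parts compare numerically, missing parts count as 0
    (8 == 8.0 == 8.0.0) and a '-qualifier' sorts before the bare release
    (10.0.0-RC1 < 10.0.0).
    """
    main, _, qualifier = v.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    while len(nums) < 3:
        nums.append(0)
    tail = (1,) if not qualifier else (0, qualifier.upper())
    return tuple(nums) + tail


def is_affected(adv: Advisory, version: str) -> bool:
    """introduced <= version < fixed, with no upper bound when unfixed."""
    ver = parse_version(version)
    if ver < parse_version(adv.introduced):
        return False
    return adv.fixed is None or ver < parse_version(adv.fixed)


def from_nvd(record: dict, cpe_to_maven: Dict[str, str]) -> List[Advisory]:
    """NVD-style record: CPE plus versionStart/End bounds (constructed shape)."""
    out = []
    for cfg in record["configurations"]:
        parts = cfg["cpe"].split(":")
        key = f"{parts[3]}:{parts[4]}"             # vendor:product from the CPE
        if key not in cpe_to_maven:
            continue                               # unmapped CPE: invisible to the scan
        out.append(Advisory("NVD", record["cve"], cpe_to_maven[key],
                            cfg.get("versionStartIncluding", "0"),
                            cfg.get("versionEndExcluding")))
    return out


def from_osv(record: dict) -> List[Advisory]:
    """OSV-style record: ecosystem/package plus introduced/fixed event pairs."""
    out = []
    for aff in record["affected"]:
        if aff["package"]["ecosystem"] != "Maven":
            continue
        name = aff["package"]["name"]
        for rng in aff["ranges"]:
            introduced = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    out.append(Advisory("OSV", record["id"], name, introduced, ev["fixed"]))
                    introduced = None
            if introduced is not None:             # open-ended range, no fix yet
                out.append(Advisory("OSV", record["id"], name, introduced, None))
    return out


# Constructed sample feeds (not real advisories).
CPE_TO_MAVEN = {"example:widgets": "com.example:widgets"}
NVD_FEED = [
    {"cve": "EXAMPLE-NVD-0001",
     "configurations": [{"cpe": "cpe:2.3:a:example:widgets:*:*:*:*:*:*:*:*",
                         "versionStartIncluding": "6.0", "versionEndExcluding": "7.0.2"}]},
]
OSV_FEED = [
    {"id": "EXAMPLE-GHSA-0002",
     "affected": [{"package": {"ecosystem": "Maven", "name": "com.example:widgets"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "8.0"}, {"fixed": "8.0.3"},
                                          {"introduced": "10.0.0"}, {"fixed": "11.0.1"}]}]}]},
    {"id": "EXAMPLE-GHSA-0003",
     "affected": [{"package": {"ecosystem": "Maven", "name": "com.example:widgets"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "11.0.0"}]}]}]},
]


def load_all() -> List[Advisory]:
    advs: List[Advisory] = []
    for rec in NVD_FEED:
        advs += from_nvd(rec, CPE_TO_MAVEN)
    for rec in OSV_FEED:
        advs += from_osv(rec)
    return advs


def findings(package: str, version: str, advisories: List[Advisory],
             sources: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Sorted (source, id) pairs affecting package@version; restrict with
    sources={"NVD"} to mimic a scan that only consults NVD."""
    hits = {(a.source, a.advisory_id) for a in advisories
            if a.package == package and is_affected(a, version)
            and (sources is None or a.source in sources)}
    return sorted(hits)


if __name__ == "__main__":
    advs = load_all()
    for v in ["7.0.1", "8.0.2", "10.0.0-RC1", "10.0.0", "11.0.0", "12.0.0"]:
        print(f"{v:12} NVD only: {findings('com.example:widgets', v, advs, {'NVD'})}"
              f"  all feeds: {findings('com.example:widgets', v, advs)}")
```

Running it shows the gap the thread describes: 7.0.1 is flagged by both views, but 8.0.2, 10.0.0 and 11.0.0 are clean under the NVD-only view and flagged once the OSV feed is merged in. Two details matter in practice: an NVD entry whose CPE has no mapping to a Maven coordinate never produces a finding, and a pre-release such as 10.0.0-RC1 sorts below the `introduced: 10.0.0` bound and so is not matched, which is correct for the range as written but worth checking when an advisory was really meant to cover the release candidates too.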