Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Tomcat entry updates #4590

Open
joshbressers opened this issue Jul 9, 2024 · 1 comment
Open

Tomcat entry updates #4590

joshbressers opened this issue Jul 9, 2024 · 1 comment

Comments

@joshbressers
Copy link

Hello,

I have a spreadsheet with a large number of Tomcat advisory updates (this sheet is not current with the latest Tomcat vulnerabilities)
https://docs.google.com/spreadsheets/d/1b8XqUEK1PuOfTjm1jj-YSIoQa92A7uwjVfF06kd4bXg/edit?gid=0#gid=0

Many GitHub advisories for tomcat reference the package org.apache.tomcat:tomcat, which is not an installable jar. For example
GHSA-3p86-xgrq-m6p6

Vulnerability scanners should be detecting specific components of the Tomcat project rather than the project itself, and vulnerabilities affect specific Tomcat jars, not all Tomcat jars.

There are some GitHub Tomcat advisories that do capture the specific components that a vulnerability affects
GHSA-f4qf-m5gf-8jm8

In the spreadsheet I have identified the Tomcat component(s) affected by the given vulnerabilities in column D. Some of the vulnerabilities couldn't be figured out, or are documentation or example updates. I left them in for posterity.

I have a few questions about how to submit this large corpus of updates. I would like to work with the GitHub team to minimize friction. I'm very open to suggestions. I can submit one big PR, many small PRs. I'm happy to trickle them in if that's easier. Whatever works best for the GitHub team.

@darakian
Copy link
Contributor

Hey @joshbressers, if you do some searching you'll find a previous conversation about our tomcat advisories and some were brought up and corrected. If you've got a full list the easiest (for us) thing to do would be to just open a butt load of PRs (maybe rate limit it for us). One PR per advisory though please :)
Else maybe just dump the list of GHSA numbers here and I'll open an issue for us to re-review them

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants