clj-commons

lread 2024-02-26T15:55:44.991559Z

@slipset I just submitted a https://github.com/clj-commons/fs/pull/14. The Circleci pipeline is no longer active(?): https://app.circleci.com/pipelines/github/clj-commons/fs. When you have a moment, can you take a peek and reactivate it?

slipset 2024-02-26T17:47:37.534299Z

It seems like I managed to kick it hard enough to make it run

lread 2024-02-26T18:00:36.225849Z

Thanks, I see the fruits of your kick! But... I just pushed an empty commit on my PR. That should have kicked off a CircleCI job (I think), but I don't see one.

slipset 2024-02-26T18:01:55.349539Z

I turned on building from forked repos? Kind’a hoping your PR was from a forked repo?

lread 2024-02-26T18:02:09.681419Z

Yep

lread 2024-02-26T18:04:39.398569Z

I could close and resubmit the PR if you think that's worth trying.

slipset 2024-02-26T18:05:57.770839Z

Try one more commit

slipset 2024-02-26T18:06:29.071289Z

Building

lread 2024-02-26T18:06:35.596309Z

tada!

lread 2024-02-26T18:06:46.099439Z

Thanks!

slipset 2024-02-26T18:06:52.789569Z

Thank you!

lread 2024-02-26T18:07:49.933129Z

If it all looks good to you, we should probably cut a new release of this old lib!

slipset 2024-02-26T18:09:02.520579Z

Merged

slipset 2024-02-26T18:10:19.969129Z

Releasing

lread 2024-02-26T18:10:33.152889Z

Thanks!

slipset 2024-02-26T18:10:40.857699Z

Again, thank you 🙂

lread 2024-02-26T18:11:14.731069Z

My pleasure!

slipset 2024-02-26T18:17:38.029549Z

Dang! It’s a much downloaded lib

lread 2024-02-26T18:37:04.694749Z

Yep, folks still use it, but also nice to see that folks seem to have migrated to babashka/fs!

slipset 2024-02-26T18:38:52.131499Z

Really appreciate you being on the CVE’s though. We use nvd-whatever at work, and some projects take forever to even reply to PRs with upgraded libs.

lread 2024-02-26T18:42:14.755089Z

Just stumbled on this one. Cljdoc still uses this lib, and I did an NVD scan on cljdoc, and it burped out the CVEs.

Matthew Davidson 2024-02-27T11:25:03.245759Z

> We use nvd-whatever at work, and some projects take forever to even reply to PRs with upgraded libs. I don't know about you, but in my experience with Aleph, CVEs are kind of a mixed bag. Though not as bad as it is for some https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/, apparently. The idea is theoretically sound, but there's low-quality CVEs, incorrect CVEs, and little way to fix the issues. It seems like it's been getting worse, too. The last one we had was a Netty issue that people started clamoring for that was an amplification DoS attack on some standard HTTP/2 behavior. Sounds like a good candidate for a fix...but I hadn't released the HTTP/2 version of Aleph at the time, so it wasn't vulnerable. If there was a way to tell MITRE that Aleph wasn't affected, I'd have done that, but that's not possible afaik. In that case, it wasn't much of a burden to upgrade, but I do have to check the complete Netty changelog every time to try and make sure nothing will break. It's not hard to imagine a scenario where the burden isn't worth it (younger libs, fewer maintainers, less time, worsening CVE quality, etc). All of which is why I no longer personally ring the alarm bell when a CVE comes in. Just my $.02.

slipset 2024-02-27T12:50:19.438169Z

We regularly add to our cve ignore file, after we analyzed the cve. We’re somewhat required to do this by contract.

slipset 2024-02-27T12:50:58.139859Z

In essence, every CVE reported against libs we use need to be mitigated in some way, either by upgrading a lib, removing it, or ignoring the CVE in an ignore file.

Matthew Davidson 2024-02-27T12:51:36.949099Z

Is that commonplace? I haven't tried telling anyone to ignore a CVE officially yet.

slipset 2024-02-27T12:53:31.411889Z

We’re not telling anyone, since it’s all internal. But you could imagine closing a “CVE-WHATEVER” issue with “Not applicable”, and then let your clients act accordingly.

Matthew Davidson 2024-02-27T12:54:47.671269Z

Hmmm 🤔 I'll have to try that the next time an applicable CVE comes in

Matthew Davidson 2024-02-27T12:54:53.449499Z

Thx!

lread 2024-02-27T17:05:54.929959Z

@kingmob clj-yaml is a light wrapper for SnakeYAML. There was a CVE raised against SnakeYAML that did not affect clj-yaml because clj-yaml did not expose the problematic usage. But yeah, like slipset, I have a look at reported CVEs, mark false positives in ignore configs, and bump deps.