github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Java/Maven]: Detect use of deprecated JCenter/Bintray Repository #287

Closed JLLeitschuh closed 3 years ago

JLLeitschuh commented 3 years ago

CVE ID(s)

None yet, because this service hasn't been totally shut down yet.

However, here are some examples of alerts raised by this query. https://lgtm.com/query/1719878637611379656/

Report

This CodeQL query detects the dependence upon Bintray/JCenter in Maven POM files. JCenter has traditionally been one of the two central repositories commonly used in the JVM ecosystem. JCenter/Bintray is shutting down in February 2022.

https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/

The query can be found here. https://github.com/github/codeql/pull/5105
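
The same check, re-implemented as a stand-alone script rather than the CodeQL query linked above (an added example, not the query itself and not code from the thread): it walks the `<repositories>` and `<pluginRepositories>` sections of a POM in declaration order and flags any repository whose URL points at a JCenter/Bintray host. The host list and the sample `pom.xml` are constructed for illustration.

```python
"""Flag Maven POM repositories that point at the retired JCenter/Bintray hosts."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hostnames JFrog served Bintray/JCenter from. Assumed list for this example;
# extend it if your organisation proxied JCenter under another name.
RETIRED_HOSTS = {"jcenter.bintray.com", "dl.bintray.com", "api.bintray.com"}

# Constructed sample pom.xml: JCenter declared before Central, plus a
# Bintray-hosted plugin repository.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>jcenter</id>
      <url>https://jcenter.bintray.com/</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>acme-bintray</id>
      <url>https://dl.bintray.com/acme/maven</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def _strip_namespaces(root):
    """Drop the POM namespace so one XPath works for namespaced and bare POMs."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def declared_repositories(pom_xml):
    """Return (section, position, id, url) tuples in declaration order.

    Position is 1-based within its section; Maven consults the declared
    repositories in this order when resolving an artifact."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    repos = []
    for section, tag in (("repositories", "repository"),
                         ("pluginRepositories", "pluginRepository")):
        for pos, repo in enumerate(root.findall(f"./{section}/{tag}"), start=1):
            repos.append((section, pos,
                          (repo.findtext("id") or "").strip(),
                          (repo.findtext("url") or "").strip()))
    return repos


def is_retired_host(url):
    """True when the repository URL points at a JCenter/Bintray host."""
    host = (urlparse(url).hostname or "").lower()
    return host in RETIRED_HOSTS or host.endswith(".bintray.com")


def find_jcenter_repositories(pom_xml):
    """Return only the declared repositories that resolve to JCenter/Bintray."""
    return [r for r in declared_repositories(pom_xml) if is_retired_host(r[3])]


if __name__ == "__main__":
    for section, pos, rid, url in find_jcenter_repositories(SAMPLE_POM):
        print(f"{section}[{pos}] id={rid!r} -> {url} (retired JCenter/Bintray host)")
```

Run it against a real `pom.xml` by reading the file into `find_jcenter_repositories`; the position field tells you where the retired repository sits relative to the others, which matters because an artifact that used to be served from JCenter will fall through to whatever repository is declared after it.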

JLLeitschuh commented 3 years ago

This should be under the "All for one, one for all", sorry about that.

JarLob commented 3 years ago

Is it correct?

JLLeitschuh commented 3 years ago

Yes! Thank you!

ghsecuritylab commented 3 years ago

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

ghsecuritylab commented 3 years ago

Your submission is now in status SecLab review.

ghsecuritylab commented 3 years ago

Your submission is now in status SecLab finalize.

antonio-morales commented 3 years ago

Hi @JLLeitschuh,

first of all, thank you for your patience while we reviewed your submission.

Unfortunately, we don't think that this query addresses a real security issue. We've classified it as a general misconfiguration.

However, if you can provide additional details to support your submission, we would be pleased to reconsider our decision.

Regards, Antonio.

JLLeitschuh commented 3 years ago

So, my rationale here is that "security" covers the three pillars of "Confidentiality", "Integrity", & "Availability". Here's the best argument I have to back up why this has security implications.

Confidentiality

Just to get this out of the way, I don't think this is applicable here.

Integrity

This deprecation & shutdown impacts the integrity of your CI/CD flow. Maven resolves dependencies from repositories in the order they are declared. If, as a user, you were relying upon a dependency that was being resolved from JCenter, when JCenter shuts down, you will be relying upon artifacts being served potentially from a different location. We've seen this kind of change cause vulnerabilities in the past in the JVM ecosystem.

https://blog.autsoft.hu/a-confusing-dependency/

Availability

I think that this pillar is the most closely aligned with the impact. When the shutdown occurs, this will impact the ability of your CI/CD tools to build your organization's software. When it occurs, it will block development until this issue is resolved. If some dependencies haven't been relocated, and this shutdown impacts your development team, you could end up with idle developers.

Assuming that a developer costs, on average, $500/day (assuming a $120,000/year average salary), and you have a project that has 10 developers working on it; if this shutdown impacts this team such that they are unable to work on this project for a day, it will cost an organization ~$5,000/day.

CVSSv3.1 Scoring

I'm really not confident that this does a good job of supporting my argument, but if you were to compute a CVSSv3.1 score for this issue, you'd end up with an 8.2.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

I can see your perspective, and I'm more than happy to accept your decision, but I think that the "Availability" impact of this issue is still worth consideration.

anticomputer commented 3 years ago

Hi @JLLeitschuh we discussed your points with the wider team and have decided to not accept this submission for a bounty reward at this time. While we appreciate the availability argument, we feel the submission currently does not meet the bar for acceptance under our bounty guidelines. While projects might certainly be affected when the deprecation does finalize, the query would currently not uncover repositories that, today, are affected by any immediate risk exposure.

JLLeitschuh commented 3 years ago

Sounds perfectly reasonable. I'll self-close.

ghsecuritylab commented 3 years ago

Your submission is now in status Closed.