org-scn-design-studio-community / lumiradesignercommunityext

Lumira Designer SCN Community Extensions
Apache License 2.0

SCN Community Extensions Security #12

Closed jboss1995 closed 6 years ago

jboss1995 commented 6 years ago

A vendor brought to my boss's attention that SCN Community Extensions are open source and a security risk. This is what she said:

The SCN plugins are Open Source and are not actively maintained. They will have callbacks to other websites for details like fonts etc. Since we work with Institutes aligned with Defence etc., these enterprises do not use similar tools in their landscape because they cannot audit the code behind the same. The SCN Plugins are maintained by a public group and it is not recommended to use them unless you have the expertise to audit the code behind the same and with frequent patches and that the software is offered “As-Is” it becomes difficult to identify any third party calls or API calls happening within the code, which might compromise your systems.

So my question is, is anyone responsible for auditing the code or is there any reassurance that I can give my boss and our security team that the extensions are free from malicious code? I hope it is okay to ask this question here. I also hope that this does not offend anyone. I do thank all of you for your hard work.

entmike commented 6 years ago

Hi jboss, I'll go point-by-point where I think that I can provide a response:

The SCN plugins are Open Source and are not actively maintained.

This is half-true. If you look at the Issues history on this repository, I maintain what I can. So to say it's not "actively" maintained annoys me a little, as I've been "active" as I can be. Is it completely maintained? Absolutely not.

They will have callbacks to other websites for details like fonts etc.

I do not believe any of the components we've written perform callbacks to other websites for webfonts or JS files. The only exception would be for things like Map Tiles but this is a common practice, and unless you use the map component, this isn't even an issue anyway. To me, this sounds like your vendor throwing a blanket statement that could arguably apply to anything web-based. I'd roll my eyes at this one a little as a web developer.

The SCN Plugins are maintained by a public group and it is not recommended to use them unless you have the expertise to audit the code behind the same and with frequent patches and that the software is offered “As-Is” it becomes difficult to identify any third party calls or API calls happening within the code, which might compromise your systems.

Yes, the code is written by hobbyists and the source code is there for anyone to use or modify freely. To say that it becomes difficult "any third party calls or API calls happening within the code" sounds paranoid to me personally, only because I know we are not doing anything malicious like this, but who is to say that I'm not lying or forgetful? /tinfoil hat :) -- Again, the code is open source and someone can go look for themselves or perform traffic analysis on their network or just even look in Fiddler and see if there's any outgoing traffic. (Spoiler alert: There's not.)

So my question is, is anyone responsible for auditing the code or is there any reassurance that I can give my boss and our security team that the extensions are free from malicious code?

No, there is no responsibility to do this, and we (and I use "we" loosely, most of the other contributors have not been active or moved on to other areas of interest) do not actively audit one another or every line of code. We do exhibit a degree of "common sense" which does not always hold up to the rigid (or absurd, depending on what one's role may be) standards a security vendor places on free, open source extensions.

I hope it is okay to ask this question here. I also hope that this does not offend anyone. I do thank all of you for your hard work.

It's always ok to ask questions! I take no offense! I am glad that people are interested in using, or simply experimenting with, or modifying these extensions! It's not the first time I've heard of companies being unable/unwilling to use them because of these reasons. I can understand why. I could win the lottery tomorrow or find another interesting hobby and disappear from GitHub or whatever the scenario.

From the beginning, the spirit/idea was to SHARE the source code and let others own/modify it on their own and contribute back. This really never happened at any significant scale. It became more of a we create the components and release them for direct use in practice. In other words, people just took the bundled ZIP because it was least effort. It's sad, but that's the way it ended up.

What really should happen, is SAP should take note of their continuing gaps in their product and fill them themselves to alleviate these concerns for everybody. But I would not hold my breath on that one.
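The reply above suggests reviewing the source or watching network traffic to confirm that an extension makes no third-party calls. As an added example (not code from this repository), the following static check scans the text files of an extension bundle for absolute or protocol-relative URLs and groups them by host, so a security team can see which external hosts the code references before deploying it. The sample files, the `fonts.example.com` and `tiles.example.net` hosts, and the allowlist are constructed for illustration; XML namespace URIs such as `www.w3.org` are allowlisted because they are identifiers, not network calls.

```python
import re
import zipfile
from collections import defaultdict

# Absolute http(s) and protocol-relative (//host/...) URLs found in source text.
# Captures the host so findings can be grouped per external site.
URL_RE = re.compile(
    r"""(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/[^\s"'()<>]*)?"""
)

def scan_sources(files, allowed_hosts=()):
    """files: mapping of path -> text content of an extension bundle.
    Returns {host: [(path, line_no, line), ...]} for hosts not in allowed_hosts.
    Note: a '//host.tld' inside a JS comment is reported too; review such hits manually."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = defaultdict(list)
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in URL_RE.finditer(line):
                host = match.group(1).lower()
                if host in allowed:
                    continue  # e.g. XML namespace URIs, which are never fetched
                hits[host].append((path, line_no, line.strip()))
    return dict(hits)

def scan_zip(zip_path, allowed_hosts=()):
    """Read the text-like members of a bundled extension ZIP and scan them."""
    files = {}
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.endswith((".js", ".css", ".html", ".xml", ".json")):
                files[name] = zf.read(name).decode("utf-8", "replace")
    return scan_sources(files, allowed_hosts)

# Constructed sample bundle: one component with only relative paths, a stylesheet
# importing a remote web font, a map helper pointing at a tile server, and an
# XML descriptor whose namespace URI is an identifier rather than a callback.
SAMPLE_FILES = {
    "res/component.js": "var cssPath = 'res/css/component.css';\nvar ok = true;\n",
    "res/css/component.css": "@import url(//fonts.example.com/css?family=Roboto);\n.x{color:red}\n",
    "res/maps/tiles.js": "var TILE_URL = 'https://tiles.example.net/{z}/{x}/{y}.png';\n",
    "contribution.xml": '<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>\n',
}

if __name__ == "__main__":
    for host, refs in scan_sources(SAMPLE_FILES, allowed_hosts={"www.w3.org"}).items():
        print(host)
        for path, line_no, line in refs:
            print(f"  {path}:{line_no}: {line}")
```

A clean result from this scan is a useful first pass; it complements, rather than replaces, the traffic capture the reply mentions, since URLs assembled at runtime from fragments would not match the pattern.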

jboss1995 commented 6 years ago

Thanks for getting back with me so fast, I will pass this along.

entmike commented 6 years ago

Closing this one, as it was more a discussion topic than a bug/issue. Thanks!