Addressing CVEs in 1.13.0

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
javaapp
Posts: 40
Joined: 20 May 2020, 18:34

Addressing CVEs in 1.13.0

Post by javaapp »

There is concern expressed by a group that has scanned the openwebstart codebase for vulnerabilities from CVEs. From looking at their reports it seems like the vulnerabilities are primarily in the tools/plugins used as part of the maven build and not with the delivered artifacts of OWS (i.e. the jars that get deployed to end-user machines). Can you provide any statements regarding plans to address these CVEs and whether or not they are impactful to current end-user machines?

I'm attempting to attach the reports here

Thank you,
John
Attachments:
ows_cve_report_1.png
ows_cve_report_2.png
ows_cve_report_3.png
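The question in this post is whether the scanner findings live in Maven build tooling or in the jars that actually ship. The script below is an added example, not code from the forum or from the OpenWebStart project: it parses a constructed fragment of `mvn dependency:tree` output and a constructed list of scanner findings (placeholder advisory ids, made-up coordinates), and sorts each finding into "shipped" (compile/runtime scope), "build-only" (test/provided scope) or "not-in-tree" (the artifact is not a project dependency at all, which is where Maven plugins and their dependencies land, since `dependency:tree` does not list them).

```python
"""Triage SCA findings by whether the affected artifact reaches end users.

Added example (not OWS project code). Input is a constructed fragment of
`mvn dependency:tree` output in its default text format:
    [INFO] +- group:artifact:packaging:version:scope
Scanner findings are constructed too; advisory ids are placeholders.
"""
import re

# Constructed sample tree; not the real OWS dependency tree.
SAMPLE_TREE = """\
[INFO] net.example:ows-sample:jar:1.13.0
[INFO] +- net.example:core-lib:jar:2.4.1:compile
[INFO] |  \\- org.example:xml-util:jar:1.0.7:compile
[INFO] +- org.example:http-client:jar:4.5.0:runtime
[INFO] +- org.example:junit-like:jar:4.13:test
[INFO] |  \\- org.example:hamcrest-like:jar:1.3:test
[INFO] \\- org.example:servlet-api:jar:3.1:provided
"""

# Constructed findings as a scanner might report them: coordinate -> advisory.
SAMPLE_FINDINGS = {
    "org.example:xml-util:1.0.7": "CVE-XXXX-0001 (placeholder)",
    "org.example:junit-like:4.13": "CVE-XXXX-0002 (placeholder)",
    "org.example:servlet-api:3.1": "CVE-XXXX-0003 (placeholder)",
    "org.example:not-in-tree:9.9": "CVE-XXXX-0004 (placeholder)",
}

# Scopes whose artifacts end up inside the delivered application.
SHIPPED_SCOPES = {"compile", "runtime"}

# Tree-drawing prefix, then group:artifact:packaging:version:scope.
# The root project line has no scope and deliberately does not match.
LINE_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*"
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z\-]+):([A-Za-z0-9_.\-]+):([a-z]+)\s*$"
)


def parse_tree(text):
    """Return {"group:artifact:version": scope} for every dependency line."""
    deps = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            group, artifact, _packaging, version, scope = m.groups()
            deps[f"{group}:{artifact}:{version}"] = scope
    return deps


def triage(findings, tree_text):
    """Map each finding to (verdict, scope, advisory).

    'shipped'      -> artifact is packaged with the application; fix it.
    'build-only'   -> test/provided scope; not in the delivered jars.
                      (provided still means present at runtime from the host
                      container, so confirm that before closing the finding.)
    'not-in-tree'  -> not a project dependency; typically a Maven plugin or
                      one of its dependencies, which need a separate
                      plugin-resolution listing to attribute.
    """
    deps = parse_tree(tree_text)
    result = {}
    for coord, advisory in findings.items():
        scope = deps.get(coord)
        if scope is None:
            verdict = "not-in-tree"
        elif scope in SHIPPED_SCOPES:
            verdict = "shipped"
        else:
            verdict = "build-only"
        result[coord] = (verdict, scope, advisory)
    return result


if __name__ == "__main__":
    for coord, (verdict, scope, advisory) in triage(SAMPLE_FINDINGS, SAMPLE_TREE).items():
        print(f"{verdict:12} scope={scope!s:9} {coord}  {advisory}")
```

The useful output is the "shipped" bucket: those are the findings that affect end-user machines regardless of how the build is run. Everything else still deserves a fix, but it changes the severity story for deployed users rather than the build host.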

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

Sure we can provide a statement.

Can you please tell me:

Which company do you belong to?
Which company/group is interested in the vulnerability report?
Which tool was used to produce the report? Is the tool available in github?
Was the tool run from within github on the codebase in github?
Was the tool run on the codebase of both icedtea-web and openwebstart in github?

Thanks

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

Hi John,

Can you please tell me which SAST tool was used, so that I can also check for myself, do the fixes and verify them by running the tool again?

Thanks

TechGuy47
Posts: 2
Joined: 06 Apr 2026, 15:57

Re: Addressing CVEs in 1.13.0

Post by TechGuy47 »

@Janak - I have similar concerns to John above. Based on my own experience, these seem to be consistent with the results I see for OpenWebStart using Snyk as the SAST. Would you still be willing to verify and fix the findings, as offered above? Would love to have these issues resolved!

Thanks in Advance!

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

Thanks for suggesting Snyk. We will verify and fix.

TechGuy47
Posts: 2
Joined: 06 Apr 2026, 15:57

Re: Addressing CVEs in 1.13.0

Post by TechGuy47 »

@Janak - Thank you for the response above. Has there been any progress in resolving these issues? Is there an ETA for the resolutions to be deployed?

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

We will include this in the next release, scheduled for the end of May.

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

TechGuy47 wrote (08 Apr 2026, 21:27): @Janak - I have similar concerns to John above. Based on my own experience, these seem to be consistent with the results I see for OpenWebStart using Snyk as the SAST. Would you still be willing to verify and fix the findings, as offered above? Would love to have these issues resolved!

Thanks in Advance!

@TechGuy47 I tried snyk and ran it on the source code for OWS and ITW. But I did not get the same report as mentioned above. Do you get the same reports as mentioned above in ows_cve_report_1.png, ows_cve_report_2.png and ows_cve_report_3.png? If yes, then how did you run snyk, i.e. with what command-line options? Is it necessary to have the licensed version of snyk to get reports like the ones mentioned above?

Janak Mulani
Posts: 1088
Joined: 24 Mar 2020, 13:37

Re: Addressing CVEs in 1.13.0

Post by Janak Mulani »

I was able to run snyk test locally on OWS and ITW codebase and it has generated reports. Will try to fix the vulnerabilities.
