[jira] Created: (OFBIZ-1525) Issue to group current existing security concern


[jira] Created: (OFBIZ-1525) Issue to group current existing security concern

Nicolas Malin (Jira)
Issue to group current existing security concern
------------------------------------------------

                 Key: OFBIZ-1525
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
             Project: OFBiz
          Issue Type: Improvement
    Affects Versions: SVN trunk
            Reporter: Jacques Le Roux


The goal of this virtual issue is only to be able to group all existing open OFBiz security issues

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Description: The goal of this virtual issue is only to be able to group all pending OFBiz security issues  (was: The goal of this virtual issue is only to be able to group all existing open OFBiz security issues)
        Summary: Issue to group current existing security concerns  (was: Issue to group current existing security concern)

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>
> The goal of this virtual issue is only to be able to group all pending OFBiz security issues


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Description: The goal of this virtual issue is only to group all OFBiz security issues (pending or closed)  (was: The goal of this virtual issue is only to be able to group all pending OFBiz security issues)

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>
> The goal of this virtual issue is only to group all OFBiz security issues (pending or closed)


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Description:
The goal of this virtual issue is only to group all OFBiz security issues (pending or closed).

Note that there are no *proved* security issue currently, just possible breaches


  was:The goal of this virtual issue is only to group all OFBiz security issues (pending or closed)


> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>
> The goal of this virtual issue is only to group all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches


[jira] Assigned: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-1525:
--------------------------------------

    Assignee: Jacques Le Roux

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Risaliti updated OFBIZ-1525:
----------------------------------

    Component/s: framework

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Component/s:     (was: framework)
    Description:
The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

Note that there are no *proved* security issue currently, just possible breaches.

This issue should never be closed


  was:
The goal of this virtual issue is only to group all OFBiz security issues (pending or closed).

Note that there are no *proved* security issue currently, just possible breaches



Marco,

I voluntarily put "unknown" as component as this is a cover (or hat if you prefer) issue whose goal is to group together potential security issues. In other words this issue should never be closed as we don't know in advance which components might be affected by a security issue.

Moreover ecommerce is already concerned by some potential security issues ;o)

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Commented: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552657 ]

Marco Risaliti commented on OFBIZ-1525:
---------------------------------------

Sorry Jacques, I have not seen that it was a grouped bug.
In this case I have used to set in the grouped bugs the sum of the components used by detailed issues.
I didn't like unknown components.
Otherwise we can add a new fictitious component - GROUPED ISSUES - and assign this component to this type of issue.

Thanks
Marco


> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Component/s: INCORPORATING ISSUE

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: INCORPORATING ISSUE
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Risaliti updated OFBIZ-1525:
----------------------------------

    Component/s:     (was: INCORPORATING ISSUE)

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Updated: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Component/s: ALL COMPONENTS

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Commented: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592940#action_12592940 ]

Jonathon Wong commented on OFBIZ-1525:
--------------------------------------

> Note that there are no *proved* security issue currently, just possible breaches.

Perhaps no one has taken the time to breach the security related to these issues. However, it doesn't take much time to do so! Certain "patterns" of security mechanisms are quite textbook; the violation of these "patterns" invariably means a security hole. Proving these textbook cases is easy via maths or logic. Proving via experimentation isn't much more difficult.

Is it a policy to wait for an actual reported breach before a textbook case is resolved? In some of my projects, I was subject to a "security audit" (like an "interview" for OFBiz) before I could even qualify for tender. None of my projects could use OFBiz security "as is"; they all needed a replacement security module.

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Commented: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592941#action_12592941 ]

David E. Jones commented on OFBIZ-1525:
---------------------------------------

Not sure what Jacques was going for with the whole proving thing... but I agree that this is no reason to not work on things.

Your comments (Jonathon) seem to forget the driving force behind OFBiz. There is no policy per-se on this because the only policies that exist are there to coordinate contributions. For these particular problems the basic fact is that if no one contributes a fix, there will be no fix in the project. That is the definition of "community driven".

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Commented: (OFBIZ-1525) Issue to group current existing security concerns

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12592942#action_12592942 ]

Scott Gray commented on OFBIZ-1525:
-----------------------------------

I think the "policy" is a bit more like this:
If you want it, either do it or pay someone else to do it.

> Issue to group current existing security concerns
> -------------------------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed


[jira] Updated: (OFBIZ-1525) Issue to group security concerns

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1525:
-----------------------------------

    Summary: Issue to group security concerns  (was: Issue to group current existing security concerns)

> Issue to group security concerns
> --------------------------------
>
>                 Key: OFBIZ-1525
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1525
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).
> Note that there are no *proved* security issue currently, just possible breaches.
> This issue should never be closed
