Re: Potential security issues with EdgeX
Agree Benjamin. We were under the impression the security mailing list was more restricted.
Does EdgeX have such a limited mailing list for security issues? If not we need to create one.
From: <EdgeX-TSC-Security@...> on behalf of Benjamin Cabé <benjamin.cabe@...>
Date: Wednesday, October 17, 2018 at 2:31 AM
To: "edgex-tsc-security@..." <edgex-tsc-security@...>
Subject: Re: [Edgex-tsc-security] Potential security issues with EdgeX
FWIW reporting security vulnerabilities on a *public* mailing list certainly sounds like a security anti-pattern as well…
We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:
Blacklisted import crypto/sha1: weak cryptographic primitive
Potential file inclusion via variable
Expect file permissions to be 0600 or less
I’ve attached the gosec output to this email.
Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.
We would like to know how we should proceed further.
Potentially we could integrate gosec into the build pipeline.
Member of Technical Staff – Open Source Engineer
VMware Open Source Technology Center
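For readers who want to see what the three classes of gosec findings named in the message above look like once remediated, the following Go program is an added illustration; it is not EdgeX code and not from the attached gosec output. The function names (Digest, SafeJoin, ReadConfined, WritePrivate, PermissionsOK) and the sample inputs are assumptions chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Digest returns a hex SHA-256 digest. gosec's "weak cryptographic primitive"
// finding is raised on imports of crypto/sha1 (and crypto/md5); switching the
// import to crypto/sha256 is the direct fix where the hash is not protocol-fixed.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ErrOutsideBase is returned when a requested name would resolve outside base.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin confines a caller-supplied file name to a known base directory.
// gosec flags os.Open(variable)/os.ReadFile(variable) as "potential file
// inclusion via variable"; rejecting ".." escapes after cleaning the path is
// the usual mitigation, and the remaining call can then carry a #nosec note.
func SafeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// ReadConfined reads a file chosen by an untrusted name, but only from inside base.
func ReadConfined(base, name string) ([]byte, error) {
	p, err := SafeJoin(base, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- path confined to base by SafeJoin
}

// WritePrivate writes data with owner-only permissions. gosec's "expect file
// permissions to be 0600 or less" finding is raised on os.WriteFile/os.OpenFile
// calls that pass a broader mode such as 0644.
func WritePrivate(path string, data []byte) error {
	return os.WriteFile(path, data, 0o600)
}

// PermissionsOK reports whether the file at path grants no group or other bits.
func PermissionsOK(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

func main() {
	// Constructed demonstration: write a secret with 0600, read it back via a
	// confined path, and show a traversal attempt being rejected.
	dir, err := os.MkdirTemp("", "gosec-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	secret := filepath.Join(dir, "token.txt")
	if err := WritePrivate(secret, []byte("constructed-secret")); err != nil {
		panic(err)
	}
	ok, _ := PermissionsOK(secret)
	fmt.Println("owner-only permissions:", ok)

	data, _ := ReadConfined(dir, "token.txt")
	fmt.Println("digest:", Digest(data))

	_, err = ReadConfined(dir, "../../etc/passwd")
	fmt.Println("traversal rejected:", errors.Is(err, ErrOutsideBase))
}
```

The `#nosec G304` comment is gosec's own suppression syntax; keeping it next to the confinement check documents why the finding was accepted, which is the kind of record a build-pipeline integration of gosec benefits from.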