RFE: support other maven repos #9

Open
dfj opened this issue Jun 27, 2014 · 7 comments
@dfj
Member

dfj commented Jun 27, 2014

What do you think about adding support for maven repos other than central, e.g. maven.repository.redhat.com? As an example implementation off the top of my head, you could allow multiple "affected" elements. language-module: java could then have an optional "repository" element specifying the repo URL; if this is omitted, maven central would be assumed as a default.

@abn
Member

abn commented Jun 27, 2014

This is planned, and needs to be done on the service side. This should be as easy as adding it to https://github.com/victims/victims-web/blob/master/src/victims_web/config.py#L89 either in prod or as defaults. I need to test if Charon falls over with r.j.o/maven.redhat.

@abn
Member

abn commented Jun 27, 2014

Although I think an optional repository field might be useful for CVE DB.

@abn abn self-assigned this Jun 27, 2014
@reiz
Member

reiz commented Nov 17, 2015

+1

@abn abn removed their assignment Nov 18, 2015
@jasinner
Member

This issue has been fixed on the service side, and the Red Hat repository has been added. I propose adding an optional 'repository' field to reports if the report is for a library not from Maven Central.

@jasinner jasinner self-assigned this Jul 18, 2016
@reiz
Member

reiz commented Jul 19, 2016

At VersionEye we stopped adding more Maven repositories to the crawling framework because we got issues with that. Non-official Maven repositories can overwrite official artefacts and provide a different hash value. Plus they can publish non-official releases of official artifacts like TestNG. These are just some of the issues we had to face at VersionEye.

@dfj Why is Red Hat not publishing to Maven Central? With the right Maven plugin it's a one-command deployment.

@jasinner
Member

I think Red Hat does not publish to Maven Central because we don't want to rely on a third party for our builds to work.
When reporting issues in the victims database, we'll try to use Maven Central whenever it's available, but may resort to Red Hat's Maven repository if the artifact is not found in Maven Central.
Thinking about design, we'll probably have to add repository to an affected version in the affected library list, i.e.:

cve: 2016-3092
title: "Apache Commons Fileupload: Denial of Service"
description: >
    A malicious client can send file upload requests that cause the HTTP server
    using the Apache Commons Fileupload library to become unresponsive, preventing
    the server from servicing other requests. A fork of this component
    is also included in Apache Tomcat.
cvss_v2: 4.3
references:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1349475
    - http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%[email protected]%3E
    - http://tomcat.apache.org/security.html
    - http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
affected:
    - repository: "https://maven.repository.redhat.com/ga/"
    - groupId: "commons-fileupload"
      artifactId: "commons-fileupload"
      version:
        - "<=1.3.1,1.3"
        - "<=1.2.2,1.2"
      fixedin:
        - ">=1.3.2,1.3"
    - groupId: "org.apache.tomcat"
      artifactId: "tomcat-catalina"
      version:
        - "<=9.0.0.M7,9"
        - "<=8.5.2,8.5"
        - "<=8.0.35,8.0"
        - "<=7.0.69,7"
      fixedin:
        - ">=9.0.0.M8,9"
        - ">=8.5.3,8.5"
        - ">=8.0.36,8.0"
        - ">=7.0.70,7"

@jasinner
Member

Most of the time we won't need to include the repository field, as versions are available in Maven Central as well as in other repositories. However, we should include it where the dependency is only found in a third-party repository.
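The design sketched in this thread (an optional repository field on an affected library, Maven Central assumed when it is omitted, third-party repositories only where the artifact lives nowhere else) resolved against the record from the example above, as an added Python example that is not part of the issue or of victims-cve-db. The Maven Central URL, the placement of `repository` inside each affected entry, and the TRUSTED_REPOSITORIES allow-list are assumptions for illustration; the record is constructed from the YAML in the thread.

```python
"""Resolve which repository each affected library in a victims-style record
points at, defaulting to Maven Central, and flag repositories outside an
allow-list so a reviewer can confirm the artifact (and its hash) really comes
from where the report says.  Added example; layout follows the issue's YAML."""
from urllib.parse import urlparse

# Assumed default for entries that omit 'repository'.
MAVEN_CENTRAL = "https://repo1.maven.org/maven2/"

# Repositories this deployment chooses to trust (assumption for illustration).
# Anything else is reported as untrusted rather than rejected outright.
TRUSTED_REPOSITORIES = {MAVEN_CENTRAL, "https://maven.repository.redhat.com/ga/"}

# Constructed record mirroring the issue's example; 'repository' is read here
# as a per-entry key, which is how the comment describes the design.
RECORD = {
    "cve": "2016-3092",
    "affected": [
        {"repository": "https://maven.repository.redhat.com/ga/",
         "groupId": "commons-fileupload", "artifactId": "commons-fileupload",
         "version": ["<=1.3.1,1.3", "<=1.2.2,1.2"], "fixedin": [">=1.3.2,1.3"]},
        {"groupId": "org.apache.tomcat", "artifactId": "tomcat-catalina",
         "version": ["<=9.0.0.M7,9", "<=8.5.2,8.5"], "fixedin": [">=9.0.0.M8,9", ">=8.5.3,8.5"]},
    ],
}


def repository_for(entry):
    """Repository URL for one affected entry: explicit field or Maven Central.
    Only https is accepted, since a plain-http repository lets a network
    attacker substitute the artifact the hash database is built from."""
    repo = entry.get("repository", MAVEN_CENTRAL)
    if urlparse(repo).scheme != "https":
        raise ValueError(f"repository must use https: {repo}")
    return repo if repo.endswith("/") else repo + "/"


def artifact_dir(entry):
    """Standard Maven layout: <repo>/<groupId with dots as slashes>/<artifactId>/."""
    group_path = entry["groupId"].replace(".", "/")
    return f"{repository_for(entry)}{group_path}/{entry['artifactId']}/"


def resolve(record):
    """One summary per affected library: coordinates, resolved repository,
    artifact directory and whether the repository is in the trusted set."""
    return [{"coordinates": f"{e['groupId']}:{e['artifactId']}",
             "repository": repository_for(e),
             "artifact_dir": artifact_dir(e),
             "trusted": repository_for(e) in TRUSTED_REPOSITORIES}
            for e in record["affected"]]
```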
