<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3044] https for http://maven.indexdata.com/ (MITM attack)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3044</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;a href=&quot;http://maven.indexdata.com/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;http://maven.indexdata.com/&lt;/a&gt; is flagged by the GitHub CodeQL code scanner as vulnerable to a MITM attack because it fails to provide https (encryption):&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/raml-module-builder/security/code-scanning&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/raml-module-builder/security/code-scanning&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://maven.indexdata.com/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;http://maven.indexdata.com/&lt;/a&gt; is a public repository advertised on &lt;a href=&quot;https://mvnrepository.com/repos/indexdata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://mvnrepository.com/repos/indexdata&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;RMB has a dependency on cql-java and downloads it from that repository: &lt;a href=&quot;https://mvnrepository.com/artifact/org.z3950.zing/cql-java/1.13&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://mvnrepository.com/artifact/org.z3950.zing/cql-java/1.13&lt;/a&gt;&lt;/p&gt;

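&lt;p&gt;The download uses plain http, so a machine-in-the-middle attack can change it to contain malware; checksum files fetched over the same unencrypted connection can be replaced as well and therefore do not detect the change. Using https will prevent this once builds reference the https URL.&lt;/p&gt;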

&lt;p&gt;The issue was confirmed in the Slack channel #devops-internal on December 8th, 2020.&lt;/p&gt;

&lt;p&gt;Tasks:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Reconfigure &lt;a href=&quot;http://maven.indexdata.com/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;http://maven.indexdata.com/&lt;/a&gt; to allow public downloads without credentials from &lt;a href=&quot;https://maven.indexdata.com/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://maven.indexdata.com/&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Publish the https URL on &lt;a href=&quot;https://mvnrepository.com/repos/indexdata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://mvnrepository.com/repos/indexdata&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="82020">FOLIO-3044</key>
            <summary>https for http://maven.indexdata.com/ (MITM attack)</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5f9abc1eb45b2e007453f423">John Malconian</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Mon, 1 Mar 2021 10:39:03 +0000</created>
                <updated>Fri, 23 Apr 2021 12:47:15 +0000</updated>
                            <resolved>Wed, 7 Apr 2021 17:00:30 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                <comments>
                                                            <comment id="199268" author="5f9abc1eb45b2e007453f423" created="Wed, 7 Apr 2021 15:48:47 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; I&apos;ve completed the first task.   I&apos;m not sure how to complete the second task (Publish the https URL on &lt;a href=&quot;https://mvnrepository.com/repos/indexdata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://mvnrepository.com/repos/indexdata&lt;/a&gt;).   Can you give me a hint? &lt;/p&gt;</comment>
                                                            <comment id="199270" author="5ee89462f7aa140abd82d11d" created="Wed, 7 Apr 2021 16:42:43 +0000"  >&lt;p&gt;Thank you for enabling public https access!&lt;/p&gt;

&lt;p&gt;Regarding mvnrepository.com:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;rsync has been deprecated since 2010: &lt;a href=&quot;https://maven.apache.org/repository/guide-central-repository-upload.html#explanations&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://maven.apache.org/repository/guide-central-repository-upload.html#explanations&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Individual developers should upload to Sonatype&apos;s Open Source Software Repository Hosting (OSSRH): &lt;a href=&quot;https://central.sonatype.org/publish/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://central.sonatype.org/publish/&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Large Organizations should use Smart Proxy Publish-Subscribe: &lt;a href=&quot;https://central.sonatype.org/publish/large-orgs/sync/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://central.sonatype.org/publish/large-orgs/sync/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;I don&apos;t see a way to update the URL on mvnrepository.com; the indexdata repository was probably added using a method that has since been deprecated.&lt;/p&gt;

&lt;p&gt;This issue can be closed as done.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="82021">FOLIO-3045</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx2vb:u</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="955">DevOps Sprint 111</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 7 Apr 2021 15:48:47 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>