Skip to content

Commit cfd89d1

Browse files
Flossyclaude
andcommitted
Fix GitHub issues #55, #70, #71: Add security policy, code formatting, and automated updates
Fixes #70: Add .editorconfig for consistent code formatting - Created .editorconfig with rules for Java, XML, YAML, Markdown, Shell, and Properties files - Ensures consistent indentation (4 spaces for Java/XML, 2 for YAML/Shell) - UTF-8 charset and LF line endings across all files - Max line length of 120 for Java files - Works automatically in VS Code, IntelliJ IDEA, Eclipse, Vim, and other editors Fixes #71: Add Dependabot configuration for automated dependency updates - Created .github/dependabot.yml for Maven and GitHub Actions dependencies - Weekly updates on Mondays with max 5 open PRs for Maven, 3 for Actions - Grouped updates: - Apache CXF dependencies grouped together - Test dependencies (JUnit, Mockito) grouped together - Logging dependencies (SLF4J, Logback) grouped together - Auto-labels PRs with "dependencies" and appropriate category tags - Provides security alerts, changelogs, and automated updates Fixes #55: Add SECURITY.md with vulnerability reporting process - Created SECURITY.md with clear vulnerability disclosure guidelines - Preferred method: GitHub Security Advisories - Alternate method: Email to sfloess@gmail.com - Documents expected response times and coordinated disclosure process - Lists known security concerns (Java serialization, file operations) - Documents security best practices and update process - Updated README.md to link to SECURITY.md in Security Considerations section - Added note about ObjectInputFilter protection in v1.30 Benefits: - Improved security posture with clear vulnerability reporting - Automated dependency updates reduce maintenance burden - Consistent code formatting across all contributors - Better security researcher engagement Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent 375724c commit cfd89d1

4 files changed

Lines changed: 156 additions & 0 deletions

File tree

.editorconfig

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
# EditorConfig: https://EditorConfig.org
2+
# Ensures consistent code formatting across different editors and IDEs
3+
4+
root = true
5+
6+
# All files
7+
[*]
8+
charset = utf-8
9+
end_of_line = lf
10+
insert_final_newline = true
11+
trim_trailing_whitespace = true
12+
13+
# Java files
14+
[*.java]
15+
indent_style = space
16+
indent_size = 4
17+
max_line_length = 120
18+
19+
# XML files (pom.xml, etc.)
20+
[*.xml]
21+
indent_style = space
22+
indent_size = 4
23+
24+
# YAML files (GitHub Actions, etc.)
25+
[*.{yml,yaml}]
26+
indent_style = space
27+
indent_size = 2
28+
29+
# Markdown files
30+
[*.md]
31+
trim_trailing_whitespace = false
32+
max_line_length = off
33+
34+
# Shell scripts
35+
[*.sh]
36+
indent_style = space
37+
indent_size = 2
38+
39+
# Properties files
40+
[*.properties]
41+
indent_style = space
42+
indent_size = 2

.github/dependabot.yml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
version: 2
2+
updates:
3+
# Maven dependencies
4+
- package-ecosystem: "maven"
5+
directory: "/"
6+
schedule:
7+
interval: "weekly"
8+
day: "monday"
9+
open-pull-requests-limit: 5
10+
groups:
11+
# Group Apache CXF updates together
12+
apache-cxf:
13+
patterns:
14+
- "org.apache.cxf:*"
15+
# Group test dependencies together
16+
test-dependencies:
17+
patterns:
18+
- "org.junit.jupiter:*"
19+
- "org.mockito:*"
20+
# Group logging dependencies together
21+
logging:
22+
patterns:
23+
- "org.slf4j:*"
24+
- "ch.qos.logback:*"
25+
labels:
26+
- "dependencies"
27+
- "automated"
28+
29+
# GitHub Actions
30+
- package-ecosystem: "github-actions"
31+
directory: "/"
32+
schedule:
33+
interval: "weekly"
34+
day: "monday"
35+
open-pull-requests-limit: 3
36+
labels:
37+
- "dependencies"
38+
- "ci/cd"

README.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -174,12 +174,15 @@ This library sits at the foundation of the Solenopsis stack:
174174

175175
## Security Considerations
176176

177+
**For security vulnerability reporting, see [SECURITY.md](SECURITY.md).**
178+
177179
### Java Serialization
178180
The serialization methods in `StringUtil` are **for internal use only**:
179181
- **WARNING**: Java deserialization of untrusted data is a security risk
180182
- Only deserialize data from trusted sources
181183
- Consider using JSON or XML for external data
182184
- These methods are used internally for session caching
185+
- **ObjectInputFilter** protection added in v1.30 to restrict deserialization to trusted packages
183186

184187
## Contributing
185188

SECURITY.md

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
Currently supported versions of jcommons:
6+
7+
| Version | Supported |
8+
| ------- | ------------------ |
9+
| 1.x | :white_check_mark: |
10+
| < 1.0 | :x: |
11+
12+
## Reporting a Vulnerability
13+
14+
**Please do not report security vulnerabilities through public GitHub issues.**
15+
16+
Instead, please report them via one of the following methods:
17+
18+
### Option 1: GitHub Security Advisories (Preferred)
19+
1. Go to https://github.com/FlossWare/jcommons/security/advisories
20+
2. Click "New draft security advisory"
21+
3. Fill in the details
22+
23+
### Option 2: Email
24+
Send an email to: **sfloess@gmail.com**
25+
26+
Please include:
27+
- Type of vulnerability
28+
- Full paths of source file(s) related to the vulnerability
29+
- Location of the affected source code (tag/branch/commit)
30+
- Step-by-step instructions to reproduce the issue
31+
- Proof-of-concept or exploit code (if possible)
32+
- Impact of the issue, including how an attacker might exploit it
33+
34+
### What to Expect
35+
- **Acknowledgment**: Within 48 hours
36+
- **Initial assessment**: Within 1 week
37+
- **Fix timeline**: Depends on severity (critical: days, high: weeks, medium/low: next release)
38+
- **Disclosure**: We follow coordinated disclosure - public disclosure after fix is available
39+
40+
## Security Considerations in jcommons
41+
42+
### Known Security Concerns
43+
1. **Java Serialization** (`StringUtil.fromString`, `StringUtil.fromCompressedString`)
44+
- Deprecated since v1.22, planned for removal in v2.0
45+
- **Never use with untrusted data**
46+
- Only for internal, trusted sources
47+
- Consider using JSON libraries instead
48+
- **ObjectInputFilter** protection has been added as of v1.30 to restrict deserialization to trusted packages
49+
50+
2. **File Operations** (`FileUtil`)
51+
- Validate file paths to prevent directory traversal
52+
- Be cautious with user-supplied file paths
53+
54+
### Best Practices
55+
- Always use the latest version of jcommons
56+
- Review CHANGELOG.md for security-related updates
57+
- Enable OWASP dependency checking in your builds
58+
- Subscribe to GitHub security advisories for this repository
59+
60+
## Security Update Process
61+
1. Security patch is developed and tested
62+
2. CVE is requested (if applicable)
63+
3. Version is released with security notes in CHANGELOG.md
64+
4. GitHub Security Advisory is published
65+
5. Users are notified via release notes
66+
67+
## Attribution
68+
We appreciate the security research community and will credit researchers (with permission) in:
69+
- CHANGELOG.md
70+
- GitHub Security Advisory
71+
- Release notes
72+
73+
Thank you for helping keep jcommons and its users safe!

0 commit comments

Comments
 (0)