To mitigate CVE-2020-11986, NetBeans asks the user for consent before analyzing a Gradle project (analysis executes build.gradle, which can perform arbitrary, potentially malicious actions). Until consent is given, such projects are opened as "broken" and report a problem with the action "Run priming build". The frequency of these consent queries is somewhat too high; the aim of this write-up is to eliminate some of them without weakening the mitigation for CVE-2020-11986.
| Action | Always ask for consent? |
|---|---|
| User creates new project in the IDE | Never |
| User opens a single file in editor (which belongs to a project that is not opened) | Yes, show a bubble with request for consent |
| User browses disk via File / Open Project | Don't ask, don't trust until opened |
| User explicitly opens a project via File / Open Project | No |
| User opens a single file in a subproject of an opened (trusted) master project | No, all subprojects are trusted |
| User closes a trusted project and reopens it | No, trust is forever(?) |
When a single file is being edited, shall the IDE encourage the user to open/trust and analyze the project it belongs in, if any? How? A bubble message in a corner with a link?
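The table above can be expressed as a small trust registry. The following is an added example written for this write-up; it is not NetBeans code and does not use the NetBeans project or Gradle APIs. The class `GradleTrustRegistry`, the `Decision` enum and all sample paths are hypothetical. It shows the one point a practitioner should get right when "all subprojects are trusted": containment must be decided on normalized path elements, not on a string prefix, so that a sibling directory whose name merely starts with the trusted root's name (`shop-evil` next to `shop`) is not treated as a trusted subproject.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical registry of explicitly trusted Gradle project roots.
 * Trust is granted only when the user creates or explicitly opens a project;
 * browsing in the Open Project dialog never adds an entry.
 * (Persistence across IDE sessions, the "trust is forever" row, is out of scope
 * here; this registry is in-memory only.)
 */
public final class GradleTrustRegistry {

    /** Outcome for "user opens a single file in the editor". */
    public enum Decision {
        NOT_A_PROJECT,           // file is not inside any Gradle project: nothing to do
        TRUSTED_NO_PROMPT,       // inside a trusted root (or one of its subprojects): analyze silently
        OPEN_BROKEN_AND_PROMPT   // inside an untrusted project: open as "broken", show consent bubble
    }

    private final Set<Path> trustedRoots = new HashSet<>();

    private static Path normalize(Path p) {
        // Resolve "..", "." and relative segments so containment checks are exact.
        return p.toAbsolutePath().normalize();
    }

    /** Called when the user creates a project or explicitly opens one via File / Open Project. */
    public void trust(Path projectRoot) {
        trustedRoots.add(normalize(projectRoot));
    }

    /** True if the path lies inside a trusted root; subprojects inherit trust from the master. */
    public boolean isTrusted(Path path) {
        Path p = normalize(path);
        for (Path root : trustedRoots) {
            // Path.startsWith compares whole name elements: /x/shop-evil is NOT under /x/shop.
            if (p.startsWith(root)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decide what to do when a single file is opened in the editor.
     * @param file               the file being opened
     * @param enclosingProject   root of the Gradle project containing the file (as found by the
     *                           caller, e.g. nearest ancestor with build.gradle), or null if none
     */
    public Decision decide(Path file, Path enclosingProject) {
        if (enclosingProject == null) {
            return Decision.NOT_A_PROJECT;
        }
        // Check the file itself, not just the project root, so a subproject of a trusted
        // master is covered even when the caller only found the nearest (sub)project root.
        if (isTrusted(file) || isTrusted(enclosingProject)) {
            return Decision.TRUSTED_NO_PROMPT;
        }
        return Decision.OPEN_BROKEN_AND_PROMPT;
    }

    public static void main(String[] args) {
        GradleTrustRegistry reg = new GradleTrustRegistry();
        // Constructed sample paths; no files are touched on disk.
        Path master = Paths.get("/home/alice/work/shop");
        Path lookalike = Paths.get("/home/alice/work/shop-evil");  // shares a string prefix with master

        // Browsing to the project in File / Open Project grants nothing yet.
        System.out.println(reg.decide(master.resolve("build.gradle"), master));                   // OPEN_BROKEN_AND_PROMPT

        reg.trust(master);  // user explicitly opened the master project

        // A file in a subproject of the trusted master: no prompt.
        System.out.println(reg.decide(master.resolve("app/src/Main.java"), master.resolve("app"))); // TRUSTED_NO_PROMPT

        // A sibling whose name merely starts with "shop" stays untrusted.
        System.out.println(reg.decide(lookalike.resolve("build.gradle"), lookalike));             // OPEN_BROKEN_AND_PROMPT

        // A file outside any Gradle project.
        System.out.println(reg.decide(Paths.get("/tmp/notes.txt"), null));                        // NOT_A_PROJECT
    }
}
```

The lookalike case is the reason `Path.startsWith` is used instead of `String.startsWith` on `toString()`: a prefix comparison on the raw string would silently extend trust, and with it the right to execute build.gradle, to any directory whose name begins with the trusted root's name.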