Overview
This is a one-day, invitation-only security event. All Tomcat committers are invited. The purpose is to improve Tomcat security.
The event is being funded by Google, who generously provided $5k to the Tomcat project to help improve security. All attendees will have one night's accommodation paid for at the CoC hotel. Include the additional night when making your reservation for CoC EU; markt will pay for one night's accommodation at some point during CoC EU using the ASF credit card that has been created and linked to the $5k from Google.
Administration
Thursday 6th June 2024 (the day after CoC EU),
09.00-17.00
Venue: Atrium Lounge, Roset Hotel & Residence, Štúrova, Bratislava, Slovakia
Agenda
- Introductions
- Chris's CVE analysis: review past CVEs to identify general patterns that may apply elsewhere in the Tomcat code base
- general discussion to identify areas where we may be able to improve things
- split into groups based on interest/experience and review the code
- work on fixes to any potential improvements found
Attendees
If there is anyone else you would like to invite, please start a discussion on the private@ mailing list.
Committer | Attending Y/N |
---|---|
Dimitris Soumis (guest) | Y |
Matus Madzin (guest) | Y |
Vladimir Chup (guest) | Y |
potiuk (guest) | Y |
engelen (guest) | Y |
markt | Y |
jfclere | Y |
schultz | Y |
rjung | Y |
remm | Y |
mturk | Y |
fschumacher | Y |
Meeting Notes
Fuzzers / test suites. Look at what is available and investigate integration into a CI build somewhere (GitHub Actions, BuildBot, Gump)
- TLS
  - TLS fuzzer
  - drwetter/testssl.sh
- HTTP
  - Synopsys HTTP fuzzer
  - Structured field
- H2
  - Http2-test
  - h2spec - no longer maintained?
    - Good for protocol violations
    - jfclere - can be modified
  - Python h2 library for reproducers - flexible
- WebSocket
  - Autobahn - receptive to fixes
  - scipag/websocket_fuzzer
  - andresriancho/websocket-fuzzer - maintained?
- WebDAV
  - litmus
- Misc
  - find-sec-bugs.github.io - no failures when run on 11.0.x
  - Coverity - automate - fix/silence issues
  - SpotBugs - add to overnight CI
Documentation
- Provide IDE configuration for SpotBugs, Checkstyle
CVE reproducer test cases
- Needs discussion on the dev list to decide exactly what we want to do
- Do we use a fixed timeframe (simple) or a variable one (risk based)? A longer delay helps enterprises that are slower to update.
- Publish a policy
- Can develop/track in private svn - can run tests privately
Code signing
- Investigate DigiCert signature revocation
Migrate from BZ to GitHub issues
- Discuss on dev list
SBOM
- What do we include?
- If we switched to Maven we could get this for free (but it doesn't support shading)
- Discuss on dev list: generate vs change build
- Schultz has draft
Shading
- BCEL - schultz looking at documenting the process to get from standard BCEL to what we need
- DBCP, Pool, etc - shade during build rather than copy of source
Dependencies
- Contact them to make sure they are aware we use them and that the CRA is coming - solo projects fall between OSS steward and hobbyist
- NSIS
- BND
- JSign
Code coverage
- Realms probably the biggest gap
- Manager and Host Manager have low/no coverage
- IntrospectionUtils is quite fundamental - should probably have higher coverage
- http2
- Lots of 'little' gaps
- Can we / should we remove packages from report?
- Future GSoC project?
Secure by default
- We need CI to be running a performance test to check for obvious regressions
- 9.0.x - change default to true for discardFacades
- Test removal of recycling - collect GC stats
- processorCache == 0 => bad for performance
  - Document 0 == no cache & performance implications
Secure by default
- Shutdown port to -1 - test scripts on all OSes
- Use ${catalina.base} for pwd?
- Remove/disable web apps from distributions - package as WAR as .war.disabled
- Check TLS 1.1 - disabled by default?
- Security listener
  - Windows admin users
  - Writable files that shouldn't be
- Anything from the Tomcat security guide
- Cipher list
- Remove SSI? and/or CGI? Move them to extras?
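As an added illustration (not part of the meeting notes and not Tomcat's shipped server.xml), a server.xml fragment showing where the settings from the list above live. The element and attribute names are real Tomcat configuration; the keystore path, port numbers and the explicit protocol list are values chosen for this example.

```xml
<!-- Example server.xml fragment (added illustration, not the distributed default).
     Defaults being changed are noted in the comments. -->
<!-- Default is port="8005", which accepts the SHUTDOWN command on loopback.
     port="-1" disables the shutdown port; stop Tomcat via the service wrapper
     or the scripts instead. -->
<Server port="-1" shutdown="SHUTDOWN">

  <!-- SecurityListener refuses to start when running as root or with a weak
       umask; the "Windows admin users" item above is about extending it. -->
  <Listener className="org.apache.catalina.security.SecurityListener" />

  <Service name="Catalina">
    <!-- discardFacades="true" drops request/response facades after each
         request so a retained reference cannot read another request's data. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               discardFacades="true">
      <!-- Pin the protocol list instead of relying on the default, so the
           "Check TLS 1.1" question is settled by configuration. The
           ciphers="..." attribute on SSLHostConfig is where the "Cipher list"
           item would be applied; left at the default here. -->
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                     honorCipherOrder="true">
        <!-- Placeholder keystore path relative to ${catalina.base} -->
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Example web apps shipped as manager.war.disabled etc. are not
           deployed; rename to .war to enable. -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
```

Disabling autoDeploy as well is the example's own choice; it is not one of the items above, but it keeps a renamed .war from being picked up without a restart.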
Next event
- EU
- If not CoC, FOSDEM?
- Small group code review
Actions
- Today
  - HTTP header parsing review
Accounting
| Date | Description | CC Income ($) | CC Expenses ($) | CC Balance ($) | Cash Income | Cash Expenses | Cash Balance | Total Balance |
|---|---|---|---|---|---|---|---|---|
| | Initial funding from Google | 5,000.00 | | 5,000.00 | | | | |
| 28 Feb 2024 | Meeting room for June 6th 2024 - EUR 380 | | 425.37 | 4,574.63 | | | | |
| 03 Jun 2024 | markt accommodation - EUR 563.86 | | 632.12 | 3,942.51 | 474.09 | | 474.09 | 4,416.60 |
| 04 Jun 2024 | remm accommodation - EUR 145.83 | | 163.83 | 3,778.68 | | | 474.09 | 4,252.77 |
| 05 Jun 2024 | engelen accommodation - EUR 154.22 | | 173.43 | 3,605.25 | | | 474.09 | 4,079.34 |
| 06 Jun 2024 | Lunch - EUR 270 | | | 3,605.25 | | 303.63 | 170.46 | 3,775.71 |
| 06 Jun 2024 | Dinner - EUR 214.10 | | 240.24 | 3,365.01 | | | 170.46 | 3,535.72 |