[GHSA-j24h-xcpc-9jw8] Add org.eclipse.core.resources and org.eclipse.help as affected

[guidobonomi]

• core.resources is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.core.resources/3.19.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.core.resources/3.19.0
• help is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.help/3.10.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.help/3.10.0

[darakian]

Hey @guidobonomi, thanks for the PR but can I ask for a few more details? How are those packages being marked as vulnerable?

[guidobonomi]

hey @darakian, here the links to the eclipse advisory:

• https://gitlab.eclipse.org/security/cve-assignement/-/issues/8
• https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8

A bunch of eclipse libraries are vulnerable by this vulnerability. While some other sources properly report these two additional packages as vulnerable (i.e. maven), some reports these packages as vulnerable but erroneously reports the IDE version as fix version - like Gitlab here for org.eclipse.core.resources where it erroneously reports 4.29 as fix version while it should be 3.19.100 (as also per maven & sonatype ossindex) while version 3.19.0 of core.resources is affected as per maven & sonatype ossindex.

Here we are already reporting the proper vulnerable packages like org.eclipse.platform:org.eclipse.platform < 4.29.0 but we are missing the 2 packages in the scope of this PR. I hope this helps

[darakian]

You're gonna have to help me out a little more. I'm not seeing anything in either https://gitlab.eclipse.org/security/cve-assignement/-/issues/8 or https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 that seems to indicate that org.eclipse.platform:org.eclipse.core.resources or org.eclipse.platform:org.eclipse.help are affected.

Is there a particular commit/PR/comment that I should be reading?

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[guidobonomi]

hey @darakian I am struggling a bit understanding which kind of info can help here. As a reference, can you please advise which info have been reported to flag org.eclipse.platform:org.eclipse.core.runtime < 3.29.0 for this vuln?

[darakian]

Sure, it looks like this commit
eclipse-platform/eclipse.platform@5dc372a
is the origin for the core runtime artifact

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.