This is the TRUE Connector traceability matrix for known major issues. The rating ranges from 1 (high priority) to 3 (low priority). For further details on an issue, please check the GitHub issues section of the Data App and Execution Core container.
Classification | Severity | Report Date | Issue | Description | Detailing Location | Affected Component | Impact | Status |
---|---|---|---|---|---|---|---|---|
Functional | High | 2023-01-10 | Base64 encoded payload support | Support for Base64 encoded payloads | Internal ticket | Data App | Data handling efficiency | DONE |
Functional | High | 2023-02-15 | Docker image GHA fails | Failure in Docker image generation via GitHub Actions | Internal ticket | Execution Core | Deployment issues | DONE |
Security | High | 2023-03-05 | Clearing house authentication | Adding authentication header for clearing house | Internal ticket | Data App | Security enhancement | DONE |
Functional | Medium | 2023-06-01 | Error in log for self description | Erroneous log entries when requesting self description | Engineering-Research-and-Development/true-connector-execution_core_container#192 | Execution Core | Log clarity | DONE |
Documentation | High | 2023-09-18 | Error in the curl command in the "Testing DataApp Provider endpoint" section of the readme | The curl call mentioned in the documentation triggers a parsing error | https://github.com/Engineering-Research-and-Development/true-connector-basic_data_basapp/issues/107 | Data App | Users not able to explore TC | DONE |
The vulnerability remediation process is as follows:
- Dependabot code analysis for security vulnerabilities runs automatically
- Analyzing the reported vulnerabilities
- Proposing a code change in accordance with the version update of the dependency at risk
- Fixing/updating and releasing a new TRUE Connector version
Issues are rated by severity using the Common Vulnerability Scoring System (Critical, High, Moderate, Low), and the target time for addressing an issue depends on that severity:
Severity | Time for fixing |
---|---|
Critical | < 1 week |
High | < 3 weeks |
Moderate | < 1 month |
Low | < 2 months |
For currently reported issues, you can always check the Security tab of the specific subcomponent and find all open issues in its Dependabot section.
As TrueConnector is an open-source project, we highly encourage end users to report any bugs they encounter. Our goal is to address and resolve these issues promptly.
- Acknowledge the Issue: Quickly acknowledge the new issue, ideally within 24-48 hours.
- Label the issue appropriately (e.g., bug, feature request, enhancement).
- Ask for more information if the issue is unclear or incomplete.
- Assess Urgency and Impact: Determine the issue's priority based on its urgency, impact on the project, and user needs.
- Set Milestones: Assign the issue to a specific milestone if it aligns with the project's roadmap and priorities.
- Assign Responsibility: Assign the issue to a team member who has the expertise and capacity to handle it.
- Estimate Timeline: Provide an estimated timeline for when the issue might be addressed, if possible.
- Keep Open Communication: Update the issue thread with progress reports, questions, or requests for feedback.
- Implement Solution: Resolve the issue through code changes, documentation updates, or other necessary actions.
- Code Review and Testing: Ensure that any code changes are reviewed and tested thoroughly.
- Close with Explanation: Once resolved, close the issue with a comment explaining the resolution or linking to the relevant pull request.
For managing security issues, a comprehensive approach is adopted:
- Automated Security Scanning: Continuous monitoring for vulnerabilities in dependencies using tools like GitHub Dependabot, which automatically updates vulnerable dependencies.
- GitHub Actions for CI: Leveraging GitHub Actions for continuous integration to build and test every commit, ensuring detection of any new vulnerabilities introduced.
- Code Review and Quality Assurance: Rigorous peer review process for all code changes, especially those addressing security issues, to prevent the introduction of new vulnerabilities.
- Test Coverage: Emphasizing comprehensive test coverage, including unit, integration, and end-to-end tests, to detect vulnerabilities early in the development cycle.
- Documentation and Tracking: Thorough documentation of all security fixes, detailing the vulnerability, the fix, and the impact on the system.
As mentioned earlier, GitHub, used alongside Dependabot, serves as a system for monitoring reported issues, tracking the progress of ongoing issues, and recording closed issues.
The status of an issue can be:
- Open - the issue is reported by an end user, a team member or Dependabot
- Under investigation - checking the reported issue, labeling, categorizing and assigning it
- Under development - actively working on the bug/issue
- Ready for merge - development is done, automated tests have passed, and a PR is opened for review
- Closed - the issue is patched and merged
The most recent status updates for each component are available below:
- Automated security issues reported by Dependabot:
Severity | Report Date | Issue | Affected Component | Solution | Status |
---|---|---|---|---|---|
High | 2022-04 | JSON stack overflow vulnerability | ECC | Bump to v20230227 | CLOSED |
Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | DataApp | Bump to v1.10.0 | CLOSED |
Critical | 2022-02 | Arbitrary code execution in Apache Commons Text | ECC | Bump to v1.10.0 | CLOSED |
Moderate | 2022-04 | Chosen Ciphertext Attack in Jose4j | ECC | Bump to v0.9.3 | CLOSED |
Moderate | 2022-01 | Improper Locking in JetBrains Kotlin | ECC | Bump to v1.6.0 | CLOSED |
Moderate | 2021-01 | Timing based private key exposure in Bouncy Castle | ECC | Bump to v1.66 | CLOSED |