Security Vulnerabilities Application

Last modified by Admin on 2024/05/11 00:58

Summary: Lists the security vulnerabilities of installed extensions
Type: XAR
Category: Application
Developed by: XWiki Development Team
License: GNU Lesser General Public License 2.1
Compatibility: XWiki Standard 15.5RC1+

Installable with the Extension Manager

Description

This application is currently unstable and may report false positives, which should be treated with caution.

The extension security vulnerabilities scan presents a listing of the installed extensions with known vulnerabilities.
This list of extensions is based on remote sources of vulnerabilities. See the Indexer documentation for more details.

XWiki < 15.6: Please note that for now, the listing does not include all installed extensions. Extensions that can't be updated through the Extension Manager are currently not included.

Screenshots

The security list is available in the Security Vulnerabilities entry of the Extensions category in the administration.

extension-security-notifications-admin.png

The vulnerabilities presented in the screenshot above are based on outdated extension versions and do not represent the state of an up-to-date XWiki instance.
They are only there to show what the UI looks like when known vulnerabilities are listed.

While at least one known security vulnerability is present on the wiki, admins are warned of the issues through the notifications panel.

extension-security-notifications-uix.png

Configuration

The configuration of the wiki is available either by updating xwiki.properties, or through a form available at the bottom of the administration page.
When a value is not filled in the administration UI, the corresponding xwiki.properties value is used.

When the Scan Delay value is changed, a new recurring security indexation is started, and new ones are scheduled according to the new configured delay.

xwiki.properties

#-------------------------------------------------------------------------------------
# Extension Manager - Security
#-------------------------------------------------------------------------------------

#-# [Since 15.5RC1]
#-# When true, the security scan is enabled. This is the default; set to false to disable the scan.
#-#
# extension.security.scan.enabled = true

#-# [Since 15.5RC1]
#-# Specifies the delay before starting a new security scan after the last one has finished.
#-# The default value is 24 hours.
#-#
# extension.security.scan.delay = 24

#-# [Since 15.5RC1]
#-# Specifies the url to use as the endpoint for the security scan rest queries.
#-# The url must conform to the API documented here: https://google.github.io/osv.dev/post-v1-query/
#-# The default value is https://api.osv.dev/v1/query.
#-#
# extension.security.scan.url = https://api.osv.dev/v1/query

#-# [Since 15.6RC1]
#-# Specifies the url to use as the endpoint for the security scan false-positive fetching rest queries.
#-# The url must conform to the API documented here: http://e.x.o.doc...
#-# The default value is https://extensions.xwiki.org/xwiki/bin/view/Extension/Extension/Security/Code/Reviews
#-#
# extension.security.reviews.url = https://extensions.xwiki.org/xwiki/bin/view/Extension/Extension/Security/Code/Reviews
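As an added example (not code from the XWiki extension itself), the following Python script shows the shape of the exchange that `extension.security.scan.url` points at: a POST to the OSV `/v1/query` endpoint with a package name, ecosystem and version, and a response whose `vulns` entries carry `affected` ranges with `fixed` events. The request and response shapes follow the public OSV API linked above; that XWiki queries the `Maven` ecosystem with `groupId:artifactId` names is an assumption made here, and the sample response, the extension id `org.example:example-extension` and the advisory ids `EXAMPLE-2024-0001`/`EXAMPLE-2024-0002` are constructed placeholders, not real advisories. It is useful for checking by hand what a custom `scan.url` endpoint must return to be understood as a scan result.

```python
"""Offline demonstration of the OSV v1 query exchange used by the security scan.

Added example, not part of the XWiki extension. Request/response shapes follow
https://google.github.io/osv.dev/post-v1-query/; the Maven ecosystem mapping is
an assumption, and SAMPLE_RESPONSE is constructed, not a real advisory.
"""
import json
import urllib.request
from typing import Any

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # default of extension.security.scan.url


def build_osv_query(extension_id: str, version: str) -> dict[str, Any]:
    """Translate an extension id (assumed Maven groupId:artifactId) into an OSV query body."""
    if ":" not in extension_id:
        raise ValueError("expected Maven coordinates of the form groupId:artifactId")
    return {
        "package": {"name": extension_id, "ecosystem": "Maven"},
        "version": version,
    }


def fixed_versions(vuln: dict[str, Any], extension_id: str) -> list[str]:
    """Collect the 'fixed' events that apply to this package from the advisory's ranges.

    Advisories may list several affected packages; entries for other packages
    or ecosystems are ignored so a fix for a different artifact is not reported.
    """
    fixed: list[str] = []
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != "Maven" or pkg.get("name") != extension_id:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    fixed.append(event["fixed"])
    return fixed


def summarize_response(response: dict[str, Any], extension_id: str) -> list[dict[str, Any]]:
    """Reduce an OSV response to what an admin needs: id, aliases, summary, fixed versions."""
    findings = []
    for vuln in response.get("vulns", []):
        findings.append({
            "id": vuln.get("id"),
            "aliases": list(vuln.get("aliases", [])),
            "summary": vuln.get("summary", ""),
            "fixed_in": fixed_versions(vuln, extension_id),  # empty list means no fix published
        })
    return findings


def query_osv(extension_id: str, version: str, url: str = OSV_QUERY_URL, timeout: float = 10.0) -> dict[str, Any]:
    """Perform the live POST (needs network access; not exercised by the offline demo below)."""
    body = json.dumps(build_osv_query(extension_id, version)).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response shaped like OSV output; ids and package names are placeholders.
SAMPLE_EXTENSION = "org.example:example-extension"
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "EXAMPLE-2024-0001",
            "aliases": ["EXAMPLE-ALIAS-1"],
            "summary": "Constructed advisory with a published fix",
            "affected": [
                {   # entry for the queried package: fixed in 1.2.3
                    "package": {"ecosystem": "Maven", "name": SAMPLE_EXTENSION},
                    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
                },
                {   # entry for an unrelated package; its fix must not be attributed to ours
                    "package": {"ecosystem": "Maven", "name": "org.example:other-artifact"},
                    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.9.9"}]}],
                },
            ],
        },
        {
            "id": "EXAMPLE-2024-0002",
            "summary": "Constructed advisory with no fix yet",
            "affected": [
                {
                    "package": {"ecosystem": "Maven", "name": SAMPLE_EXTENSION},
                    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}]}],
                }
            ],
        },
    ]
}


if __name__ == "__main__":
    print(json.dumps(build_osv_query(SAMPLE_EXTENSION, "1.2.0"), indent=2))
    for finding in summarize_response(SAMPLE_RESPONSE, SAMPLE_EXTENSION):
        print(finding["id"], "fixed in:", finding["fixed_in"] or "no fix published")
```

Running the script offline prints the query body and the two constructed findings; `query_osv` performs the real request and can be pointed at the value of `extension.security.scan.url` to confirm a self-hosted endpoint answers in the expected shape.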

From the Administration

extension-security-notifications-admin-config.png

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:

  1. Log in the wiki with a user having Administration rights
  2. Go to the Administration page and select the Import category
  3. Follow the on-screen instructions to upload the downloaded XAR
  4. Click on the uploaded XAR and follow the instructions
  5. You'll also need to install all dependent Extensions that are not already installed in your wiki

Dependencies

Dependencies for this extension (org.xwiki.platform:xwiki-platform-extension-security-ui 16.3.1):
