Security Vulnerabilities Application
List Extensions Security Vulnerabilities of installed extensions
Type | XAR |
Category | Application |
License | GNU Lesser General Public License 2.1 |
Compatibility | XWiki Standard 15.5RC1+ |
Description
The extension security vulnerabilities scan presents a listing of the installed extensions with known vulnerabilities.
This list of extensions is based on remote sources of vulnerabilities. See the Indexer documentation for more details.
Screenshots
The security list is available in the Security Vulnerabilities entry of the Extensions category in the administration.
As long as at least one known security vulnerability is present on the wiki, admins are warned of the presence of issues through the notifications panel.
Configuration
The configuration can be changed either by updating xwiki.properties, or through a form available at the bottom of the administration page.
When a value is not filled in the administration UI, the corresponding xwiki.properties value is used.
When the Scan Delay value is changed, a new recurring security indexation is started, and subsequent ones are scheduled according to the newly configured delay.
xwiki.properties
# Extension Manager - Security
#-------------------------------------------------------------------------------------
#-# [Since 15.5RC1]
#-# When true, the security scan is enabled. This is the default; set to false to disable the scan.
#-#
# extension.security.scan.enabled = true
#-# [Since 15.5RC1]
#-# Specifies the delay before starting a new security scan after the last one has finished.
#-# The default value is 24 hours.
#-#
# extension.security.scan.delay = 24
#-# [Since 15.5RC1]
#-# Specifies the url to use as the endpoint for the security scan rest queries.
#-# The url must conform to the API documented here: https://google.github.io/osv.dev/post-v1-query/
#-# The default value is https://api.osv.dev/v1/query.
#-#
# extension.security.scan.url = https://api.osv.dev/v1/query
#-# [Since 15.6RC1]
#-# Specifies the url to use as the endpoint for the security scan false-positive fetching rest queries.
#-# The url must conform to the API documented here: http://e.x.o.doc...
#-# The default value is https://extensions.xwiki.org/xwiki/bin/view/Extension/Extension/Security/Code/Reviews
#-#
# extension.security.reviews.url = https://extensions.xwiki.org/xwiki/bin/view/Extension/Extension/Security/Code/Reviews
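The following is an added example, not code from the XWiki project: a small audit that resolves the effective file-level scan settings from xwiki.properties text, using the defaults documented above, and reports settings that disable, slow down or redirect the scan. The findings policy, the function names and the sample input are assumptions of this example.

```python
from urllib.parse import urlparse

# Defaults as documented in the xwiki.properties comments on this page.
DEFAULTS = {
    "extension.security.scan.enabled": "true",
    "extension.security.scan.delay": "24",
    "extension.security.scan.url": "https://api.osv.dev/v1/query",
    "extension.security.reviews.url": "https://extensions.xwiki.org/xwiki/bin/view/"
                                      "Extension/Extension/Security/Code/Reviews",
}

def effective_settings(text):
    """Overlay uncommented 'key = value' lines on the documented defaults.
    Assumption of this sketch: only '=' separators, last occurrence wins."""
    settings = dict(DEFAULTS)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in DEFAULTS:
            settings[key] = value
    return settings

def audit(text):
    """Return findings for file-level settings that weaken or redirect the scan."""
    s, findings = effective_settings(text), []
    if s["extension.security.scan.enabled"].lower() != "true":
        findings.append("scan.enabled: scan is disabled")
    delay = s["extension.security.scan.delay"]
    if not delay.isdigit() or int(delay) == 0:
        findings.append(f"scan.delay: {delay!r} is not a positive number of hours")
    elif int(delay) > int(DEFAULTS["extension.security.scan.delay"]):
        findings.append(f"scan.delay: {delay}h is longer than the 24h default")
    for key in ("extension.security.scan.url", "extension.security.reviews.url"):
        url, default = urlparse(s[key]), urlparse(DEFAULTS[key])
        if url.scheme != "https":
            findings.append(f"{key}: not HTTPS, responses can be altered in transit")
        if url.hostname != default.hostname:
            findings.append(f"{key}: host {url.hostname} is not the default source")
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# extension.security.scan.enabled = true
extension.security.scan.delay = 168
extension.security.scan.url = http://osv-mirror.example.internal/v1/query
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Values filled in through the administration form take precedence over the file, so this only audits the xwiki.properties fallback.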
From the Administration
Prerequisites & Installation Instructions
We recommend using the Extension Manager to install this extension (make sure that the text "Installable with the Extension Manager" is displayed at the top right of this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions while offline is currently not supported, and you would need to use a complex manual method.
You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:
- Log in to the wiki with a user having Administration rights
- Go to the Administration page and select the Import category
- Follow the on-screen instructions to upload the downloaded XAR
- Click on the uploaded XAR and follow the instructions
- You'll also need to install all dependent Extensions that are not already installed in your wiki
Dependencies
Dependencies for this extension (org.xwiki.platform:xwiki-platform-extension-security-ui 16.7.1):
- org.xwiki.platform:xwiki-platform-extension-security-index 16.7.1
- org.xwiki.platform:xwiki-platform-extension-security-notifications 16.7.1
- org.xwiki.platform:xwiki-platform-extension-security-api 16.7.1
- org.xwiki.rendering:xwiki-rendering-macro-message 16.7.1
- org.xwiki.platform:xwiki-platform-administration-ui 16.7.1