Skip to content

Commit

Permalink
Refactoring rename module/package - edit file content
Browse files Browse the repository at this point in the history 
This aims to implement :
eclipse-leshan#1295

Refactoring was done in 2 commits to try to keep git history :
https://stackoverflow.com/questions/2314652/is-it-possible-to-move-rename-files-in-git-and-maintain-their-history
  • Loading branch information
@sbernard31
sbernard31 committed Jun 28, 2024
1 parent 34caf24 commit 6d2ff69
Show file tree
Hide file tree
Showing 243 changed files with 800 additions and 779 deletions.
2 changes: 1 addition & 1 deletion .gitignore
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Leshan config files #
leshan-core/ddffiles
leshan-lwm2m-core/ddffiles
**/Californium.properties
**/Californium3.properties
**/Californium3.bsserver.properties
Expand Down
8 changes: 4 additions & 4 deletions .jenkins/ci.jenkins
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,9 +27,9 @@ pipeline {
sh ''' mvn -B clean install javadoc:javadoc -PeclipseJenkins '''
}
// Copy artifacts
sh ''' cp leshan-server-demo/target/leshan-server-demo-*-jar-with-dependencies.jar leshan-server-demo.jar
cp leshan-bsserver-demo/target/leshan-bsserver-demo-*-jar-with-dependencies.jar leshan-bsserver-demo.jar
cp leshan-client-demo/target/leshan-client-demo-*-jar-with-dependencies.jar leshan-client-demo.jar
sh ''' cp leshan-demo-server/target/leshan-demo-server-*-jar-with-dependencies.jar leshan-demo-server.jar
cp leshan-demo-bsserver/target/leshan-demo-bsserver-*-jar-with-dependencies.jar leshan-demo-bsserver.jar
cp leshan-demo-client/target/leshan-demo-client-*-jar-with-dependencies.jar leshan-demo-client.jar
'''
}
}
Expand All @@ -47,7 +47,7 @@ pipeline {
}
always {
junit '**/target/surefire-reports/*.xml'
archiveArtifacts artifacts: 'leshan-server-demo.jar,leshan-bsserver-demo.jar,leshan-client-demo.jar'
archiveArtifacts artifacts: 'leshan-demo-server.jar,leshan-demo-bsserver.jar,leshan-demo-client.jar'
}
}
}
6 changes: 3 additions & 3 deletions .jenkins/test.jenkins
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,9 +67,9 @@ pipeline {
'''

// Copy artifacts
sh ''' cp leshan-server-demo/target/leshan-server-demo-*-jar-with-dependencies.jar leshan-server-demo.jar
cp leshan-bsserver-demo/target/leshan-bsserver-demo-*-jar-with-dependencies.jar leshan-bsserver-demo.jar
cp leshan-client-demo/target/leshan-client-demo-*-jar-with-dependencies.jar leshan-client-demo.jar
sh ''' cp leshan-demo-server/target/leshan-demo-server-*-jar-with-dependencies.jar leshan-demo-server.jar
cp leshan-demo-bsserver/target/leshan-demo-bsserver-*-jar-with-dependencies.jar leshan-demo-bsserver.jar
cp leshan-demo-client/target/leshan-demo-client-*-jar-with-dependencies.jar leshan-demo-client.jar
'''
}
}
Expand Down
4 changes: 2 additions & 2 deletions .jenkins/weekly.jenkins
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,8 @@ pipeline {
// Ideally we would like to use a specific integrated tools like : https://github.com/CycloneDX/cyclonedx-node-yarn
// But project is not really active and is searching for contributor : https://github.com/CycloneDX/cyclonedx-node-yarn/issues/12
// OR maybe we should move from Yarn To NPM : https://github.com/eclipse-leshan/leshan/issues/1550#issuecomment-1878802371
sh ''' trivy fs leshan-server-demo/webapp --format cyclonedx --output leshan-server-demo/target/bom-frontend.json --include-dev-deps '''
sh ''' trivy fs leshan-bsserver-demo/webapp --format cyclonedx --output leshan-bsserver-demo/target/bom-frontend.json --include-dev-deps '''
sh ''' trivy fs leshan-demo-server/webapp --format cyclonedx --output leshan-demo-server/target/bom-frontend.json --include-dev-deps '''
sh ''' trivy fs leshan-demo-bsserver/webapp --format cyclonedx --output leshan-demo-bsserver/target/bom-frontend.json --include-dev-deps '''

// check for vulnerabilities
// "find" to search file
Expand Down
22 changes: 11 additions & 11 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ The project also provides a client, a server and a bootstrap server demonstratio

| LWM2M Version <br> Targeted | Leshan <br> Version | Minimal <br> Java Version | Development <br> State | Build Status | Standalone <br> Demos |
| - | - | - | - | - | - |
| [v1.0.x](https://github.com/eclipse/leshan/wiki/Lightweight-M2M-Specification#lightweight-m2m-v10x) | [v1.x](https://github.com/eclipse/leshan/tree/1.x) <br/> [Supported features](https://github.com/eclipse/leshan/wiki/LWM2M-Supported-features) | Java 7 | stable released | [jenkins-1.x](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/) | [server-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-server-demo.jar)<br/> [client-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-client-demo.jar) <br/> [bsserver-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-bsserver-demo.jar) |
| [**v1.1.x**](https://github.com/eclipse/leshan/wiki/Lightweight-M2M-Specification#lightweight-m2m-v11x)| [**v2.x** (master)](https://github.com/eclipse/leshan/tree/master) <br/> [Supported features](https://github.com/eclipse/leshan/wiki/LWM2M-1.1-supported-features) | Java 8 | **in development** |[jenkins-master](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/) | [server-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-server-demo.jar)<br/> [client-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-client-demo.jar) <br/> [bsserver-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-bsserver-demo.jar) |
| [v1.0.x](https://github.com/eclipse/leshan/wiki/Lightweight-M2M-Specification#lightweight-m2m-v10x) | [v1.x](https://github.com/eclipse/leshan/tree/1.x) <br/> [Supported features](https://github.com/eclipse/leshan/wiki/LWM2M-Supported-features) | Java 7 | stable released | [jenkins-1.x](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/) | [server-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-demo-server.jar)<br/> [client-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-demo-client.jar) <br/> [bsserver-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/1.x/lastSuccessfulBuild/artifact/leshan-demo-bsserver.jar) |
| [**v1.1.x**](https://github.com/eclipse/leshan/wiki/Lightweight-M2M-Specification#lightweight-m2m-v11x)| [**v2.x** (master)](https://github.com/eclipse/leshan/tree/master) <br/> [Supported features](https://github.com/eclipse/leshan/wiki/LWM2M-1.1-supported-features) | Java 8 | **in development** |[jenkins-master](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/) | [server-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-server.jar)<br/> [client-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-client.jar) <br/> [bsserver-demo](https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-bsserver.jar) |


Release (stable and milestones) are available on [maven central](https://search.maven.org/search?q=org.eclipse.leshan).
Expand Down Expand Up @@ -51,18 +51,18 @@ Test Leshan Demos locally
-----------------------
Get and run the last binary of our demo **server** :
```
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-server-demo.jar
java -jar ./leshan-server-demo.jar
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-server.jar
java -jar ./leshan-demo-server.jar
```
Get and run the last binary of our demo **client** :
```
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-client-demo.jar
java -jar ./leshan-client-demo.jar
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-client.jar
java -jar ./leshan-demo-client.jar
```
Get and run the last binary of our **bootstrap** demo server :
```
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-bsserver-demo.jar
java -jar ./leshan-bsserver-demo.jar
wget https://ci.eclipse.org/leshan/job/leshan-ci/job/master/lastSuccessfulBuild/artifact/leshan-demo-bsserver.jar
java -jar ./leshan-demo-bsserver.jar
```
:information_source: : _All the demos have a `--help` option._

Expand All @@ -88,21 +88,21 @@ mvn clean install

Run demo **server**:
```
java -jar leshan-server-demo/target/leshan-server-demo-*-SNAPSHOT-jar-with-dependencies.jar
java -jar leshan-demo-server/target/leshan-demo-server-*-SNAPSHOT-jar-with-dependencies.jar
```

Connect on Leshan demo UI: http://localhost:8080
Leshan server Demo provides a very simple UI to get the list of connected clients and interact with clients resources.

Now you can register a LWM2M client by running our **client** demo:
```
java -jar leshan-client-demo/target/leshan-client-demo-*-SNAPSHOT-jar-with-dependencies.jar
java -jar leshan-demo-client/target/leshan-demo-client-*-SNAPSHOT-jar-with-dependencies.jar
```
or trying the [Eclipse Wakaama](http://eclipse.org/wakaama) test client.

You can also try our **bootstrap** demo server:
```
java -jar leshan-bsserver-demo/target/leshan-bsserver-demo-*-SNAPSHOT-jar-with-dependencies.jar
java -jar leshan-demo-bsserver/target/leshan-demo-bsserver-*-SNAPSHOT-jar-with-dependencies.jar
```

Let's start to code !
Expand Down
75 changes: 39 additions & 36 deletions SECURITY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,73 +2,76 @@

## Reporting a Vulnerability

To report a Security issue, you can :
- (**Preferred way ⭐**) create a new [Github Security Advisories](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories), using [this form](https://github.com/eclipse-leshan/leshan/security/advisories/new),
- open a [gitlab issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability),
- send an email to [email protected].
To report a Security issue, you can :

- (**Preferred way ⭐**) create a new [Github Security Advisories](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories), using [this form](https://github.com/eclipse-leshan/leshan/security/advisories/new),
- open a [gitlab issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability),
- send an email to [email protected].

For more details, please look at :
- https://www.eclipse.org/security/
- https://www.eclipse.org/projects/handbook/#vulnerability

- https://www.eclipse.org/security/
- https://www.eclipse.org/projects/handbook/#vulnerability

## Supported Versions

Only Leshan library is concerned. The demos are not covered.
Only Leshan library is concerned. The demos are not covered.

| Version | Supported |
| ------- | ------------------ |
| 2.x | :heavy_check_mark: | |
| 1.x | :heavy_check_mark: |
| ------- | ------------------ | --- |
| 2.x | :heavy_check_mark: | |
| 1.x | :heavy_check_mark: |

Note: ℹ️ **1.x** version depends on californium 2.x version where support is not clear.
Note: ℹ️ **1.x** version depends on californium 2.x version where support is not clear.
See : https://github.com/eclipse/californium/security/policy

## About Leshan Demo

As said previously **Leshan demos are not covered by Security Policy**.

It is strongly discouraged to use Leshan demos v1.x on public server because they are using no longer maintained javascript library like :
It is strongly discouraged to use Leshan demos v1.x on public server because they are using no longer maintained javascript library like :

- **bootstrap.js** (pkg:javascript/[email protected]) : Bootstrap before 4.0.0 is end-of-life and no longer maintained.
- **jquery-2.2.4.js** (pkg:javascript/[email protected]) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

Concerning Leshan demos v2.x, some minimal efforts are made to update dependencies when vulnerabilities are detected but keep in mind that demos are not production ready tools.
Concerning Leshan demos v2.x, some minimal efforts are made to update dependencies when vulnerabilities are detected but keep in mind that demos are not production ready tools.

## Versions Security State

List of version which are not affected by known vulnerability.
List of version which are not affected by known vulnerability.

| Version | |
| -------------------- | ------------------ |
| 2.0.0-M13 + | :heavy_check_mark: |
| 1.5.0 + | :heavy_check_mark: |
| Version | |
| ----------- | ------------------ |
| 2.0.0-M13 + | :heavy_check_mark: |
| 1.5.0 + | :heavy_check_mark: |

This is an exhaustive list of known security issue affecting leshan library :

| CVE/ID | Leshan version concerned | artifacts | Affect |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ---------------------------------------- | ---------------------| ------ |
| [CVE-2023-41034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41034) <br> [GHSA-wc9j-gc65-3cm7](https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7) | 2.0.0-M1 -> 2.0.0-M12 <br> 1.0.0 -> 1.4.2| leshan-core | if you parse untrusted DDF files <br> (e.g. if they let external users provide their own model), |

| CVE/ID | Leshan version concerned | artifacts | Affect |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------ |
| [CVE-2023-41034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41034) <br> [GHSA-wc9j-gc65-3cm7](https://github.com/eclipse-leshan/leshan/security/advisories/GHSA-wc9j-gc65-3cm7) | 2.0.0-M1 -> 2.0.0-M12 <br> 1.0.0 -> 1.4.2 | leshan-lwm2m-core | if you parse untrusted DDF files <br> (e.g. if they let external users provide their own model), |

This is a not exhaustive list of security issue from Leshan dependencies which could affect Leshan :

| CVE/ID | Leshan version concerned | Source | Affect |
| --------------------------------------------------------------------------------------------------------| ---------------------------------------- | ---------------------| ------ |
| [CVE-2022-39368](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39368) | 2.0.0-M1 -> 2.0.0-M8 <br> 1.0.0 -> 1.4.1 | californium/scandium | any DTLS usage |
| [CVE-2022-2576](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2576) | 2.0.0-M1 -> 2.0.0-M7 <br> 1.0.0 -> 1.4.0 | californium/scandium | DTLS_VERIFY_PEERS_ ON_RESUMPTION_THRESHOLD > 0 |
| [GHSA-fj2w-wfgv-mwq6](https://github.com/peteroupc/CBOR-Java/security/advisories/GHSA-fj2w-wfgv-mwq6) | 2.0.0-M2 -> 2.0.0-M4 | com.upokecenter.cbor | CBOR or SenML-CBOR decoding |
| [CVE-2020-27222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27222) | 1.1.0 -> 1.3.1 | californium/scandium | DTLS with x509 and/or RPK |
| [CVE-2021-34433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34433) | 2.0.0-M1 -> 2.0.0-M4 <br> 1.0.0 -> 1.3.1 | californium/scandium | DTLS with x509 and/or RPK |
| CVE/ID | Leshan version concerned | Source | Affect |
| ----------------------------------------------------------------------------------------------------- | ---------------------------------------- | -------------------- | ---------------------------------------------- |
| [CVE-2022-39368](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39368) | 2.0.0-M1 -> 2.0.0-M8 <br> 1.0.0 -> 1.4.1 | californium/scandium | any DTLS usage |
| [CVE-2022-2576](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2576) | 2.0.0-M1 -> 2.0.0-M7 <br> 1.0.0 -> 1.4.0 | californium/scandium | DTLS*VERIFY_PEERS* ON_RESUMPTION_THRESHOLD > 0 |
| [GHSA-fj2w-wfgv-mwq6](https://github.com/peteroupc/CBOR-Java/security/advisories/GHSA-fj2w-wfgv-mwq6) | 2.0.0-M2 -> 2.0.0-M4 | com.upokecenter.cbor | CBOR or SenML-CBOR decoding |
| [CVE-2020-27222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27222) | 1.1.0 -> 1.3.1 | californium/scandium | DTLS with x509 and/or RPK |
| [CVE-2021-34433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34433) | 2.0.0-M1 -> 2.0.0-M4 <br> 1.0.0 -> 1.3.1 | californium/scandium | DTLS with x509 and/or RPK |

Note: We strongly encourage you to switch last safe Leshan version, but for vulnerability caused by a dependency :
- if there isn't Leshan release available OR if you want to be very conservative
- AND the concerned library is using [semantic versioning](https://semver.org/)

then you could try to just update the dependency to a safe compatible version without upgrading Leshan.

- if there isn't Leshan release available OR if you want to be very conservative
- AND the concerned library is using [semantic versioning](https://semver.org/)

then you could try to just update the dependency to a safe compatible version without upgrading Leshan.

## Runtime Security State

This is a not exhaustive list of JVM security issue which could affect common Leshan usages.

| Dependency | Affected Version | Usage | Vulnerability | More Information |
| ---------- | ---------------- | ----- | ------------- | ---------------- |
| JDK / JCE | <= 15.0.2? <br/> <= 16.0.2? <br/> < 17.0.3 <br/> < 18.0.1 | Cipher Suite based on ECDSA | ECDSA [CVE-2022-21449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449) | https://github.com/eclipse/leshan/issues/1243 |
| Dependency | Affected Version | Usage | Vulnerability | More Information |
| ---------- | --------------------------------------------------------- | --------------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------- |
| JDK / JCE | <= 15.0.2? <br/> <= 16.0.2? <br/> < 17.0.3 <br/> < 18.0.1 | Cipher Suite based on ECDSA | ECDSA [CVE-2022-21449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449) | https://github.com/eclipse/leshan/issues/1243 |
Loading

0 comments on commit 6d2ff69

Please sign in to comment.