[GHSA-j24h-xcpc-9jw8] Add org.eclipse.core.resources and org.eclipse.help as affected

[guidobonomi]

• core.resources is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.core.resources/3.19.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.core.resources/3.19.0
• help is affected as per https://mvnrepository.com/artifact/org.eclipse.platform/org.eclipse.help/3.10.0 and https://deps.dev/maven/org.eclipse.platform%3Aorg.eclipse.help/3.10.0

[darakian]

Hey @guidobonomi, thanks for the PR but can I ask for a few more details? How are those packages being marked as vulnerable?

[guidobonomi]

hey @darakian, here the links to the eclipse advisory:

• https://gitlab.eclipse.org/security/cve-assignement/-/issues/8
• https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8

A bunch of eclipse libraries are vulnerable by this vulnerability. While some other sources properly report these two additional packages as vulnerable (i.e. maven), some reports these packages as vulnerable but erroneously reports the IDE version as fix version - like Gitlab here for org.eclipse.core.resources where it erroneously reports 4.29 as fix version while it should be 3.19.100 (as also per maven & sonatype ossindex) while version 3.19.0 of core.resources is affected as per maven & sonatype ossindex.

Here we are already reporting the proper vulnerable packages like org.eclipse.platform:org.eclipse.platform < 4.29.0 but we are missing the 2 packages in the scope of this PR. I hope this helps

[darakian]

You're gonna have to help me out a little more. I'm not seeing anything in either https://gitlab.eclipse.org/security/cve-assignement/-/issues/8 or https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 that seems to indicate that org.eclipse.platform:org.eclipse.core.resources or org.eclipse.platform:org.eclipse.help are affected.

Is there a particular commit/PR/comment that I should be reading?