
Adding details about CVEs in third party dependencies #5941

Draft
wants to merge 7 commits into base: master

Conversation

Contributor

@Wadeck Wadeck commented Jan 20, 2023

As the reporting of CVEs is a recurrent topic within the security team, I would like to clarify our standpoint.

Contributor

@MarkEWaite MarkEWaite left a comment


Approved.

content/security/reporting.adoc (outdated)
Comment on lines 43 to 54
This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details.
Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply.
We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities].

If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
`[email protected]`

IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire.
We will not respond to such queries.
If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/node/[blog].

To show our appreciation for your help, we'll send you link:/security/gift/[a small reward] for privately reported, valid vulnerability reports.
Contributor

FTR the redundancy here was deliberate.

Contributor Author

@Wadeck Wadeck Jan 23, 2023


Would you suggest keeping this redundancy?
I see the value of having the information as close as possible to potential reporters, but also the drawback of having two pages talking about the same things, in a sense.

Contributor

> Would you suggest keeping this redundancy?

Yes.

> I see the value of having the information as close as possible to potential reporters, but also the drawback of having two pages talking about the same things, in a sense.

One is the quick summary, the other is the full level of detail. (Of course, if we feel we need to add more details to the quick summary, making it too long, like we've kinda started with the IMPORTANT block here, its value diminishes.)

@NotMyFault
Member

Quickly addressed the merge conflicts I introduced.

@kmartens27
Contributor

Hi @daniel-beck, I wanted to follow up and see if your concerns were addressed with the updates that have been made. If not, what could be changed to provide the right messaging?

@MarkEWaite
Contributor

I liked the phrasing of this enough to quote it in a community.jenkins.io post.

@daniel-beck daniel-beck marked this pull request as draft April 12, 2023 19:49
@daniel-beck
Contributor

Pending a conversation with Wadeck we've been postponing repeatedly since January…

@github-actions github-actions bot added the unresolved-merge-conflict There is a merge conflict with the target branch. label Mar 15, 2024
Contributor

Please take a moment and address the merge conflicts of your pull request. Thanks!

@github-actions github-actions bot removed the unresolved-merge-conflict There is a merge conflict with the target branch. label Mar 16, 2024