Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding details about CVEs in third party dependencies #5941

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from
Draft

Adding details about CVEs in third party dependencies #5941

wants to merge 7 commits into from
+20 −10

Conversation

Wadeck
Copy link
Contributor

@Wadeck Wadeck commented Jan 20, 2023

As the reporting of CVEs is a recurrent topic within the security team, I would like to clarify our standpoint.

@Wadeck Wadeck requested a review from a team as a code owner January 20, 2023 11:32
MarkEWaite
MarkEWaite approved these changes Jan 20, 2023
View reviewed changes
Copy link
Contributor

@MarkEWaite MarkEWaite left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

content/security/reporting.adoc Outdated Show resolved Hide resolved
daniel-beck
daniel-beck reviewed Jan 22, 2023
View reviewed changes
content/security/index.adoc Outdated
Comment on lines 43 to 54
This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details.
Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply.
We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities].

If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
`jenkinsci-cert@googlegroups.com`

IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire.
We will not respond to such queries.
If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/node/[blog].

To show our appreciation for your help, we'll send you link:/security/gift/[a small reward] for privately reported, valid vulnerability reports.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR the redundancy here was deliberate.

Copy link
Contributor Author

@Wadeck Wadeck Jan 23, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you suggest to keep this redundancy?
I see the interest of having the information as close as the potential reporters but also the drawback of having two pages talking about the same things in a sense.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you suggest to keep this redundancy?

Yes.

I see the interest of having the information as close as the potential reporters but also the drawback of having two pages talking about the same things in a sense.

One is the quick summary, the other is the full level of detail. (Of course, if we feel we need to add more details to the quick summary, making it too long, like we've kinda started with the IMPORTANT block here, its value diminishes.)

daniel-beck
daniel-beck reviewed Jan 23, 2023
View reviewed changes
content/security/reporting.adoc Outdated Show resolved Hide resolved
content/security/reporting.adoc Show resolved Hide resolved
content/security/reporting.adoc Outdated Show resolved Hide resolved
Wadeck and others added 2 commits January 23, 2023 10:50
@Wadeck @daniel-beck
Apply suggestions from Daniel
d137529 
Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
@NotMyFault
Merge branch 'master' into include-cve
9b0b1a2
@NotMyFault
Copy link
Member

Quickly addressed the merge conflicts I introduced.

@kmartens27
Copy link
Contributor

Hi @daniel-beck, I wanted to follow up and see if your concerns were addressed with the updates that have been made. If not, what could be changed to provide the right messaging?

@MarkEWaite
Copy link
Contributor

I liked the phrasing of this enough to quote it in a community.jenkins.io post.

@daniel-beck daniel-beck marked this pull request as draft April 12, 2023 19:49
@daniel-beck
Copy link
Contributor

Pending a conversation with Wadeck we've been postponing repeatedly since January…

@github-actions github-actions bot added the unresolved-merge-conflict There is a merge conflict with the target branch. label Mar 15, 2024
@github-actions GitHub Actions
Copy link
Contributor

Please take a moment and address the merge conflicts of your pull request. Thanks!

@github-actions github-actions bot removed the unresolved-merge-conflict There is a merge conflict with the target branch. label Mar 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarkEWaite MarkEWaite MarkEWaite approved these changes

@NotMyFault NotMyFault NotMyFault approved these changes

@daniel-beck daniel-beck Awaiting requested review from daniel-beck

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Wadeck @NotMyFault @kmartens27 @MarkEWaite @daniel-beck