raboof commented on code in PR #86:
URL: https://github.com/apache/solr-site/pull/86#discussion_r1049644130


##########
content/pages/security.md:
##########
@@ -10,17 +10,42 @@ Every CVE that is detected by a software scanner is by 
definition already public
 
 To find a path forward in addressing a detected CVE we suggest the following 
process for fastest results:
 
-1. Check further down this page to see if the CVE is listed as exploitable in 
Solr.
-2. Check the [officially published non-exploitable 
vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools)
 list to see if the CVE is listed as not exploitable in Solr.
+1. Check [further down this page](#recent-cve-reports-for-apache-solr) to see 
if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable 
vulnerabilities](#cve-reports-for-apache-solr-dependencies) list to see if the 
CVE is listed as not exploitable in Solr.
 3. Search through the [Solr users mailing list 
archive](https://lists.apache.org/list.html?us...@solr.apache.org)  to see if 
anyone else has brought up this dependency CVE.
 4. If no one has, then please do [subscribe to the users mailing 
list](https://solr.apache.org/community.html#mailing-lists-chat) and then send 
an email asking about the CVE.
 
+#### VEX
+Since the process of checking whether CVEs in dependencies of Solr affect your
+Solr deployment is tedious and error-prone, we are experimenting with sharing
+information about advisories that are known (not) to affect Solr in a
+machine-readable way.
+
+File formats to share this information are called 'VEX' formats. A number of
+such formats are under active development, such as based on
+[CycloneDX](https://cyclonedx.org/capabilities/vex/) and
+[CSAF](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md#45-profile-5-vex).
+
+We are currently providing vulnerability information in a CycloneDX JSON-based
+format [here](/solr.vex.json). We are very curious to hear about your 
experience,
+and to find out what is still missing to reduce the signal/noise ratio and make
+these tools more effective. We invite you to join the discussion at the
+[security-discuss](mailto:security-disc...@community.apache.org)
+[mailinglist](https://www.apache.org/foundation/mailinglists.html) or,
+if you prefer to collaborate in private, contact
+[secur...@apache.org](mailto:secur...@apache.org). It will likely be 
interesting
+to know what security scanning/reporting tool you are using, exactly on which
+artifacts, and if/how its vendor appears to support VEX. We'd be happy to work
+with you to see if we can provide this information in other variations or 
formats.
+
 #### Dos and Don'ts
 * Please DO discuss the possible need for library upgrades on the user list. 
 * Please DO search Jira for the CVE number to see if we are addressing it 
already.
 * Please DO create Jira issues and associated pull requests to propose and 
discuss upgrades of *a single specific* dependency.
 * Please DO NOT attach a scan report, or paste output of a scan into Jira 
(just link the CVE instead)
 * Please DO NOT email the security email below with a scan report it will be 
ignored.
+* Please DO talk to your scanning tool vendor about supporting VEX.
+* Please DO share your experience with incorporating VEX into your toolchain 
on the 
[security-disc...@community.apache.org](mailto:security-disc...@community.apache.org)
 [mailinglist](https://www.apache.org/foundation/mailinglists.html) or with 
[secur...@apache.org](mailto:secur...@apache.org).
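Review bot: In the VEX paragraph, "reduce the signal/noise ratio" states the opposite of the intent; a VEX file exists to suppress false positives, so the goal is to improve the signal-to-noise ratio (or reduce the noise). Suggest "improve the signal-to-noise ratio". Smaller wording points in the same block: "such as based on" reads better as "such as those based on", and "mailinglist" should be "mailing list" (it appears both in the paragraph and in the new Dos and Don'ts bullet). Since steps 1 and 2 of the process now point at the in-page anchors `#recent-cve-reports-for-apache-solr` and `#cve-reports-for-apache-solr-dependencies` instead of the cwiki page, please confirm those fragment ids match the heading ids the site generator emits for the sections further down. Lastly, the sentence linking `/solr.vex.json` would benefit from stating which Solr releases and artifacts its statements cover and how the file is kept current, because a consumer's scanner will apply the "not affected" statements without further review.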

Review Comment:
   :+1: condensed it into one bullet referring to the chapter



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

