Copilot commented on code in PR #168:
URL: https://github.com/apache/solr-site/pull/168#discussion_r3058255482


##########
content/pages/security-reporting.md:
##########
@@ -0,0 +1,200 @@
+Title: Solr™ Vulnerability Reporting Procedure
+URL: security-reporting.html
+save_as: security-reporting.html
+template: security-reporting
+
+This page documents the procedure for reporting a security vulnerability in 
Apache Solr and
+explains what happens after a report is submitted. It also provides canned 
email templates
+for PMC members to use when responding to reports.
+
+Apache Solr is maintained by volunteers. The PMC will make every effort to 
respond promptly,
+but cannot guarantee specific response times. We appreciate your patience and 
your contribution
+to the security of the project.
+
+If you have concerns about how the project team is handling a report, you may 
also contact
+[[email protected]](mailto:[email protected]) directly.
+For PMC members, the ASF provides detailed
+[committer guidance on vulnerability 
handling](https://www.apache.org/security/committers.html).
+
+## Before You Report
+
+Ensure you have tested against a [supported Solr 
version](https://solr.apache.org/downloads.html)
+with both **authentication** and **authorization** properly configured.
+Exploits demonstrated without authentication are not valid — running Solr 
without authentication is a
+misconfiguration, not a vulnerability.
+
+<h2 id="submission-rules">Submission Rules <a class="headerlink" 
href="#submission-rules" title="Permanent link">¶</a></h2>
+
+A valid security report to 
[[email protected]](mailto:[email protected]) must:
+
+1. **Be sent as plaintext** — no zip file attachments, no links to Google 
Docs, Dropbox, or similar services
+2. **Cover exactly one vulnerability** — if you have multiple findings, send 
one email per issue
+3. **Include step-by-step reproduction steps** — scanner output alone is not a 
report
+4. **Demonstrate the issue with authentication and authorization enabled** — 
running Solr
+   without authentication is a misconfiguration, not a vulnerability
+5. **Target a [supported Solr 
version](https://solr.apache.org/downloads.html)** — reports
+   against unsupported versions will not be accepted
+
+<h2 id="workflow">Workflow <a class="headerlink" href="#workflow" 
title="Permanent link">¶</a></h2>
+
+<figure class="workflow-figure">
+  <img src="{{ SITEURL }}/theme/images/security-vuln-process.png"
+       alt="Flowchart showing the Solr vulnerability reporting process: 
reporter submits plaintext email, PMC triages within 7 days (reject / needs 
changes / accepted), accepted reports get a private JIRA and ACK email, 
followed by full investigation up to 30 days, then either won't fix or 
confirmed vuln leading to fix, coordinated disclosure, CVE publication, and 
credit in advisory." />
+  <figcaption>Solr vulnerability reporting workflow</figcaption>
+</figure>
+
+<h2 id="what-to-expect">What to Expect <a class="headerlink" 
href="#what-to-expect" title="Permanent link">¶</a></h2>
+
+| Step | Who | Timeframe |
+|------|-----|-----------|
+| Initial triage / acknowledgment | PMC volunteers | Up to 7 days |
+| Full investigation | PMC volunteers | Up to 30 days |
+| CVE ID allocation | PMC + ASF Security Team (CNA) | During fix development |
+| Fix + CVE publication | PMC + ASF Security Team | Coordinated with you |
+| Credit in advisory | PMC | At public disclosure |
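Review bot: the heading markup in this page is inconsistent: `## Before You Report` is a Markdown heading, while Submission Rules, Workflow and What to Expect are raw `<h2 id="...">` elements carrying a hand-written `headerlink` anchor. With `'toc': {'permalink': True, ...}` now enabled in `pelicanconf.py`, Markdown headings get that anchor generated for them, so the raw HTML headings duplicate the mechanism and their `id`s are no longer managed by the extension; write all four as `## ...` headings and let the extension add the permalink. Two smaller points: the sentence "running Solr without authentication is a misconfiguration, not a vulnerability" appears verbatim under Before You Report and again in rule 4 of the submission list, so state it once and have the other spot refer to it; and `<img src="{{ SITEURL }}/theme/images/security-vuln-process.png">` depends on Jinja being rendered inside Markdown page content, which Pelican does not do out of the box, so confirm the site has a plugin for that or use a path the Markdown reader itself resolves.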

Review Comment:
   The markdown table rows start with `||`, which typically renders as an extra 
empty leading column in many Markdown parsers (including Python-Markdown). Use 
a single leading `|` per row (or omit leading pipes consistently) so the table 
renders with the intended 3 columns.



##########
.claude/settings.local.json:
##########
@@ -0,0 +1,30 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(./build.sh:*)",
+      "Bash(python -m pelican:*)",
+      "Bash(pip install:*)",
+      "Bash(cat:*)",
+      "WebSearch",
+      "WebFetch(domain:docs.getpelican.com)",
+      "WebFetch(domain:github.com)",
+      "Bash(python3:*)",
+      "Bash(for i in posts posts2 posts3 posts4 posts5 posts6 posts7 posts8 
posts9)",
+      "Bash(do)",
+      "Bash(if grep -q \"ENABLE_REMOTE_JMX\" 
/Users/janhoy/git/solr-site/output/$i.html)",
+      "Bash(then)",
+      "Bash(echo:*)",
+      "Bash(break)",
+      "Bash(fi)",
+      "Bash(done)",
+      "WebFetch(domain:issues.apache.org)",
+      "Bash(xargs ls:*)",
+      "Bash(grep -E \"\\\\.html$\")",
+      "Bash(grep -E \"\\\\.svg$\")",
+      "Bash(git:*)",
+      "WebFetch(domain:www.apache.org)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}
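Review bot: beyond being a machine-local file, the `allow` list grants `Bash(python3:*)`, `Bash(git:*)`, `Bash(cat:*)` and `Bash(echo:*)`, which together amount to unrestricted command execution (anything can be run through `python3 -c`), so committing it would ship a pre-approved, unsandboxed tool policy to anyone who clones the repository and uses the same assistant. The entries `Bash(do)`, `Bash(then)`, `Bash(fi)`, `Bash(done)` and the grep over `/Users/janhoy/git/solr-site/output/$i.html` are fragments of one interactive shell loop approved token by token, which confirms the file was produced during a local session rather than authored as project policy. Drop it from the PR and add `.claude/settings.local.json` (or the whole `.claude/` directory) to `.gitignore`.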

Review Comment:
   This appears to be a machine-local Claude configuration (note the 
`settings.local.json` name and the hard-coded `/Users/...` path) and grants 
broad command permissions. This should not be committed to the repository; 
remove it from the PR and add `.claude/settings.local.json` to `.gitignore` (or 
provide a sanitized, non-local example file if the project wants to document 
recommended settings).



##########
themes/solr/templates/security-news.html:
##########
@@ -0,0 +1,53 @@
+{% extends "subnav.html" %}
+
+{% block subnav_title %}Solr™ Security News{% endblock %}
+{% block subnav_nav_items %}
+<dd><a href="{{ SITEURL }}/posts.html">All News</a></dd>
+<dd><a href="{{ SITEURL }}/security-news.html" class="selected">Security 
News</a></dd>
+<dd><a href="{{ SITEURL }}/blog.html">Blog</a></dd>
+<dd><a href="{{ SITEURL }}/news.html">Announcements</a></dd>
+{% endblock %}
+
+{% block rss %}<link rel="alternate" type="application/atom+xml" title="Solr 
security announce feed" href="/feeds/solr/security.atom.xml" />{% endblock %}
+
+{% block content_inner %}
+<div class="small-12 columns">
+  <style type="text/css">
+    .headerlink, .elementid-permalink {
+      visibility: hidden;
+    }
+    h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, 
h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, 
dt:hover > .elementid-permalink {
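Review bot: the feed link in `{% block rss %}` uses the absolute path `/feeds/solr/security.atom.xml`, while every nav link in the same template is built from `{{ SITEURL }}`; when the site is previewed locally or served under a path prefix the feed URL resolves against the wrong origin, so prefix it with `{{ SITEURL }}` like the `<dd>` links above it. The `type="text/css"` attribute on the `<style>` element is the HTML5 default and can be dropped, and since this hover-only rule is the same one repeated in `security-reporting.html`, the `:focus-within` addition should land in both files in the same commit.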

Review Comment:
   Permalink anchors are revealed only on `:hover`, which makes them hard to 
discover/use via keyboard navigation. Add a `:focus`/`:focus-visible` rule 
(e.g., `.headerlink:focus` and/or `h2:focus-within > .headerlink`) so the links 
become visible when tabbed to.
   ```suggestion
       h1:hover > .headerlink, h2:hover > .headerlink, h3:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, h6:hover > .headerlink,
       h1:focus-within > .headerlink, h2:focus-within > .headerlink, h3:focus-within > .headerlink, h4:focus-within > .headerlink, h5:focus-within > .headerlink, h6:focus-within > .headerlink,
       .headerlink:focus, .headerlink:focus-visible,
       dt:hover > .elementid-permalink, dt:focus-within > .elementid-permalink,
       .elementid-permalink:focus, .elementid-permalink:focus-visible {
   ```



##########
plugins/combined_posts/__init__.py:
##########
@@ -100,9 +100,69 @@ def generate_output(self, writer):
             logger.info(f'Writing {url} ({page_num}/{paginator.num_pages})')
 
 
+class SecurityNewsGenerator(Generator):
+    """
+    Generator for creating a paginated security news page.
+
+    Lists only articles from the 'solr/security' category, sorted
+    chronologically, and generates security-news.html (+ security-newsN.html).
+    """

Review Comment:
   The docstring says 'sorted chronologically' but the code sorts with 
`reverse=True` (newest-first). Clarify the docstring (e.g., 'reverse 
chronological order' / 'newest first') to match the behavior.



##########
plugins/combined_posts/__init__.py:
##########
@@ -100,9 +100,69 @@ def generate_output(self, writer):
             logger.info(f'Writing {url} ({page_num}/{paginator.num_pages})')
 
 
+class SecurityNewsGenerator(Generator):
+    """
+    Generator for creating a paginated security news page.
+
+    Lists only articles from the 'solr/security' category, sorted
+    chronologically, and generates security-news.html (+ security-newsN.html).
+    """
+
+    def generate_output(self, writer):
+        """Generate paginated security news pages."""
+
+        articles = self.context.get('articles', [])
+
+        security_articles = [
+            a for a in articles
+            if hasattr(a, 'category') and a.category and
+               a.category.name == 'solr/security'
+        ]
+
+        security_articles.sort(key=lambda x: x.date, reverse=True)
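Review bot: the filter hard-codes the category as a string literal in `a.category.name == 'solr/security'`; with Pelican's default folder-as-category behaviour that value comes from the content directory name, so renaming the folder makes this page silently empty instead of failing the build. Read the name from one place shared with the template that links to the page, for example a settings key such as `self.settings.get('SECURITY_CATEGORY', 'solr/security')` (a key name I am assuming, not one in the repo), and log a warning when `security_articles` ends up empty so the mismatch is visible at build time. The `hasattr(a, 'category')` guard looks unnecessary, since Pelican readers fill `category` from the default metadata for every article, but it is harmless.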

Review Comment:
   The docstring says 'sorted chronologically' but the code sorts with 
`reverse=True` (newest-first). Clarify the docstring (e.g., 'reverse 
chronological order' / 'newest first') to match the behavior.



##########
themes/solr/templates/security-reporting.html:
##########
@@ -0,0 +1,61 @@
+{% extends "subnav.html" %}
+
+{% block subnav_title %}Vulnerability Reporting Procedure{% endblock %}
+{% block subnav_nav_items %}
+<dd><a href="{{ SITEURL }}/security.html">Security</a></dd>
+<dd><a href="{{ SITEURL }}/security-reporting.html" 
class="selected">Vulnerability Reporting Procedure</a></dd>
+<dd><a href="{{ SITEURL }}/security-dependency-cves.html">CVE Status for 
Dependencies</a></dd>
+{% endblock %}
+
+{% block content_inner %}
+<div class="small-12 columns">
+  <style type="text/css">
+    .headerlink, .elementid-permalink {
+      visibility: hidden;
+    }
+    h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, 
h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, 
dt:hover > .elementid-permalink {
+      visibility: visible;
+    }
+    details {
+      border: 1px solid #ddd;
+      border-radius: 4px;
+      margin-bottom: 1em;
+      padding: 0;
+    }
+    summary {
+      background: #f5f5f5;
+      cursor: pointer;
+      font-weight: bold;
+      padding: 0.75em 1em;
+      border-radius: 4px;
+    }
+    details[open] summary {
+      border-bottom: 1px solid #ddd;
+      border-radius: 4px 4px 0 0;
+    }
+    details pre {
+      background: #fafafa;
+      border: none;
+      margin: 0;
+      padding: 1em 1.5em;
+      white-space: pre-wrap;
+      font-size: 0.9em;
+    }
+    .workflow-figure {
+      margin: 2em 0;
+    }
+    .workflow-figure img {
+      width: 100%;
+      height: auto;
+      border: 1px solid #e8e8e8;
+      border-radius: 4px;
+    }
+    .workflow-figure figcaption {
+      color: #666;
+      font-size: 0.9em;
+      margin-top: 0.5em;
+    }
+  </style>
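Review bot: the `details`, `summary`, `details[open] summary` and `details pre` rules are bare element selectors, so they restyle every `<details>` element that appears on this page, not only the canned email templates it introduces; scope them under a class, following the `.workflow-figure` convention already used in the same block (for example `.reporting-templates details`, a class name I am assuming), so a future `<details>` coming from the shared theme does not pick up the grey summary bar and the `pre-wrap` rule. As in `security-news.html`, `type="text/css"` on `<style>` is the HTML5 default and can go.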

Review Comment:
   There is now duplicated inline CSS across multiple templates 
(`security.html`, `security-news.html`, `security-dependency-cves.html`, and 
this file), especially the `.headerlink` hover behavior. Consider moving shared 
rules into a theme stylesheet (or a shared template partial/block) to avoid 
style drift and make future updates (e.g., adding `:focus-visible`) a single 
change.



##########
pelicanconf.py:
##########
@@ -107,7 +107,7 @@
 
 MARKDOWN = {
     'extension_configs': {
-        'toc': {},
+        'toc': {'permalink': True, 'permalink_class': 'headerlink', 
'permalink_title': 'Permanent link'},
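Review bot: this one-line change affects every Markdown heading on the site, yet nothing in the hunk records why; add a comment above the `toc` entry stating that permalinks are enabled for the security pages and that templates are expected to hide `.headerlink` until hover or focus (as the `visibility: hidden` rule in `security-reporting.html` does), so the next person editing `MARKDOWN` understands the coupling between this setting and the theme CSS.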

Review Comment:
   This enables TOC permalinks globally for all Markdown headings, which is 
broader than the PR description (focused on security pages). If this is 
intentional, consider adding a global CSS rule in the theme to style/hide 
`.headerlink` consistently site-wide; otherwise, scope permalink behavior to 
only the pages/templates that need it to avoid unexpected `¶` links appearing 
on unrelated pages.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

