raboof commented on code in PR #554:
URL: https://github.com/apache/kafka-site/pull/554#discussion_r1345493725


##########
project-security.html:
##########
@@ -35,6 +35,22 @@ <h1 class="content-title">Kafka security</h1>
                <p>
                         For a list of security issues fixed in released 
versions of Apache Kafka, see <a href="/cve-list">CVE list</a>.
                </p>
+               <h2>Advisories for dependencies</h2>
+               <p>
+                       Many organizations use 'security scanning' tools to 
detect components for which advisories exist. While we generally encourage 
using such tools, since they are an important way users are notified of risks, 
our experience is that they produce a lot of false positives: when a dependency 
of Kafka contains a vulnerability, it is likely Kafka is using it in a way that 
is not affected. As such, we do not consider the fact that an advisory has been 
published for a Kafka dependency sensitive. Only when additional analysis 
confirms Kafka is affected by the problem, we ask you to report this finding 
privately through <a href="mailto:secur...@kafka.apache.org?Subject=[SECURITY] 
My security issue" target="_top">secur...@kafka.apache.org</a>.
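Review bot: the sentence "Only when additional analysis confirms Kafka is affected by the problem, we ask you to report this finding privately" needs subject-verb inversion after the fronted "Only when" clause: "Only when additional analysis confirms Kafka is affected by the problem do we ask you to report this finding privately" (the same applies to the "suggests Kafka may be affected" wording discussed below). Two smaller points on the same paragraph: "we do not consider the fact that an advisory has been published for a Kafka dependency sensitive" reads more clearly as "... to be sensitive information", and the paragraph tells readers what not to send to the private list but not where a dependency advisory that does not meet the bar should go, so a closing sentence naming the public channel (a public issue or the dev list) would stop such reports landing on the security address by default. Finally, the mailto href carries a literal space in the subject ("[SECURITY] My security issue"); URL-encode it as %20 so the link is well-formed in every mail client.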

Review Comment:
   I'm happy to adapt the wording - of course it's up to you as PMC to decide 
how you want to deal with such cases.
   
   For context: since anyone can easily run a dependency scanner, it's been our 
general policy to consider the mere fact that an advisory exists for a 
dependency already public knowledge. If a user is unsure about the impact, that 
doesn't really introduce any new information, so private reporting might not 
yet be necessary at that point.
   
   I now changed the wording from "Only when additional analysis confirms Kafka 
is affected" to "Only when additional analysis suggests Kafka may be affected" 
- let me know if you'd like to see a stronger bias towards private reporting.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
