On Fri, Dec 22, 2023 at 4:26 PM 'wfoll...@cloudbees.com' via Jenkins Developers <jenkinsci-dev@googlegroups.com> wrote:
> Now, if you are not sure, you can still contact the security team, but I
> will ask you to provide more details, like which plugin, which CVE, and
> your doubts.

After discussing with Wadeck, I'd like to clarify our position: The Jenkins security team does not generally answer questions about publicly known vulnerabilities in libraries that may not even be used anywhere in Jenkins. Any number of commercial or free dependency scanners can provide an answer. This basically falls into the category of compliance question/questionnaire (see the highlighted block here <https://www.jenkins.io/security/#reporting-vulnerabilities>).

For vulnerable libraries determined to actually be dependencies, per our reporting guidelines <https://www.jenkins.io/security/reporting/#non-issues>, we do not consider vulnerabilities in dependencies to be vulnerabilities in Jenkins unless reporters can demonstrate exploitation, or at least explain how it *might* work (or it's really obvious). Unfortunately we get too many folks just dumping unfiltered dependency scanner output into our issue tracker, so we need to be pretty restrictive here due to our limited capacity.

Similar limitations apply to reports of vulnerabilities in OS libraries in Docker images <https://github.com/jenkinsci/docker/security/policy>.