diff --git a/docs/.vuepress/client.ts b/docs/.vuepress/client.ts index 4fd7c0cb6..9c715ca21 100644 --- a/docs/.vuepress/client.ts +++ b/docs/.vuepress/client.ts @@ -16,6 +16,7 @@ import Chat from "./components/Chat.vue"; import CodeTabs from "./components/CodeTabs.vue"; import CodeWithCopy from "./components/CodeWithCopy.vue"; import TableTabs from "./components/TableTabs.vue"; +import ELSTechnology from "./components/ELSTechnology.vue"; import CVETracker from './components/JavaSpringSolvedCveTable.vue' @@ -29,6 +30,7 @@ export default defineClientConfig({ app.component("CodeWithCopy", CodeWithCopy); app.component("CVETracker", CVETracker); app.component("TableTabs", TableTabs); + app.component("ELSTechnology", ELSTechnology); }, layouts: { Layout, diff --git a/docs/.vuepress/components/ELSTechnology.vue b/docs/.vuepress/components/ELSTechnology.vue new file mode 100644 index 000000000..f5b680bd5 --- /dev/null +++ b/docs/.vuepress/components/ELSTechnology.vue @@ -0,0 +1,408 @@ + + + + + + + + diff --git a/docs/.vuepress/config-client/documents.ts b/docs/.vuepress/config-client/documents.ts index f5ad55c61..8e51b3a5c 100644 --- a/docs/.vuepress/config-client/documents.ts +++ b/docs/.vuepress/config-client/documents.ts @@ -35,14 +35,19 @@ export default [ link: "/eportal-api/", }, { - title: "ELS for OS", + title: "ELS for Operating Systems", description: "allows you to continue running your Linux server after the operating system’s end of life.", link: "/els-for-os/", }, { - title: "ELS for Languages", - description: "provides security fixes for programming languages and software development frameworks that have reached their end-of-life”", - link: "/els-for-languages/", + title: "ELS for Runtimes & Libraries", + description: "provides security fixes for language runtimes and software libraries beyond their official end-of-life date.", + link: "/els-for-runtimes-and-libraries/", + }, + { + title: "ELS for Applications", + description: "provides security fixes for open-source applications after official support ends.", + link: "/els-for-applications/", }, { title: "Subscription Management Portal", diff --git a/docs/.vuepress/config-client/sidebar.ts b/docs/.vuepress/config-client/sidebar.ts index 23c0256d2..8de0fbf69 100644 --- a/docs/.vuepress/config-client/sidebar.ts +++ b/docs/.vuepress/config-client/sidebar.ts @@ -33,20 +33,28 @@ export default { ] }, ], - '/els-for-languages/': [ + '/els-for-runtimes-and-libraries/': [ { collapsable: false, children: [ - "/els-for-languages/", - "/els-for-languages/php/", - "/els-for-languages/python/", - "/els-for-languages/spring-framework-and-spring-boot/", - "/els-for-languages/dotnet/", - "/els-for-languages/angular/", - "/els-for-languages/angularjs/", - "/els-for-languages/apache-tomcat/", - "/els-for-languages/openjdk/", - "/els-for-languages/python-libraries/", + "/els-for-runtimes-and-libraries/", + "/els-for-runtimes-and-libraries/angular/", + "/els-for-runtimes-and-libraries/angularjs/", + "/els-for-runtimes-and-libraries/dotnet/", + "/els-for-runtimes-and-libraries/openjdk/", + "/els-for-runtimes-and-libraries/php/", + "/els-for-runtimes-and-libraries/python/", + "/els-for-runtimes-and-libraries/python-libraries/", + "/els-for-runtimes-and-libraries/spring-framework-and-spring-boot/", + ] + }, + ], + '/els-for-applications/': [ + { + collapsable: false, + children: [ + "/els-for-applications/", + "/els-for-applications/apache-tomcat/", ] }, ], diff --git a/docs/.vuepress/public/images/csharp.png b/docs/.vuepress/public/images/csharp.png new file mode 100644 index 000000000..518a64bc0 Binary files /dev/null and b/docs/.vuepress/public/images/csharp.png differ diff --git a/docs/.vuepress/public/images/java.png b/docs/.vuepress/public/images/java.png new file mode 100644 index 000000000..106cc1a00 Binary files /dev/null and b/docs/.vuepress/public/images/java.png differ diff --git a/docs/.vuepress/public/images/javascript.png b/docs/.vuepress/public/images/javascript.png new file mode 100644 index 000000000..a43f9e42b Binary files /dev/null and b/docs/.vuepress/public/images/javascript.png differ diff --git a/docs/.vuepress/public/images/php.png b/docs/.vuepress/public/images/php.png new file mode 100644 index 000000000..81f911b99 Binary files /dev/null and b/docs/.vuepress/public/images/php.png differ diff --git a/docs/.vuepress/public/images/python.png b/docs/.vuepress/public/images/python.png new file mode 100644 index 000000000..c2d062821 Binary files /dev/null and b/docs/.vuepress/public/images/python.png differ diff --git a/docs/.vuepress/public/images/ruby.png b/docs/.vuepress/public/images/ruby.png new file mode 100644 index 000000000..ebfa606c6 Binary files /dev/null and b/docs/.vuepress/public/images/ruby.png differ diff --git a/docs/.vuepress/public/images/typescript.png b/docs/.vuepress/public/images/typescript.png new file mode 100644 index 000000000..863f3f7e8 Binary files /dev/null and b/docs/.vuepress/public/images/typescript.png differ diff --git a/docs/.vuepress/routes.json b/docs/.vuepress/routes.json index f7abced87..dd968436c 100644 --- a/docs/.vuepress/routes.json +++ b/docs/.vuepress/routes.json @@ -42,5 +42,53 @@ "/els-for-languages/php/#modules-and-pecl-extensions": "/els-for-languages/php/#Modules_and_pecl_extensions", "/els-for-languages/php/#the-bin-files": "/els-for-languages/php/#The_bin_files", "/els-for-languages/php/#how-to-use-php-els": "/els-for-languages/php/#Increase_upload_or_memory_limits", - "/els-for-languages/php/#Update_alt_php": "/els-for-languages/php/#Update_alt-php" + "/els-for-languages/php/#Update_alt_php": "/els-for-languages/php/#Update_alt-php", + "/els-for-languages": "/els-for-runtimes-and-libraries", + "/els-for-languages/": "/els-for-runtimes-and-libraries/", + "/els-for-languages/apache-tomcat/": "/els-for-applications/apache-tomcat/", + "/els-for-languages/apache-tomcat/#vulnerability-coverage-and-target-response-times": "/els-for-applications/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/apache-tomcat/#incident-reporting-and-response-timeframe": "/els-for-applications/#incident-reporting-and-response-timeframe", + "/els-for-languages/apache-tomcat/#enhanced-transparency-visibility": "/els-for-applications/#enhanced-transparency-visibility", + "/els-for-languages/apache-tomcat/#technical-support": "/els-for-applications/#technical-support", + "/els-for-languages/apache-tomcat/#overview": "/els-for-applications/apache-tomcat/#connection-to-els-for-apache-tomcat-repository", + "/els-for-languages/apache-tomcat/#steps": "/els-for-applications/apache-tomcat/#connection-to-els-for-apache-tomcat-repository", + "/els-for-languages/apache-tomcat/#resolved-cves-in-els-for-apache-tomcat": "/els-for-applications/apache-tomcat/", + "/els-for-languages/angular/": "/els-for-runtimes-and-libraries/angular/", + "/els-for-languages/angular/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/angular/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/angular/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/angular/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/angular/#step-1-get-user-credentials": "/els-for-runtimes-and-libraries/angular/#connection-to-els-for-angular-repository", + "/els-for-languages/angular/#step-2-set-up-els-for-angular": "/els-for-runtimes-and-libraries/angular/#connection-to-els-for-angular-repository", + "/els-for-languages/angularjs/": "/els-for-runtimes-and-libraries/angularjs/", + "/els-for-languages/angularjs/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/angularjs/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/angularjs/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/angularjs/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/dotnet/": "/els-for-runtimes-and-libraries/dotnet/", + "/els-for-languages/dotnet/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/dotnet/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/dotnet/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/dotnet/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/openjdk/": "/els-for-runtimes-and-libraries/openjdk/", + "/els-for-languages/openjdk/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/openjdk/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/openjdk/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/openjdk/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/php/": "/els-for-runtimes-and-libraries/php/", + "/els-for-languages/php/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/php/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/php/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/php/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/python/": "/els-for-runtimes-and-libraries/python/", + "/els-for-languages/python/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/python/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/python/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/python/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/spring-framework-and-spring-boot/": "/els-for-runtimes-and-libraries/spring/", + "/els-for-languages/spring/#vulnerability-coverage-and-target-response-times": "/els-for-runtimes-and-libraries/#vulnerability-coverage-and-target-response-times", + "/els-for-languages/spring/#incident-reporting-and-response-timeframe": "/els-for-runtimes-and-libraries/#incident-reporting-and-response-timeframe", + "/els-for-languages/spring/#enhanced-transparency-visibility": "/els-for-runtimes-and-libraries/#enhanced-transparency-visibility", + "/els-for-languages/spring/#technical-support": "/els-for-runtimes-and-libraries/#technical-support", + "/els-for-languages/python-libraries/": "/els-for-runtimes-and-libraries/python-libraries/" } diff --git a/docs/.vuepress/theme/components/Breadcrumb.vue b/docs/.vuepress/theme/components/Breadcrumb.vue index 6d4a1919a..75c29512f 100644 --- a/docs/.vuepress/theme/components/Breadcrumb.vue +++ b/docs/.vuepress/theme/components/Breadcrumb.vue @@ -22,6 +22,7 @@ const siteTitle = computed(() => site.value.title); const titleMap = { '/els-for-languages/': 'ELS for Languages', + '/els-for-runtimes-and-libraries/': 'ELS for Runtimes & Libraries', }; const breadCrumbs = computed(() => { diff --git a/docs/els-for-languages/openjdk/README.md b/docs/els-for-applications/README.md similarity index 54% rename from docs/els-for-languages/openjdk/README.md rename to docs/els-for-applications/README.md index 6cc094124..f0313a892 100644 --- a/docs/els-for-languages/openjdk/README.md +++ b/docs/els-for-applications/README.md @@ -1,24 +1,14 @@ -# OpenJDK + -Endless Lifecycle Support (ELS) from TuxCare provides security fixes for OpenJDK versions that have reached end-of-life. This allows you to continue running your OpenJDK-based applications without vulnerability concerns, even after official support has ended. +# Endless Lifecycle Support for Open-Source Applications -## Supported OS and OpenJDK versions - -**Supported architecture:** x86_64. - -| OS | Package Type | OS Version | OpenJDK version | -| :-----------------------------------: | :----------: | :-----------: | :------------: | -| CentOS, CloudLinux, OracleLinux, etc. | RPM | 6.x, 7.x, 8.x | 8 | -| AlmaLinux | RPM | 8.x, 9.x | 8 | - - -*Other versions and architectures upon request. +* [Apache Tomcat](./apache-tomcat) ## Vulnerability Coverage and Target Response Times -TuxCare employs the Common Vulnerability Scoring System (CVSS v3) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. +TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI-DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, have similar requirements. +Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: @@ -29,15 +19,15 @@ TuxCare will make commercially reasonable efforts to adhere to the following gui ## Incident Reporting and Response Timeframe -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. +Customers can report vulnerabilities by submitting a ticket through the [TuxCare Support Portal](https://tuxcare.com/support-portal/). TuxCare commits to providing an initial response to any reported issue within 3 days. -Requests for customer-directed security patches for CVEs that are outside of the ELS for OpenJDK scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. +Requests for customer-directed security patches for CVEs that are outside of the ELS for Open-Source Applications scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. ## Enhanced Transparency & Visibility -TuxCare's commitment to transparency and visibility is foundational to our ELS for OpenJDK offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. +TuxCare's commitment to transparency and visibility is foundational to our ELS for Open-Source Applications offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. * **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. * **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. @@ -57,64 +47,4 @@ Note: This feature is under consideration for future development and may be avai ## Technical Support -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - -## Installation Instructions - -These steps are suitable for RPM-based systems (CentOS, CloudLinux, AlmaLinux, Oracle Linux, etc). - -:::tip -This installation method is suitable for both non-containerized systems and containerized environments (such as Docker containers based on supported OS versions). -::: - -1. Download the TuxCare OpenJDK ELS repository package: - - - - ```text - wget https://repo.tuxcare.com/java-els/els-openjdk-release-install.x86_64.rpm - ``` - - - -2. Install the repository package: - - - - ```text - yum install ./els-openjdk-release-install.x86_64.rpm - ``` - - -3. Verify the repository is enabled: - - - - ```text - yum repolist | grep java-els - ``` - - - - You can now install OpenJDK versions supported by TuxCare’s Endless Lifecycle Support (ELS). - -4. Install OpenJDK, for example, OpenJDK 8: - - - - ```text - yum install java-1.8.0-openjdk - ``` - - - -5. Verify the installation: - - - - ```text - java -version - ``` - - - +TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to the TuxCare’s online knowledge base. diff --git a/docs/els-for-applications/apache-tomcat/README.md b/docs/els-for-applications/apache-tomcat/README.md new file mode 100644 index 000000000..1e9b7ae28 --- /dev/null +++ b/docs/els-for-applications/apache-tomcat/README.md @@ -0,0 +1,97 @@ +# Apache Tomcat + +TuxCare's Endless Lifecycle Support (ELS) for Apache Tomcat provides security patches, and selected bug fixes, that are integral to the stable operation of applications running on these versions of Apache Tomcat core components such as Coyote, Catalina, Jasper etc.. These components have either reached their end of standard support from vendors or have reached End of Life (EOL). +Our ELS for Apache Tomcat service is designed to provide solutions for organizations that are not yet ready to migrate to newer versions and that are seeking long-term stability for their legacy Apache Tomcat applications. + +## Connection to ELS for Apache Tomcat Repository + +This guide outlines the steps needed to integrate the TuxCare ELS for Apache Tomcat repository into your Java application. The repository provides trusted Java libraries that can be easily integrated into your Maven as well as Gradle project. + +### Step 1: Get user credentials + +You need username and password in order to use TuxCare ELS Apache Tomcat repository. Anonymous access is disabled. To receive username and password please contact [sales@tuxcare.com](mailto:sales@tuxcare.com). + +### Step 2: Create or Modify Your Build Tool Settings + +**Maven** + +* If you are using Maven as your build automation tool, you will need to make changes in your `${MAVEN_HOME}/settings.xml` file. If the file does not already exist in your Maven home directory (`${MAVEN_HOME}`), you should create one. Open the `settings.xml` file with a text editor and include the following configuration: + +```text + + + + + repository-id + ${env.USERNAME} + ${env.PASSWORD} + + + +``` + +* Set your credentials via the following environment variables: + +```text +export USERNAME=your-username +export PASSWORD=your-password +``` + +Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials-1). + +* You may choose an arbitrary allowed value instead of `repository-id` and use the same value in the following snippet from your `pom.xml` file: + +```text + + + repository-id + https://nexus.repo.tuxcare.com/repository/els_tomcat/ + + +``` + +* An example of maven project you can find [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/maven). Do not forget to set the environment variables. + +**Gradle** + +* If you are using Gradle as your build automation tool, make sure to include the following configuration in your project setup: + +```text +repositories { + maven { + url = uri("https://nexus.repo.tuxcare.com/repository/els_tomcat/") + credentials { + username = findProperty('USERNAME') + password = findProperty('PASSWORD') + } + } +} +``` + +* Set your credentials via the following environment variables: + +```text +export ORG_GRADLE_PROJECT_USERNAME=your-username +export ORG_GRADLE_PROJECT_PASSWORD=your-password +``` + +Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials-1). + +* An example of gradle project you can find [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/gradle). Do not forget to set the environment variables. + +## Verification + +To confirm that the repository has been correctly established, include any library from the repository into your project and then run a build. The build tool you're using should be able to identify and resolve dependencies from the TuxCare ELS for Apache Tomcat repository. + +## Conclusion + +You've successfully integrated the TuxCare ELS for Apache Tomcat repository into your project. You can now benefit from the secure and vetted Apache Tomcat libraries it provides. + + \ No newline at end of file diff --git a/docs/els-for-languages/README.md b/docs/els-for-languages/README.md deleted file mode 100644 index 1b47f9178..000000000 --- a/docs/els-for-languages/README.md +++ /dev/null @@ -1,13 +0,0 @@ - - -# Endless Lifecycle Support for Languages - -* [PHP](./php) -* [Python](./python) -* [Spring Framework and Spring Boot](./spring-framework-and-spring-boot) -* [Apache Tomcat](./apache-tomcat) -* [.NET](./dotnet) -* [Angular](./angular) -* [AngularJS](./angularjs) -* [OpenJDK](./openjdk) -* [Python Libraries](./python-libraries) diff --git a/docs/els-for-languages/angularjs/README.md b/docs/els-for-languages/angularjs/README.md deleted file mode 100644 index 644714235..000000000 --- a/docs/els-for-languages/angularjs/README.md +++ /dev/null @@ -1,202 +0,0 @@ -# AngularJS - -Endless Lifecycle Support (ELS) for AngularJS from TuxCare provides security fixes for AngularJS versions that have reached its end of life. This allows you to continue running AngularJS applications without vulnerability concerns, even after official support has ended. - -:::warning -ELS for AngularJS is currently in active development. If you are interested in updates, adoption, or have specific requirements or feature requests, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -## Supported AngularJS Versions - -* AngularJS 1.5, 1.6, 1.7, 1.8 - -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for AngularJS scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for AngularJS offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - -## Connection to ELS for AngularJS Repository - -Please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for instructions. - -This guide outlines the steps needed to integrate the TuxCare ELS for AngularJS repository. - -## Step 1: Get user credentials - -You need a username, password, and token in order to use TuxCare ELS AngularJS repository. Anonymous access is disabled. To receive the credentials, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com). - -## Step 2: Set Up ELS for AngularJS - -TuxCare provides ELS for AngularJS as an NPM package, hosted on a secure internal registry. Follow the steps below to add it to your project and get started. - -1. Navigate to the root directory of your AngularJS project. -2. Create a `.npmrc` file or update it if it already exists. - - **Example:** - - ```text - my-angularjs-project/ - ├── node_modules/ - ├── package.json - ├── .npmrc ⚠️ ← Create it here - └── package-lock.json - ``` - -3. Use an editor of your choice (e.g., VS Code) to add the following registry address line: - - - - ```text - registry=https://registry.npmjs.org/ - @els-js:registry=https://nexus.repo.tuxcare.com/repository/els_js/ - //nexus.repo.tuxcare.com/repository/els_js/:_auth=${TOKEN} - ``` - - - - :::warning - Replace ${TOKEN} with the token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com). - ::: - -4. Update your `package.json` file to replace your AngularJS dependencies with the TuxCare packages: - - - - - - - - - - - - - -5. In your terminal, run the following command to install ELS for AngularJS dependencies: - - - - ```text - npm install --userconfig .npmrc - ``` - - - - You will see an output like: - - ```text - added 1 package, and audited 2 packages in 796ms - - found 0 vulnerabilities - ``` - -6. You've successfully integrated the TuxCare ELS for AngularJS repository into your project. - -## Resolved CVEs - -Fixes for the following vulnerabilities are available in ELS for AngularJS from TuxCare versions: - -| CVE ID | Severity | Vulnerable Version | Safe Version | -| --- | --- | --- | --- | -| CVE-2025-0716 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2024-8372 | Medium | >=1.3.0-rc.4 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2024-8373 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2024-21490 | High | >=1.3.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2023-26118 | Medium | >=1.4.9 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2023-26117 | Medium | >=1.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2023-26116 | Medium | >=1.2.21 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2022-25869 | Medium | >=0.0.0| 1.5.11, 1.6.10, 1.7.9, 1.8.3 | -| CVE-2022-25844 | Medium | >=1.7.0 | 1.7.9, 1.8.3 | -| CVE-2020-7676 | Medium | <1.8.0 | 1.5.11, 1.6.10, 1.7.9 | -| CVE-2019-10768 | Critical | <1.7.9 | 1.5.11, 1.6.10, 1.7.9 | - -If you are interested in the TuxCare Endless Lifecycle Support, contact [sales@tuxcare.com](mailto:sales@tuxcare.com). - diff --git a/docs/els-for-languages/apache-tomcat/README.md b/docs/els-for-languages/apache-tomcat/README.md deleted file mode 100644 index 2fe0bf999..000000000 --- a/docs/els-for-languages/apache-tomcat/README.md +++ /dev/null @@ -1,144 +0,0 @@ -# Apache Tomcat - -TuxCare's Endless Lifecycle Support (ELS) for Apache Tomcat provides security patches, and selected bug fixes, that are integral to the stable operation of applications running on these versions of Apache Tomcat core components such as Coyote, Catalina, Jasper etc.. These components have either reached their end of standard support from vendors or have reached End of Life (EOL). -Our ELS for Apache Tomcat service is designed to provide solutions for organizations that are not yet ready to migrate to newer versions and that are seeking long-term stability for their legacy Apache Tomcat applications. - -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for Apache Tomcat scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for Apache Tomcat offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - -## Connection to ELS for Apache Tomcat Repository - -## Overview - -This guide outlines the steps needed to integrate the TuxCare ELS for Apache Tomcat repository into your Java application. The repository provides trusted Java libraries that can be easily integrated into your Maven as well as Gradle project. - -## Steps - -## Step 1: Get user credentials - -You need username and password in order to use TuxCare ELS Apache Tomcat repository. Anonymous access is disabled. To receive username and password please contact [sales@tuxcare.com](mailto:sales@tuxcare.com). - -## Step 2: Create or Modify Your Build Tool Settings - -**Maven** - -* If you are using Maven as your build automation tool, you will need to make changes in your `${MAVEN_HOME}/settings.xml` file. If the file does not already exist in your Maven home directory (`${MAVEN_HOME}`), you should create one. Open the `settings.xml` file with a text editor and include the following configuration: - -```text - - - - - repository-id - ${env.USERNAME} - ${env.PASSWORD} - - - -``` - -* Set your credentials via the following environment variables: - -```text -export USERNAME=your-username -export PASSWORD=your-password -``` - -Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials-1). - -* You may choose an arbitrary allowed value instead of `repository-id` and use the same value in the following snippet from your `pom.xml` file: - -```text - - - repository-id - https://nexus.repo.tuxcare.com/repository/els_tomcat/ - - -``` - -* An example of maven project you can find [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/maven). Do not forget to set the environment variables. - -**Gradle** - -* If you are using Gradle as your build automation tool, make sure to include the following configuration in your project setup: - -```text -repositories { - maven { - url = uri("https://nexus.repo.tuxcare.com/repository/els_tomcat/") - credentials { - username = findProperty('USERNAME') - password = findProperty('PASSWORD') - } - } -} -``` - -* Set your credentials via the following environment variables: - -```text -export ORG_GRADLE_PROJECT_USERNAME=your-username -export ORG_GRADLE_PROJECT_PASSWORD=your-password -``` - -Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials-1). - -* An example of gradle project you can find [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/gradle). Do not forget to set the environment variables. - -## Verification - -To confirm that the repository has been correctly established, include any library from the repository into your project and then run a build. The build tool you're using should be able to identify and resolve dependencies from the TuxCare ELS for Apache Tomcat repository. - -## Conclusion - -You've successfully integrated the TuxCare ELS for Apache Tomcat repository into your project. You can now benefit from the secure and vetted Apache Tomcat libraries it provides. - -## Resolved CVEs in ELS for Apache Tomcat - -| CVE Name | Severity | Group | Name | Version | Fixed Version | -| ---------------- | -------- | ------------------------------- | ------------------------------------------- | ------------- | --------------------- | -| | | | | | | -| | | | | | | diff --git a/docs/els-for-languages/spring-framework-and-spring-boot/README.md b/docs/els-for-languages/spring-framework-and-spring-boot/README.md deleted file mode 100644 index ee67e40bb..000000000 --- a/docs/els-for-languages/spring-framework-and-spring-boot/README.md +++ /dev/null @@ -1,142 +0,0 @@ -# Spring Framework and Spring Boot - -TuxCare's Endless Lifecycle Support (ELS) for Spring provides security updates, system enhancement patches, and selected bug fixes, that are integral to the stable operation of applications running on these versions of Spring ecosystem components such as Spring Framework, Spring Boot, Spring Data, Spring Security, etc. These components have either reached their end of standard support from vendors or have reached End of Life (EOL). - -Our ELS for Spring service is designed to provide solutions for organizations that are not yet ready to migrate to newer versions and that are seeking long-term stability for their legacy Spring applications. - -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI-DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, have similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare [Support Portal](https://tuxcare.com/support-portal/). TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for Spring scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for Spring offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare [Support Portal](https://tuxcare.com/support-portal/) and to the TuxCare’s online knowledge base. - -## Connection to ELS for Spring Repository - -## Overview - -This guide outlines the steps needed to integrate the TuxCare ELS for Spring repository into your Java application. The repository provides trusted Java libraries that can be easily integrated into your Maven as well as Gradle project. - -## Steps - -## Step 1: Get user credentials - -You need username and password in order to use TuxCare ELS Spring repository. Anonymous access is disabled. To receive username and password please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) - -## Step 2: Create or Modify Your Build Tool Settings - -**Maven** - -* If you are using Maven as your build automation tool, you will need to make changes in your `${MAVEN_HOME}/settings.xml` file. If the file does not already exist in your `${MAVEN_HOME}` directory, you should create one. Open the `settings.xml` file with a text editor and include the following configuration: - -```text - - - - - repository-id - ${env.USERNAME} - ${env.PASSWORD} - - - -``` - -* Set your credentials via the following environment variables: - -```text -export USERNAME=your-username -export PASSWORD=your-password -``` - -Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials). - -* You may choose an arbitrary allowed value instead of `repository-id` and use the same value in the following snippet from your `pom.xml` file: - -```text - - - repository-id - https://nexus-repo.corp.cloudlinux.com/repository/els_spring/ - - -``` - -* An example maven project can be found [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/maven). Do not forget to set the environment variables. - -**Gradle** - -* If you are using Gradle as your build automation tool, make sure to include the following configuration in your project setup: - -```text -repositories { - maven { - url = uri("https://nexus-repo.corp.cloudlinux.com/repository/els_spring") - credentials { - username = findProperty('USERNAME') - password = findProperty('PASSWORD') - } - } -} -``` - -* Set your credentials via the following environment variables: - -```text -export ORG_GRADLE_PROJECT_USERNAME=your-username -export ORG_GRADLE_PROJECT_PASSWORD=your-password -``` - - Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials). - -* An example gradle project can be found [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/gradle). Do not forget to set the environment variables. - -## Verification - -To confirm that the repository has been correctly established, include any library from the repository into your project and then run a build. The build tool you're using should be able to identify and resolve dependencies from the TuxCare ELS for Spring repository. - -## Conclusion - -You've successfully integrated the TuxCare ELS for Spring repository into your project. You can now benefit from the secure and vetted Spring libraries it provides. - -## Resolved CVEs in ELS for Spring - - diff --git a/docs/els-for-runtimes-and-libraries/README.md b/docs/els-for-runtimes-and-libraries/README.md new file mode 100644 index 000000000..d9a344bd3 --- /dev/null +++ b/docs/els-for-runtimes-and-libraries/README.md @@ -0,0 +1,55 @@ + + +# Endless Lifecycle Support for Runtimes and Libraries + + + +## Vulnerability Coverage and Target Response Times + +TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. + +Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. + +TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: + +* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days +* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days +* **Low-severity CVEs:** Patches provided within 90 days. + * **For .NET patches may be provided upon custom request.** +* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. + +## Incident Reporting and Response Timeframe + +Customers can report vulnerabilities by submitting a ticket through the [TuxCare Support Portal](https://tuxcare.com/support-portal/). TuxCare commits to providing an initial response to any reported issue within 3 days. + +Requests for customer-directed security patches for CVEs that are outside of the ELS for Runtimes & Libraries scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. + +Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. + +## Enhanced Transparency & Visibility + +TuxCare's commitment to transparency and visibility is foundational to our ELS for Runtimes & Libraries offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. + +* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. +* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. + +:::warning +Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) +::: + +* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. +* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. + +:::warning +Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) +::: + +* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. + +## Technical Support + +TuxCare provides technical support according to the: +* Standard [support policy](https://tuxcare.com/TuxCare-support-policy.pdf) **(excluding .NET)**. +* The **.NET-specific** [support policy](https://tuxcare.com/TuxCare-els-windows-support-policy.pdf). + +It delivers 24/7/365 access to the TuxCare’s support team through the [TuxCare Support Portal](https://tuxcare.com/support-portal/) and to the TuxCare’s online knowledge base. \ No newline at end of file diff --git a/docs/els-for-languages/angular/README.md b/docs/els-for-runtimes-and-libraries/angular/README.md similarity index 79% rename from docs/els-for-languages/angular/README.md rename to docs/els-for-runtimes-and-libraries/angular/README.md index a6b35f942..fcccdf3fe 100644 --- a/docs/els-for-languages/angular/README.md +++ b/docs/els-for-runtimes-and-libraries/angular/README.md @@ -10,51 +10,6 @@ ELS for Angular is currently in active development. If you are interested in upd Angular versions 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and 19 are supported. -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for Angular scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for Angular offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - ## Connection to ELS for Angular Repository Please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for instructions. diff --git a/docs/els-for-runtimes-and-libraries/angularjs/README.md b/docs/els-for-runtimes-and-libraries/angularjs/README.md new file mode 100644 index 000000000..bb7e3a68a --- /dev/null +++ b/docs/els-for-runtimes-and-libraries/angularjs/README.md @@ -0,0 +1,157 @@ +# AngularJS + +Endless Lifecycle Support (ELS) for AngularJS from TuxCare provides security fixes for AngularJS versions that have reached its end of life. This allows you to continue running AngularJS applications without vulnerability concerns, even after official support has ended. + +:::warning +ELS for AngularJS is currently in active development. If you are interested in updates, adoption, or have specific requirements or feature requests, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) +::: + +## Supported AngularJS Versions + +* AngularJS 1.5, 1.6, 1.7, 1.8 + +## Connection to ELS for AngularJS Repository + +Please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) for instructions. + +This guide outlines the steps needed to integrate the TuxCare ELS for AngularJS repository. + +## Step 1: Get user credentials + +You need a username, password, and token in order to use TuxCare ELS AngularJS repository. Anonymous access is disabled. To receive the credentials, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com). + +## Step 2: Set Up ELS for AngularJS + +TuxCare provides ELS for AngularJS as an NPM package, hosted on a secure internal registry. Follow the steps below to add it to your project and get started. + +1. Navigate to the root directory of your AngularJS project. +2. Create a `.npmrc` file or update it if it already exists. + + **Example:** + + ```text + my-angularjs-project/ + ├── node_modules/ + ├── package.json + ├── .npmrc ⚠️ ← Create it here + └── package-lock.json + ``` + +3. Use an editor of your choice (e.g., VS Code) to add the following registry address line: + + + + ```text + registry=https://registry.npmjs.org/ + @els-js:registry=https://nexus.repo.tuxcare.com/repository/els_js/ + //nexus.repo.tuxcare.com/repository/els_js/:_auth=${TOKEN} + ``` + + + + :::warning + Replace ${TOKEN} with the token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com). + ::: + +4. Update your `package.json` file to replace your AngularJS dependencies with the TuxCare packages: + + + + + + + + + + + + + +5. In your terminal, run the following command to install ELS for AngularJS dependencies: + + + + ```text + npm install --userconfig .npmrc + ``` + + + + You will see an output like: + + ```text + added 1 package, and audited 2 packages in 796ms + + found 0 vulnerabilities + ``` + +6. You've successfully integrated the TuxCare ELS for AngularJS repository into your project. + +## Resolved CVEs + +Fixes for the following vulnerabilities are available in ELS for AngularJS from TuxCare versions: + +| CVE ID | Severity | Vulnerable Version | Safe Version | +| --- | --- | --- | --- | +| CVE-2025-0716 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2024-8372 | Medium | >=1.3.0-rc.4 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2024-8373 | Medium | >=0.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2024-21490 | High | >=1.3.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2023-26118 | Medium | >=1.4.9 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2023-26117 | Medium | >=1.0.0 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2023-26116 | Medium | >=1.2.21 | 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2022-25869 | Medium | >=0.0.0| 1.5.11, 1.6.10, 1.7.9, 1.8.3 | +| CVE-2022-25844 | Medium | >=1.7.0 | 1.7.9, 1.8.3 | +| CVE-2020-7676 | Medium | <1.8.0 | 1.5.11, 1.6.10, 1.7.9 | +| CVE-2019-10768 | Critical | <1.7.9 | 1.5.11, 1.6.10, 1.7.9 | + +If you are interested in the TuxCare Endless Lifecycle Support, contact [sales@tuxcare.com](mailto:sales@tuxcare.com). + diff --git a/docs/els-for-languages/dotnet/README.md b/docs/els-for-runtimes-and-libraries/dotnet/README.md similarity index 74% rename from docs/els-for-languages/dotnet/README.md rename to docs/els-for-runtimes-and-libraries/dotnet/README.md index 4bc5fcf8e..d14f5b19e 100644 --- a/docs/els-for-languages/dotnet/README.md +++ b/docs/els-for-runtimes-and-libraries/dotnet/README.md @@ -35,50 +35,6 @@ The .NET Runtime is the base runtime required to run console or server-based .NE TuxCare applies security patches to .NET 6 for the above OS versions, ensuring continued stability and security even beyond the official end-of-life date. -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+)**: Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9)**: Patches provided within 60 days -* **Low-severity CVEs**: Patches may be provided upon custom request -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal [https://tuxcare.com/support-portal/](https://tuxcare.com/support-portal/). TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for .NET scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-els-windows-support-policy.pdf). It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal [https://tuxcare.com/support-portal/](https://tuxcare.com/support-portal/) and to the TuxCare’s online knowledge base. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for .NET offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - ## Installation via the .NET Installer ### Prerequisites & System Requirements diff --git a/docs/els-for-languages/duration-of-support/README.md b/docs/els-for-runtimes-and-libraries/duration-of-support/README.md similarity index 100% rename from docs/els-for-languages/duration-of-support/README.md rename to docs/els-for-runtimes-and-libraries/duration-of-support/README.md diff --git a/docs/els-for-runtimes-and-libraries/openjdk/README.md b/docs/els-for-runtimes-and-libraries/openjdk/README.md new file mode 100644 index 000000000..091548264 --- /dev/null +++ b/docs/els-for-runtimes-and-libraries/openjdk/README.md @@ -0,0 +1,75 @@ +# OpenJDK + +Endless Lifecycle Support (ELS) from TuxCare provides security fixes for OpenJDK versions that have reached end-of-life. This allows you to continue running your OpenJDK-based applications without vulnerability concerns, even after official support has ended. + +## Supported OS and OpenJDK versions + +**Supported architecture:** x86_64. + +| OS | Package Type | OS Version | OpenJDK version | +| :-----------------------------------: | :----------: | :-----------: | :------------: | +| CentOS, CloudLinux, OracleLinux, etc. | RPM | 6.x, 7.x, 8.x | 8 | +| AlmaLinux | RPM | 8.x, 9.x | 8 | + + +*Other versions and architectures upon request. + +## Installation Instructions + +These steps are suitable for RPM-based systems (CentOS, CloudLinux, AlmaLinux, Oracle Linux, etc). + +:::tip +This installation method is suitable for both non-containerized systems and containerized environments (such as Docker containers based on supported OS versions). +::: + +1. Download the TuxCare OpenJDK ELS repository package: + + + + ```text + wget https://repo.tuxcare.com/java-els/els-openjdk-release-install.x86_64.rpm + ``` + + + +2. Install the repository package: + + + + ```text + yum install ./els-openjdk-release-install.x86_64.rpm + ``` + + +3. Verify the repository is enabled: + + + + ```text + yum repolist | grep java-els + ``` + + + + You can now install OpenJDK versions supported by TuxCare’s Endless Lifecycle Support (ELS). + +4. Install OpenJDK, for example, OpenJDK 8: + + + + ```text + yum install java-1.8.0-openjdk + ``` + + + +5. Verify the installation: + + + + ```text + java -version + ``` + + + diff --git a/docs/els-for-languages/php/README.md b/docs/els-for-runtimes-and-libraries/php/README.md similarity index 94% rename from docs/els-for-languages/php/README.md rename to docs/els-for-runtimes-and-libraries/php/README.md index 8c4a0c26e..64aa9fc8d 100644 --- a/docs/els-for-languages/php/README.md +++ b/docs/els-for-runtimes-and-libraries/php/README.md @@ -74,51 +74,6 @@ Below are tables with information about the time of security support from the ve -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI-DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, have similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for PHP scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for PHP offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - ## Installation Instructions for Linux ### Get user credentials diff --git a/docs/els-for-languages/python-libraries/README.md b/docs/els-for-runtimes-and-libraries/python-libraries/README.md similarity index 100% rename from docs/els-for-languages/python-libraries/README.md rename to docs/els-for-runtimes-and-libraries/python-libraries/README.md diff --git a/docs/els-for-languages/python/README.md b/docs/els-for-runtimes-and-libraries/python/README.md similarity index 55% rename from docs/els-for-languages/python/README.md rename to docs/els-for-runtimes-and-libraries/python/README.md index fbb23725f..84e1dbceb 100644 --- a/docs/els-for-languages/python/README.md +++ b/docs/els-for-runtimes-and-libraries/python/README.md @@ -15,51 +15,6 @@ Endless Lifecycle Support (ELS) for Python from TuxCare provides security fixes *Other distros and architectures upon request. -## Vulnerability Coverage and Target Response Times - -TuxCare employs the Common Vulnerability Scoring System (CVSS v3) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score. - -Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI-DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, have similar requirements. - -TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities: - -* **High and Critical CVEs (CVSS 7+):** Patches provided within 14 days -* **Medium-severity CVEs (CVSS 4.0 to 6.9):** Patches provided within 60 days -* **Low-severity CVEs:** Patches provided within 90 days -* TuxCare may offer a mitigation strategy as an alternative to a direct code fix. - -## Incident Reporting and Response Timeframe - -Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal . TuxCare commits to providing an initial response to any reported issue within 3 days. - -Requests for customer-directed security patches for CVEs that are outside of the ELS for Python scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days. - -Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer. - -## Enhanced Transparency & Visibility - -TuxCare's commitment to transparency and visibility is foundational to our ELS for Python offering. We provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain. - -* **SLSA Compliance**: All packages are built and signed to ensure verifiable Supply-chain Levels for Software Artifacts (SLSA) compliance. They are securely constructed from vetted sources, include attestations for all dependencies, and undergo continuous testing to maintain integrity and security. -* **Software Bill of Materials (SBOM)**: We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Enhanced Metadata in Standard Formats:** Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips. -* **Verifiable Integrity and Provenance**: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy. - -:::warning -Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) -::: - -* **Secure Distribution**: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered. - -## Technical Support - -TuxCare provides technical support according to the [support policy](https://tuxcare.com/TuxCare-support-policy.pdf?_gl=1*9hjdum*_up*MQ..*_ga*MTQ0MTM0NTI4OC4xNjk5Mzk2ODYy*_ga_Z539WTSZ80*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_1790YFKF4F*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..*_ga_64QBSWJJGS*MTY5OTM5Njg2MC4xLjAuMTY5OTM5Njg2MC4wLjAuMA..) . It delivers 24/7/365 access to the TuxCare’s support team through the TuxCare Support Portal and to the TuxCare’s online knowledge base. - ## Installation Instructions for Linux ### RPM-based diff --git a/docs/els-for-runtimes-and-libraries/spring/README.md b/docs/els-for-runtimes-and-libraries/spring/README.md new file mode 100644 index 000000000..b0bdbfc20 --- /dev/null +++ b/docs/els-for-runtimes-and-libraries/spring/README.md @@ -0,0 +1,97 @@ +# Spring + +TuxCare's Endless Lifecycle Support (ELS) for Spring provides security updates, system enhancement patches, and selected bug fixes, that are integral to the stable operation of applications running on these versions of Spring ecosystem components such as Spring Framework, Spring Boot, Spring Data, Spring Security, etc. These components have either reached their end of standard support from vendors or have reached End of Life (EOL). + +Our ELS for Spring service is designed to provide solutions for organizations that are not yet ready to migrate to newer versions and that are seeking long-term stability for their legacy Spring applications. + +## Connection to ELS for Spring Repository + +## Overview + +This guide outlines the steps needed to integrate the TuxCare ELS for Spring repository into your Java application. The repository provides trusted Java libraries that can be easily integrated into your Maven as well as Gradle project. + +## Steps + +## Step 1: Get user credentials + +You need username and password in order to use TuxCare ELS Spring repository. Anonymous access is disabled. To receive username and password please contact [sales@tuxcare.com](mailto:sales@tuxcare.com) + +## Step 2: Create or Modify Your Build Tool Settings + +**Maven** + +* If you are using Maven as your build automation tool, you will need to make changes in your `${MAVEN_HOME}/settings.xml` file. If the file does not already exist in your `${MAVEN_HOME}` directory, you should create one. Open the `settings.xml` file with a text editor and include the following configuration: + +```text + + + + + repository-id + ${env.USERNAME} + ${env.PASSWORD} + + + +``` + +* Set your credentials via the following environment variables: + +```text +export USERNAME=your-username +export PASSWORD=your-password +``` + +Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials). + +* You may choose an arbitrary allowed value instead of `repository-id` and use the same value in the following snippet from your `pom.xml` file: + +```text + + + repository-id + https://nexus-repo.corp.cloudlinux.com/repository/els_spring/ + + +``` + +* An example maven project can be found [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/maven). Do not forget to set the environment variables. + +**Gradle** + +* If you are using Gradle as your build automation tool, make sure to include the following configuration in your project setup: + +```text +repositories { + maven { + url = uri("https://nexus-repo.corp.cloudlinux.com/repository/els_spring") + credentials { + username = findProperty('USERNAME') + password = findProperty('PASSWORD') + } + } +} +``` + +* Set your credentials via the following environment variables: + +```text +export ORG_GRADLE_PROJECT_USERNAME=your-username +export ORG_GRADLE_PROJECT_PASSWORD=your-password +``` + + Here `your-username` and `your-password` are your credentials mentioned in the [Step 1](#step-1-get-user-credentials). + +* An example gradle project can be found [here](https://github.com/cloudlinux/securechain-java/blob/main/examples/gradle). Do not forget to set the environment variables. + +## Verification + +To confirm that the repository has been correctly established, include any library from the repository into your project and then run a build. The build tool you're using should be able to identify and resolve dependencies from the TuxCare ELS for Spring repository. + +## Conclusion + +You've successfully integrated the TuxCare ELS for Spring repository into your project. You can now benefit from the secure and vetted Spring libraries it provides. + +## Resolved CVEs in ELS for Spring + +