Merge pull request #1647 from Wadeck/Wadeck-patch-1
Add more details to the security policy
dduportal committed Jun 14, 2023
2 parents 07dd84b + 1e41f9c commit 439170b
Showing 1 changed file with 12 additions and 6 deletions.
18 changes: 12 additions & 6 deletions SECURITY.md
Expand Up @@ -16,21 +16,27 @@ The default base image is Debian but multiple other variants are proposed, that

If you have identified a security vulnerability and would like to report it, please be aware of those requirements.


For findings from a **Software Composition Analysis (SCA) scanner report**, all of the following points must be satisfied:
- The scan must have been done on the latest version of the image.
- If the finding is coming from the system (Docker layer):
- The scan must have been done on the latest version of the image.
Vulnerabilities are discovered in a continuous way, so it is expected that past releases could contain some.
- The package should have a fixed version provided in the base image that is not yet included in our image.
- The package should have a fixed version provided in the base image that is not yet included in our image.
We rely on the base image provider to propose the corrections.
- The correction should have existed at the time the image was created.
- The correction should have existed at the time the image was created.
Normally our update workflow ensures that the latest available versions are used.
- If the finding is coming from the application dependencies:
- Proof of exploitation or sufficiently good explanation about why you think it's impacting the application.

The objective is to reduce the number of reports we receive that are not relevant to the security of the project.
For all "valid" findings from SCA, your report must contain:
- The path to the library (there are ~2000 components in the ecosystem, we don't want to have to guess)
- The version and variant of the Docker image you scanned.
- The scanner name and version as well.
- The publicly accessible information about the vulnerability (ideally CVE). For private vulnerability database, please provide all the information at your disposal.

The objective is to reduce the number of reports we receive that are not relevant to the security of the project.

For findings from a **manual audit**, the report must contain either reproduction steps or a sufficiently well described proof to demonstrate the impact.


Once the report is ready, please follow the process about [Reporting Security Vulnerabilities](https://jenkins.io/security/reporting/).

We will reject reports that are not satisfying those requirements.
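Review bot: the "scan must have been done on the latest version of the image" requirement, previously a top-level bullet, now appears only under "If the finding is coming from the system (Docker layer)", so a report about an application dependency scanned on an outdated image tag no longer fails that check; keep it as a top-level requirement that applies to both branches, or repeat it under the application-dependencies bullet. Under the application-dependencies bullet, "sufficiently good explanation about why you think it's impacting the application" is hard for a reporter to act on; consider naming what is expected, for example a reachable call path from the application into the vulnerable function or a configuration that exposes it. In the "For all \"valid\" findings" list, "The path to the library" should say whether this is the file path inside the image or the dependency coordinate, since the ~2000 components remark suggests both could be meant. Minor grammar in the closing line: "We will reject reports that are not satisfying those requirements" reads better as "We will reject reports that do not satisfy those requirements."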
