Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2022/11/09 16:24:58 UTC

[GitHub] [solr-site] HoustonPutman commented on a diff in pull request #83: Further clarify reporting of security issues

HoustonPutman commented on code in PR #83:
URL: https://github.com/apache/solr-site/pull/83#discussion_r1018149361


##########
content/pages/security.md:
##########
@@ -5,27 +5,37 @@ template: security
 
 ## How to report a security issue
 
-### CVEs in Solr dependencies
+### Published CVEs Detected by Scanners
+Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.
 
-The Solr PMC will not accept the output of a vulnerability scan as a security report.
+To find a path forward in addressing a detected CVE we suggest the following process for fastest results:
 
-Solr depends on lots of other open-source software -- "dependencies".
-If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
-Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
-If you **don't** see a CVE there, you should take the following steps:
+1. Check further down this page to see if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr
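Review bot: the removed line "The Solr PMC will not accept the output of a vulnerability scan as a security report." was the one unambiguous statement of policy in this section, and the replacement text only implies it (the heading plus "already public knowledge"). Keep a one-sentence version of it directly under the new heading so a reader skimming for the rule still finds it before the four-step process.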

Review Comment:
   ```suggestion
   2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr.
   ```



##########
content/pages/security.md:
##########
@@ -5,27 +5,37 @@ template: security
 
 ## How to report a security issue
 
-### CVEs in Solr dependencies
+### Published CVEs Detected by Scanners
+Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.
 
-The Solr PMC will not accept the output of a vulnerability scan as a security report.
+To find a path forward in addressing a detected CVE we suggest the following process for fastest results:
 
-Solr depends on lots of other open-source software -- "dependencies".
-If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
-Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
-If you **don't** see a CVE there, you should take the following steps:
+1. Check further down this page to see if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr
+3. Search through the [Solr users mailing list archive](https://lists.apache.org/list.html?users@solr.apache.org)  to see if anyone else has brought up this dependency CVE.
+4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
 
-1. Search through the [Solr users mailing list](https://lists.apache.org/list.html?users@solr.apache.org) to see if anyone else has brought up this dependency CVE.
-1. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
+### Dos and Don'ts
+* Please DO discuss the possible need for library upgrades on the user list. 
+* Please DO search Jira for the CVE number to see if we are addressing it already.
+* Please DO create Jira issues and associated pull requests to propose and discuss upgrades of *a single specific* dependency.
+* Please DO NOT attach a scan report, or paste output of a scan into Jira (just link the CVE instead)
+* Please DO NOT email the security email below with a scan report it will be ignored.
 
-### Exploits found in Solr
+### Use of Jira
+Jira is for discussing specific development modifications. Any Jira that contains only scan report output, or references multiple dependencies at the same time is likely to be ignored/closed. The large number of folks sending us reports of things that are already known is a serious drag on our (volunteer) time so **please search Jira** before opening a new issue. 
 
-The Solr PMC greatly appreciates the reporting of security vulnerabilities found in Solr itself.
+### New Exploits <span style="color:blue">You</span> Discover in Solr
 
-Then please disclose responsibly by following [these ASF guidelines](https://www.apache.org/security/) for reporting.
-You may file your request by email to <ma...@solr.apache.org>.
+The Solr PMC greatly appreciates the reporting of new security vulnerabilities found in Solr itself or demonstrations of exploit vulnerability via dependencies. **It is important not to publish a previously unknown exploit**, or exploit demonstration code on public mailing lists. Please disclose new exploits responsibly by following these [ASF guidelines](https://www.apache.org/security/) for reporting. The contact email for reporting newly discovered exploits in Solr is <ma...@solr.apache.org>.
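Review bot: the heading `### New Exploits <span style="color:blue">You</span> Discover in Solr` relies on inline HTML and colour-only emphasis; many markdown renderers strip or escape raw HTML inside headings, and the generated heading anchor will include the span text, so any link to this section becomes fragile. Use plain markdown emphasis (`### New Exploits *You* Discover in Solr`) or drop the styling altogether.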

Review Comment:
   ```suggestion
   The Solr PMC greatly appreciates reports of new security vulnerabilities found in Solr itself or demonstrations of exploiting vulnerabilities via dependencies.
   **It is important not to publish a previously unknown exploit**, or exploit demonstration code on public mailing lists.
   Please disclose new exploits responsibly by following these [ASF guidelines](https://www.apache.org/security/) for reporting.
   The contact email for reporting newly discovered exploits in Solr is <ma...@solr.apache.org>.
   ```
   
   Switching to one line per sentence and cleaning up the first sentence a bit.



##########
content/pages/security.md:
##########
@@ -5,27 +5,37 @@ template: security
 
 ## How to report a security issue
 
-### CVEs in Solr dependencies
+### Published CVEs Detected by Scanners
+Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.
 
-The Solr PMC will not accept the output of a vulnerability scan as a security report.
+To find a path forward in addressing a detected CVE we suggest the following process for fastest results:
 
-Solr depends on lots of other open-source software -- "dependencies".
-If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
-Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
-If you **don't** see a CVE there, you should take the following steps:
+1. Check further down this page to see if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr
+3. Search through the [Solr users mailing list archive](https://lists.apache.org/list.html?users@solr.apache.org)  to see if anyone else has brought up this dependency CVE.
+4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
 
-1. Search through the [Solr users mailing list](https://lists.apache.org/list.html?users@solr.apache.org) to see if anyone else has brought up this dependency CVE.
-1. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
+### Dos and Don'ts
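Review bot: step 1, "Check further down this page to see if the CVE is listed as exploitable in Solr.", is a positional reference that breaks as soon as sections are reordered; link the section of the page that lists the exploitable CVEs instead. While there, step 3 has a doubled space before "to see if anyone else".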

Review Comment:
   ```suggestion
   #### Dos and Don'ts
   ```
   
   Subsection maybe?



##########
content/pages/security.md:
##########
@@ -5,27 +5,37 @@ template: security
 
 ## How to report a security issue
 
-### CVEs in Solr dependencies
+### Published CVEs Detected by Scanners
+Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.
 
-The Solr PMC will not accept the output of a vulnerability scan as a security report.
+To find a path forward in addressing a detected CVE we suggest the following process for fastest results:
 
-Solr depends on lots of other open-source software -- "dependencies".
-If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
-Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
-If you **don't** see a CVE there, you should take the following steps:
+1. Check further down this page to see if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr
+3. Search through the [Solr users mailing list archive](https://lists.apache.org/list.html?users@solr.apache.org)  to see if anyone else has brought up this dependency CVE.
+4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
 
-1. Search through the [Solr users mailing list](https://lists.apache.org/list.html?users@solr.apache.org) to see if anyone else has brought up this dependency CVE.
-1. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
+### Dos and Don'ts
+* Please DO discuss the possible need for library upgrades on the user list. 
+* Please DO search Jira for the CVE number to see if we are addressing it already.
+* Please DO create Jira issues and associated pull requests to propose and discuss upgrades of *a single specific* dependency.
+* Please DO NOT attach a scan report, or paste output of a scan into Jira (just link the CVE instead)
+* Please DO NOT email the security email below with a scan report it will be ignored.
 
-### Exploits found in Solr
+### Use of Jira
+Jira is for discussing specific development modifications. Any Jira that contains only scan report output, or references multiple dependencies at the same time is likely to be ignored/closed. The large number of folks sending us reports of things that are already known is a serious drag on our (volunteer) time so **please search Jira** before opening a new issue. 
 
-The Solr PMC greatly appreciates the reporting of security vulnerabilities found in Solr itself.
+### New Exploits <span style="color:blue">You</span> Discover in Solr
 
-Then please disclose responsibly by following [these ASF guidelines](https://www.apache.org/security/) for reporting.
-You may file your request by email to <ma...@solr.apache.org>.
+The Solr PMC greatly appreciates the reporting of new security vulnerabilities found in Solr itself or demonstrations of exploit vulnerability via dependencies. **It is important not to publish a previously unknown exploit**, or exploit demonstration code on public mailing lists. Please disclose new exploits responsibly by following these [ASF guidelines](https://www.apache.org/security/) for reporting. The contact email for reporting newly discovered exploits in Solr is <ma...@solr.apache.org>.
 
-## More information
-You will find more security related information on our Wiki: <https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity>, such as information on how to treat the automated reports from security scanning tools.
+Before reporting a new exploit ensure that you have tested it against an instance of Solr that has been properly configured with:
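Review bot: deleting the `## More information` section removes the only link to the SolrSecurity wiki landing page (<https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity>); the remaining links point only at the non-exploitable-vulnerabilities anchor. Either keep that pointer somewhere on the page or confirm the wiki content is covered here. The new sentence also needs a comma after "Before reporting a new exploit", and the list it introduces with "configured with:" is outside this hunk, so it cannot be reviewed yet.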

Review Comment:
   ```suggestion
   Before reporting a new exploit ensure that you have tested it against an instance of Solr that is running a [supported version](https://solr.apache.org/downloads.html) and has been properly configured with:
   ```



##########
content/pages/security.md:
##########
@@ -5,27 +5,37 @@ template: security
 
 ## How to report a security issue
 
-### CVEs in Solr dependencies
+### Published CVEs Detected by Scanners
+Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.
 
-The Solr PMC will not accept the output of a vulnerability scan as a security report.
+To find a path forward in addressing a detected CVE we suggest the following process for fastest results:
 
-Solr depends on lots of other open-source software -- "dependencies".
-If a CVE is published (a publicly identified vulnerability) against one of them, the Solr project will review it to see if it's actually exploitable in Solr -- usually they aren't.
-Please review the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) before taking any steps.
-If you **don't** see a CVE there, you should take the following steps:
+1. Check further down this page to see if the CVE is listed as exploitable in Solr.
+2. Check the [officially published non-exploitable vulnerabilities](https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools) list to see if the CVE is listed as not exploitable in Solr
+3. Search through the [Solr users mailing list archive](https://lists.apache.org/list.html?users@solr.apache.org)  to see if anyone else has brought up this dependency CVE.
+4. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
 
-1. Search through the [Solr users mailing list](https://lists.apache.org/list.html?users@solr.apache.org) to see if anyone else has brought up this dependency CVE.
-1. If no one has, then please do [subscribe to the users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) and then send an email asking about the CVE.
+### Dos and Don'ts
+* Please DO discuss the possible need for library upgrades on the user list. 
+* Please DO search Jira for the CVE number to see if we are addressing it already.
+* Please DO create Jira issues and associated pull requests to propose and discuss upgrades of *a single specific* dependency.
+* Please DO NOT attach a scan report, or paste output of a scan into Jira (just link the CVE instead)
+* Please DO NOT email the security email below with a scan report it will be ignored.
 
-### Exploits found in Solr
+### Use of Jira
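Review bot: in the Dos and Don'ts list, "Please DO NOT email the security email below with a scan report it will be ignored." is a run-on and the preceding bullet lacks a terminating period; suggest "Please DO NOT email the security address below with a scan report; it will be ignored." and "(just link the CVE instead)." The list also says "user list" where step 4 above says "users mailing list"; use one name consistently.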

Review Comment:
   ```suggestion
   #### Use of Jira
   ```
   
   Again, maybe a subsection of the dependency CVEs?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

