Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/02/16 04:44:54 UTC

[GitHub] [airflow] potiuk commented on issue #14253: Airflow 1.10.10 blackduck scan security risks

potiuk commented on issue #14253:
URL: https://github.com/apache/airflow/issues/14253#issuecomment-779577586


   Hello @rajeshkatkarnice. Thanks for reporting those, but this is not the way security issues should be reported; this report is not actionable.
   
   One comment - I know BlackDuck first-hand and I know that it often reports issues which do not exist. We have no BlackDuck licences, so we cannot reproduce your results, so it is difficult to act on your report.
   
   First of all, can you please re-run your checks on 1.10.14 if you want to use the 1.10 line. There were many changes and updates since 1.10.10 and it is likely that at least some of those problems have been fixed in subsequent versions. We are not releasing patches to earlier versions. If there are any critical security fixes we will release them in 1.10.15, 1.10.16 - there won't ever be a 1.10.10.1 release, for example. So I will kindly ask you to re-run your Black Duck scan on 1.10.14 if you want some action to be taken.
   
   Secondly - if you do suspect any problems with security, you report them via email to security@apache.org - not via a public issue. This is detailed in https://www.apache.org/security/ and the rules there are rather clear:
   
   ```
   Please send one plain-text email for each vulnerability you are reporting. We may ask you to resubmit your report if you send it as an image, movie, HTML, or PDF attachment when it could just as easily be described with plain text.
   ```
   
   So you should break it down into separate issues and send them there.
   
   This list is private and this is the "responsible disclosure" process that you should follow. You should never discuss even suspected security issues in public issues. It also allows the issues to be properly processed, with CVEs assigned, when an issue is triaged and found to be a real issue.
   
   So may I ask you - kindly - to rerun your scans on the latest 1.10 version (possibly also on the latest 2.0 version) and follow the process of reporting the issues this way. Just for the sake of easy discovery I will edit the issue now and close it.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org