Hi everyone,
I’m opening this proposal in reaction to @mleduc’s thread about the new UI to list vulnerabilities, in which he said:
We’ll need to commit to maintaining this list (and be reactive); this also means being able to provide clear explanations of each analysis. This can imo be time consuming, and we’ll probably need to work as a group to make the first explanations clear, to have good examples to follow in the future and to give a good first impression to the first users of the feature.
So I propose that we add a section in our policy regarding vulnerabilities of dependencies, with the following content:
Vulnerabilities in dependencies
Besides security vulnerabilities directly related to the code of XWiki itself, some vulnerabilities might be introduced through the dependencies of XWiki and of the extensions installed on it. Since XWiki 15.5 we provide a dashboard in the Administration that allows checking whether a known vulnerability is present on a wiki.
How to react when a vulnerability is found in a library or an extension?
In most cases it’s possible to upgrade the extension which contains the vulnerable dependency. In a few cases it’s not possible to upgrade, but the vulnerable dependency has been analyzed and is not considered to directly impact the wiki: in such cases the vulnerability is marked as ignored, and you should check the accompanying analysis.
Finally, if a vulnerability concerns a component that cannot be upgraded because no newer version exists and no analysis has been published, you can contact us through the channels defined above.
How long does it take to fix a vulnerable dependency?
We cannot commit to a timeframe for actually fixing the dependency, since it might depend on other parties and on the technical complexity of the upgrade. But we keep the dependencies of XWiki as up-to-date as possible, which also fixes such vulnerabilities before they are disclosed.
Finally, whenever possible we will quickly provide an analysis of a vulnerability to assess how impactful it can be on a wiki.
WDYT? Is it enough?