Hi devs,
Currently the Security Vulnerabilities extension is not bundled by default but we still need to handle discovered vulnerabilities.
On the Security Policy page, we write:
We also need to define a process to decide how to handle when known dependency vulnerabilities are discovered. A first step has been done in that, our CI will fail if there are vulnerabilities detected, preventing us from releasing a new version of XWiki and thus forcing us to address the vulnerabilities in some way.
So this proposal is about defining this process. Here’s a try:
- It’s the role of the Security Manager to handle this. If agreed, we’ll need to update https://dev.xwiki.org/xwiki/bin/view/Community/DevelopmentPractices#HSecurityManagerRole
- Of course, it’s possible for the Security Manager to delegate the work to someone else but it’s still his/her responsibility to ensure it’s handled.
- Today, @mleduc has volunteered to ensure we have an analysis for all CVEs found
- We have the Vulnerability Security Review app on xwiki.org to record the analysis for all CVEs found (replace "view" by "edit" in the URL to edit an analysis)
- When our functional test in charge of finding these vulnerabilities fails, the Security Manager must work ASAP towards performing and recording the analysis before the next release. This is an action that must block the release (unless there’s an exception agreed by the developers, on an exceptional basis).
- When agreed, we document this process in the Security Policy page
Note that we already have part of this process on https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HHowtoreactifavulnerabilityisfoundinalibraryorextension3F but the content above adds some specific actions.
WDYT?
Thanks