Tell users what to do if their scanners find issues in the image#37652
Merged
potiuk merged 1 commit on Feb 23, 2024
Conversation
bd76278 to 3cfa4eb
49c1c7a to 3729ab2
We often get reports with results of image scanning sent to the security team. However, for 3rd-party CVEs which are public, this is the wrong way of reporting them, and our users have other ways they can either handle it, research it, or contribute their findings back, and it's not clear to them that a) they have those options, b) their expectations are that the Airflow security team will tell them how to clear their security scan reports, c) they do not know they should (and can) contribute back. This change restructures and clarifies the chapter that was describing it in a pretty vague way, turning it into a "How to" guide for the users, explaining all the options they have and explaining what the ways are they can contribute back, also making it crystal clear what the responsibility of the security team is for it and that the community expects contributions in such cases from commercial users who want their security reports cleared, not the other way round.
3729ab2 to 4532a8f
Taragolis approved these changes on Feb 23, 2024
raboof (Member) reviewed on Feb 26, 2024 and left a comment:
Great to write this down in such detail! I added a few tiny linguistic remarks.
Reviewed lines (context from the changed file, as quoted by the review):

vulnerabilities in one email - those are rejected immediately, as they make the process of handling the issue
way harder for everyone, including the reporters.

Also DO NOT open aa GitHub Issue with the scan results and asking what to do. The GitHub Issues are for

vulnerability, it does not mean that it can be exploited in Airflow (or specifically in the way you are
using Airflow). If you do have a reproducible scenario how a vulnerability can be exploited in Airflow, you should -
of course - privately report it to the security team. But if you do not have reproducible
scenario, please make a research and try to understand the impact of the vulnerability on Airflow. That
could be a fantastic contribution to the community and way to give back to the project that your company uses
for free.

You are free to discuss it publicly, open a `Github Discussion <https://github.com/apache/airflow/discussions>`_
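Review bot: the quoted "Also DO NOT open aa GitHub Issue" fragment has a doubled article ("aa" should be "a"), and in the following fragment "reproducible scenario how a vulnerability can be exploited" and "if you do not have reproducible scenario, please make a research" read better as "reproducible scenario showing how a vulnerability can be exploited" and "if you do not have a reproducible scenario, please do some research"; since this text instructs reporters where to send what, it is worth the small wording fixes before it ships.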
potiuk (Member, Author) replied:
Fixes in #37714
jedcunningham pushed a commit that referenced this pull request on Mar 19, 2024:

We often get reports with results of image scanning sent to the security team. However, for 3rd-party CVEs which are public, this is the wrong way of reporting them, and our users have other ways they can either handle it, research it, or contribute their findings back, and it's not clear to them that a) they have those options, b) their expectations are that the Airflow security team will tell them how to clear their security scan reports, c) they do not know they should (and can) contribute back. This change restructures and clarifies the chapter that was describing it in a pretty vague way, turning it into a "How to" guide for the users, explaining all the options they have and explaining what the ways are they can contribute back, also making it crystal clear what the responsibility of the security team is for it and that the community expects contributions in such cases from commercial users who want their security reports cleared, not the other way round. (cherry picked from commit 6a707e3)