
Create guidance on triaging build time dependency vulnerabilities #855

Closed
@PushkarJ

Description

Description: Vulnerability scanners detect CVEs in build-time dependencies. But best practices to triage these vulnerabilities are unclear.

Impact: Adding docs based on experiences and anecdotes that many projects can follow would be useful.

Scope: Write best practices with examples like:

  • Focus on highest severity CVEs first
  • Document if not exploitable as a security advisory or github issue
  • Patch when exploitable and fixed by upstream dependency
  • Define roles and responsibilities

Meeting minutes where this was discussed: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.bssmkroi6sff and youtube recording: https://www.youtube.com/watch?v=MBHdvYW6YjI

cc @anvega @lumjjb @fkautz @ionut-arm
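The triage order the scope list sketches (highest severity first, document non-exploitable findings, patch when exploitable and an upstream fix exists, otherwise track upstream) can be encoded as a small helper. This is an added example, not code from the issue or the sig-security project; the `Finding` shape and the sample findings are constructed, and the CVE ids are placeholders.

```python
"""Triage helper for scanner findings on build-time dependencies.

Added example: encodes the ordering and actions suggested in the issue.
The Finding shape is an assumption, not any scanner's real output format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Highest severity sorts first; unknown labels go last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass
class Finding:
    cve: str                      # identifier as reported by the scanner
    package: str                  # build-time dependency name
    severity: str                 # scanner severity label
    exploitable: Optional[bool]   # None until an engineer has assessed it
    fixed_version: Optional[str]  # upstream version carrying the fix, if any


def decide(f: Finding) -> str:
    """Map one finding to the action the issue's scope list suggests."""
    if f.exploitable is None:
        return "assess"                    # nobody has looked at it yet
    if not f.exploitable:
        return "document-not-exploitable"  # record rationale in an advisory/issue
    if f.fixed_version:
        return "patch"                     # exploitable and upstream fix available
    return "track-upstream"                # exploitable, no fix yet: monitor/mitigate


def triage(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return (cve, package, action) rows ordered highest severity first."""
    ordered = sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f.severity.upper(), len(SEVERITY_RANK)), f.cve),
    )
    return [(f.cve, f.package, decide(f)) for f in ordered]


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "build-tool-a", "MEDIUM", False, "1.2.4"),
    Finding("CVE-0000-0002", "build-tool-b", "CRITICAL", True, "3.0.1"),
    Finding("CVE-0000-0003", "build-tool-c", "HIGH", True, None),
    Finding("CVE-0000-0004", "build-tool-d", "LOW", None, None),
]

if __name__ == "__main__":
    for cve, package, action in triage(SAMPLE):
        print(f"{cve:14} {package:14} {action}")
```

The "document-not-exploitable" rows are the ones the issue suggests recording as a security advisory or GitHub issue so the rationale survives the next scan.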
