
Create guidance on triaging build time dependency vulnerabilities #855

Closed

@PushkarJ

Description

Description: Vulnerability scanners detect CVEs in build-time dependencies, but best practices for triaging these vulnerabilities are unclear.

Impact: Adding docs, based on experiences and anecdotes, that many projects can follow would be useful.

Scope: Write best practices with examples like:

  • Focus on highest severity CVEs first
  • Document if not exploitable as a security advisory or GitHub issue
  • Patch when exploitable and fixed by upstream dependency
  • Define roles and responsibilities

Meeting minutes where this was discussed: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.bssmkroi6sff and YouTube recording: https://www.youtube.com/watch?v=MBHdvYW6YjI

cc @anvega @lumjjb @fkautz @ionut-arm
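As an added example (not part of this issue or of any CNCF project's code), a small Python triage routine that applies the practices proposed above to constructed scanner findings: highest severity first, findings judged not exploitable are recorded rather than patched, patching only when upstream has shipped a fix, and an owner assigned per role. The Finding fields, role names, package names and CVE ids are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Severity ordering used to decide what to look at first (highest first).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Assumed role assignments; a real project defines its own.
ROLES = {
    "patch": "release-manager",
    "document-not-exploitable": "maintainer",
    "track-upstream": "security-lead",
}

@dataclass(frozen=True)
class Finding:
    """One scanner finding, normalised from whatever the scanner emitted."""
    cve: str
    package: str
    severity: str
    build_time_only: bool          # never ships in the runtime artifact
    fixed_version: Optional[str]   # None when upstream has not published a fix
    reachable: bool                # outcome of the project's exploitability analysis

@dataclass(frozen=True)
class Decision:
    cve: str
    action: str      # "patch" | "document-not-exploitable" | "track-upstream"
    owner: str
    rationale: str

def decide(f: Finding) -> Decision:
    """Map one finding to the action the proposed practices call for."""
    if not f.reachable:
        where = "build-time only" if f.build_time_only else "runtime dependency"
        return Decision(f.cve, "document-not-exploitable", ROLES["document-not-exploitable"],
                        f"{where}, affected code path not reachable; record as advisory or issue")
    if f.fixed_version:
        return Decision(f.cve, "patch", ROLES["patch"],
                        f"exploitable; upgrade {f.package} to {f.fixed_version}")
    return Decision(f.cve, "track-upstream", ROLES["track-upstream"],
                    "exploitable but no upstream fix yet; mitigate and monitor")

def triage(findings: List[Finding]) -> List[Decision]:
    """Return decisions ordered by severity, unknown severities last."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity.upper(), 0), reverse=True)
    return [decide(f) for f in ordered]

# Constructed sample findings; CVE ids and package names are placeholders.
SAMPLE = [
    Finding("CVE-XXXX-0001", "example-codegen", "MEDIUM", True, "1.2.4", False),
    Finding("CVE-XXXX-0002", "example-lib", "CRITICAL", False, "0.3.8", True),
    Finding("CVE-XXXX-0003", "example-build-tool", "HIGH", True, None, True),
]
```

Running `triage(SAMPLE)` yields the critical finding first with action `patch`, then the high one as `track-upstream`, and the unreachable medium one as `document-not-exploitable`.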

Labels: inactive (no activity on issue/PR); suggestion (new suggestion for the CNCF sig-security group that doesn't fall into an existing category)