eclipse-jgit / jgit

JGit, the Java implementation of git
https://www.eclipse.org/jgit/

Security bug reporting instructions refer to Bugzilla #31

Closed jrn closed 7 months ago

jrn commented 7 months ago

Bug description

https://github.com/eclipse-jgit/jgit/security/policy states:

"The community is also encouraged to report vulnerabilities using the Eclipse Foundation's Bugzilla instance. Note that you will require an Eclipse Foundation account to create an issue report, but by doing so you will be able to participate directly in the resolution of the issue.

Issue reports related to vulnerabilities must be marked as "committers-only", either automatically by clicking the provided link, by the reporter, or by a committer during the triage process. Note that issues marked "committers-only" are visible to all Eclipse committers. By default, a "committers-only" issue is also accessible to the reporter and individuals explicitly indicated in the "cc" list."

What is the github issues equivalent that we should be following?

Actual behavior

Instructions refer to the previous (bugzilla) bug tracker.

Expected behavior

Instructions refer to the current bug tracker.

msohn commented 7 months ago

Thanks for the heads up, looks like we missed this when migrating from Bugzilla.

According to [1] we can choose to either report security issues via confidential issues (GitLab) or private security advisories (GitHub).

AFAIR for tracking past security issues we used confidential GitLab issues, they came in via the Eclipse security team [2]. This worked well for me hence I'd tend to stick to this path. This is also the path described on the general security reporting page of the Eclipse Foundation [3].

I have no experience using GitHub security advisories. Maybe you have? What's your preference?

[1] https://www.eclipse.org/projects/handbook/#project-setup-for-vulnerability-reporting
[2] https://www.eclipse.org/security/team/
[3] https://www.eclipse.org/security/

msohn commented 7 months ago

@mrybczyn what's your recommendation from the Eclipse security team?

tomaswolf commented 7 months ago

Can't we just remove our own SECURITY.md file in the repo and have the foundation's global one be used then by default?

msohn commented 7 months ago

AFAIR I was asked to add the SECURITY.md by EMO

jrn commented 7 months ago

AFAIR for tracking past security issues we used confidential GitLab issues, they came in via the Eclipse security team [2]. This worked well for me hence I'd tend to stick to this path.

I agree, this is a good path.

I have no experience using GitHub security advisories. Maybe you have?

They're good for getting a CVE identifier and advertising it, but I didn't find them more useful than other tools for handling the flow of fixing an issue.

msohn commented 7 months ago

I pushed an update of SECURITY.md https://review.gerrithub.io/c/eclipse-jgit/jgit/+/1177352 using the text from https://www.eclipse.org/security/.

msohn commented 7 months ago

submitted update of SECURITY.md