Update security.html to inform about simple-event-sender issues #19
Conversation
Added information about simple event sender security alerts
<p class="section-paragraph"> | ||
<ul> | ||
<li>details</li> | ||
<li>The simple-simple-event sender has several <a href="https://github.com/eiffel-community/simple-event-sender/security/dependabot">high severity security alerts</a>. All users should ensure dependencies are updated.</li> |
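Review bot: the link `<a href="https://github.com/eiffel-community/simple-event-sender/security/dependabot">` in the second `<li>` points at the repository's Dependabot alerts page, which is only visible to people and teams granted access by the repository admins, so ordinary readers of security.html get a 404 instead of the advisory; replace the link with a hand-maintained statement of which simple-event-sender versions are affected and which version users should update to, since that list also has to keep historical vulnerabilities that a live alerts page would not show. Two smaller points in the same hunk: "The simple-simple-event sender" duplicates "simple-" and should read "The simple-event-sender", and the `<li>details</li>` item looks like a leftover placeholder that should be filled in or removed before merge.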
I get a 404 error for https://github.com/eiffel-community/simple-event-sender/security/dependabot.
@magnusbaeck well spotted, it seems I have the rights to see that page so I didn't notice. How do we handle that? Should I add a short explanation on the security page? @fredjn
Even if the link in the PR worked for everyone, I'm not sure it would be a good fit for this page since it lists current problems (right?) while this page should also cover historical vulnerabilities. Unless we build something very complicated, I think this list needs to be maintained by hand.
I get the 404 as well. Are the alerts still there? I seem to recall I've had access to the alerts page. (But perhaps that was through a screen share in a meeting.) There are also 2 open issues filed by dependabot on the repository in question. I can't remember if these were related.
Probably only admins or similar for the repo can see it. OK if I add a short description for now so that we get it published? @fredjn
From https://github.com/eiffel-community/simple-event-sender/settings/security_analysis
Dependabot and secret scanning alerts are only visible to people and teams that are given access by admins.
I don't think we can link to that page. So instead we need to change this to advise people to update to a certain version of simple-event-sender.
@k-hallen-ericsson , could you make the necessary updates to this PR?
Description of the Change
Added information about simple event sender security alerts
Alternate Designs
N/A
Benefits
Inform about security issues according to process
Possible Drawbacks
N/A
Sign-off
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Signed-off-by Kristofer Hallén kristofer.hallen@ericsson.com