Skip to content

Commit

Permalink
doc: add duplicate CVE check in sec. release doc
Browse files Browse the repository at this point in the history
This commit adds a note about only creating a CVE for Node.js
vulnerabilities.

The motivation for this is a recent HackerOne report where I created a
CVE for a c-ares issue. This CVE should have been created by the c-ares
project, and it was later, but we never updated our HackerOne report to
use their CVE number. Hopefully this extra note in the release doc will
help us check for this situaion and avoid this in the future.

PR-URL: #39845
Refs: https://hackerone.com/reports/1178337
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
danbev authored and targos committed Sep 4, 2021
1 parent 5e1cba8 commit 8efd559
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions doc/guides/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ information described.
* Approved
* Pass `make test`
* Have CVEs
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.
* Described in the pre/post announcements

* [ ] Pre-release announcement [email][]: ***LINK TO EMAIL***
Expand Down

0 comments on commit 8efd559

Please sign in to comment.