Fix dependency policy and add to SECURITY-INSIGHTS.yml (#4907)
## Description of the changes
Adding a security policy to SECURITY.md
Adding a couple of sections to the SECURITY-INSIGHTS.yml to fix missing
items.
Next step is to check CLOMonitor for other gaps. Need to build a
threat model too.
## How was this change tested?
Only text changes in this PR.
## Checklist
- [X] I have read
https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
- [X] I have signed all commits
- [Not needed] I have added unit tests for the new functionality
- [Not needed] I have run lint and test steps successfully
---------
Signed-off-by: Jonah Kowall <[email protected]>
The first and best way to report a vulnerability is by using private security issues in GitHub or opening an issue on GitHub. We are also available on the CNCF Slack in the jaeger channel.
SECURITY.md (19 additions, 0 deletions)
@@ -6,6 +6,25 @@ The Jaeger project provides community support only for last minor version: bug f
6
6
7
7
Security fixes are given priority and might be enough to cause a new version to be released.
8
8
9
+
### Security Patch Policy
10
+
11
+
CVEs in Jaeger code will be patched in the newest Jaeger releases.
12
+
13
+
### Dependencies Lifecycle Policy
14
+
15
+
Dependencies are evaluated before being introduced to ensure they:
16
+
17
+
1) are actively maintained
18
+
2) are maintained by trustworthy maintainers
19
+
3) are licensed in a way not to impact the Jaeger license based on [the CNCF license allowlist](https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md).
20
+
21
+
These evaluations vary from dependency to dependencies.
22
+
23
+
Dependencies are also scheduled for removal if the project has been deprecated or if the project is no longer maintained. Additionally based on license changes we replace dependencies as necessary.
24
+
25
+
CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed by Snyk to be
26
+
of high or critical severity. Automation generates a new dependabot scan daily and alerts are addressed.
27
+
9
28
## Reporting a Vulnerability
10
29
11
30
_The following is a copy of the [Report a security issue](https://www.jaegertracing.io/report-security-issue/) page from our website. The website's version has precedence in case of conflicts._
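Review bot: the dependency CVE paragraph names two scanners without saying which one's rating governs the commitment: `CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed by Snyk to be` / `of high or critical severity. Automation generates a new dependabot scan daily and alerts are addressed.` Pick one tool, or state that Dependabot alerts are triaged against the Snyk severity. The same paragraph should also say what happens to medium and low severity dependency CVEs (for example, picked up on the normal release cadence); as written, the policy reads as if they are never addressed. Smaller wording points: `These evaluations vary from dependency to dependencies.` should be "dependency to dependency", and `if the project has been deprecated or if the project is no longer maintained` is ambiguous between Jaeger itself and the dependency's upstream project; say "if the upstream project".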
This is a placeholder document for the Jaeger project self-assessment. More details of what this will turn into can be found in the [TAG-Security documented standards.](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md)
4
+
5
+
## Table of Contents
6
+
7
+
*[Metadata](#metadata)
8
+
*[Security links](#security-links)
9
+
*[Overview](#overview)
10
+
*[Actors](#actors)
11
+
*[Actions](#actions)
12
+
*[Background](#background)
13
+
*[Goals](#goals)
14
+
*[Non-goals](#non-goals)
15
+
*[Self-assessment use](#self-assessment-use)
16
+
*[Security functions and features](#security-functions-and-features)
17
+
*[Project compliance](#project-compliance)
18
+
*[Secure development practices](#secure-development-practices)
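Review bot: the table-of-contents entries from `*[Metadata](#metadata)` down to `*[Secure development practices](#secure-development-practices)` have no space between the `*` and the link, so Markdown renders them as a single run of inline text instead of a bullet list; write them as `* [Metadata](#metadata)`. The anchors also point at sections the placeholder does not contain yet, so add the matching headings (even if empty) so the links resolve on the rendered page.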
This is a placeholder for the Jaeger Threat Model. This will be based on [OSSF standards](https://github.com/ossf/security-insights-spec/tree/main/docs/threat-model) and examples of existing threat models. This is a significant chunk of work for Jaeger due to the diversity and complexity of all the supported components in deployment.
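Review bot: the threat model placeholder says the work is large because of "the diversity and complexity of all the supported components in deployment" but does not list them; naming the components that will be in scope (collector, query, agent, storage backends, and so on, as the project defines them) here would let later contributors pick up the work piecemeal and would make the scope of the model reviewable before it is written.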