
Update Security NVD doc section #23624

Merged (1 commit), Feb 14, 2022

Conversation

sberyozkin (Member)

Fixes #23476.

Hi Loic - can you check it please? I added the example of how it can be configured based on your feedback at #23476.

I've added a recommendation to disable the suppression list sometimes, such as to check that no real issues have happened in the suppressed dependencies, do you agree?

loicmathieu (Contributor) left a comment

LGTM, 2 minor typos.

Such a suppression list has to be carefully prepared and sometimes it can be disabled to double-check that only the same known false positives are reported.

I never disabled it but you can add a duration (until parameter) for your suppressions. Here it's only a false positive at CPE level which should be pretty stable but yes, a sentence may be added that states that the suppression list must be handled carefully and revisited from time to time.
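The reviewer's point, that a suppression should carry an `until` date and that the list needs revisiting, lends itself to a routine check. The following is an added example, not code from the Quarkus project or from either participant; it assumes the suppression list uses the OWASP dependency-check `suppressions.xml` format (the pull request does not name the tool), and every coordinate, CPE and date in the sample is constructed for illustration.

```python
# Added example: audit a dependency-check style suppression list for entries whose
# "until" date has passed or that never had one. Assumes the OWASP dependency-check
# suppressions.xml format; the tool name and every entry below are assumptions, not
# content from this pull request.
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample suppression list (hypothetical coordinates, CPEs and dates).
SAMPLE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2022-12-31Z">
    <notes><![CDATA[Hypothetical: CPE matched an unrelated product; re-check before the date.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-core@.*$</packageUrl>
    <cpe>cpe:/a:example:example_product</cpe>
  </suppress>
  <suppress until="2099-01-01Z">
    <notes><![CDATA[Hypothetical: false positive at CPE level, reviewed.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-client@.*$</packageUrl>
    <cpe>cpe:/a:example:client</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[Hypothetical: open-ended suppression with no review date.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-util@.*$</packageUrl>
    <cpe>cpe:/a:example:util</cpe>
  </suppress>
</suppressions>
"""


def _local_name(tag):
    """Strip the XML namespace from an ElementTree tag ('{ns}suppress' -> 'suppress')."""
    return tag.rsplit("}", 1)[-1]


def parse_until(value):
    """Parse the xs:date value of an 'until' attribute, e.g. '2022-12-31Z' or '2022-12-31'."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1]
    return date.fromisoformat(value)


def _label(suppress_elem):
    """Identify a suppression by its CPE, falling back to its packageUrl."""
    for wanted in ("cpe", "packageUrl"):
        for child in suppress_elem:
            if _local_name(child.tag) == wanted and child.text:
                return child.text.strip()
    return "<unlabelled suppression>"


def audit_suppressions(xml_text, today):
    """Sort every <suppress> entry into expired, active or open-ended (no 'until').

    'today' may be a datetime.date or an ISO date string.
    """
    if isinstance(today, str):
        today = parse_until(today)
    report = {"expired": [], "active": [], "open_ended": []}
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) != "suppress":
            continue
        label = _label(elem)
        until = elem.get("until")
        if until is None:
            report["open_ended"].append(label)
        elif parse_until(until) < today:
            report["expired"].append(label)
        else:
            report["active"].append(label)
    return report


if __name__ == "__main__":
    # Run against the constructed sample with today's date; wire the real file in CI instead.
    for status, labels in audit_suppressions(SAMPLE_SUPPRESSIONS, date.today()).items():
        print(f"{status:>10}: {labels}")
```

Run in CI against the real suppression file, the `expired` and `open_ended` lists are the entries that need a reviewer to confirm the CPE match is still a false positive; an empty pair of lists means every suppression is still inside its agreed review window.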

sberyozkin (Member, Author)

@loicmathieu Thanks, let me add a note about the time limited suppression

sberyozkin force-pushed the update_security_nvd_doc branch from 4a48568 to 06208db, February 14, 2022 13:54

sberyozkin (Member, Author) commented Feb 14, 2022

@loicmathieu I replaced the proposal to disable with the suggestion to consider adding an until attribute, thanks

@sberyozkin sberyozkin merged commit 9c8475f into quarkusio:main Feb 14, 2022
@quarkus-bot quarkus-bot bot added this to the 2.8 - main milestone Feb 14, 2022
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Feb 14, 2022
@sberyozkin sberyozkin deleted the update_security_nvd_doc branch February 14, 2022 17:15
@gsmet gsmet modified the milestones: 2.8 - main, 2.7.2.Final Feb 21, 2022

Successfully merging this pull request may close these issues.

Handling NVD reported vulnerabilities for Quarkus