From 4a21b44b5f917df16c5fd27cb1c4e3d15bd74d34 Mon Sep 17 00:00:00 2001 From: Bruno Oliveira da Silva Date: Mon, 20 May 2024 13:21:52 -0300 Subject: [PATCH] Add documentation about how to handle CVEs on third-party libraries reported by Snyk Closes #29707 Co-authored-by: Alexander Schwartz Signed-off-by: Bruno Oliveira da Silva --- docs/bug-triage.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/bug-triage.md b/docs/bug-triage.md index 360ab60602..d68829847e 100644 --- a/docs/bug-triage.md +++ b/docs/bug-triage.md @@ -31,6 +31,12 @@ In cases where it is clear that no additional comment is needed you can just add example if the description only states `It doesn't work` then there's not much point in explaining what information is missing. +#### CVE reports on third-party libraries + +Known CVEs on third-party libraries will be automatically created as GitHub issues, labeled with `kind/cve`, `kind/bug`, and `status/triage`. The triager identifies the responsible team for the dependency and assigned the appropriate `team/...` label. This process is similar to the bug triage process previously mentioned. + +When evaluating the CVE report, assess the impact on the codebase by determining if we are vulnerable or affected. "Vulnerable" means that we use the code reported in the CVE, while "affected" means that we have the dependency with the CVE present but do not use the vulnerable code, making it impossible to exploit the CVE. If closing an issue as "not planned," include a proper explanation and the reason for closing it for future reference. + ### Prioritize the issue Second step is to prioritize the bug depending on how common the use-case is, if it's a regression, 
@@ -90,4 +96,4 @@ The priority for an issue is also bumped to important if the `team/rh-iam` label When triaging or fixing an issue consider if the fix should be backported. If it should be backported add the corresponding `backport/` label. -For convenience, use the `.github/scripts/pr-backport.sh` to help create the backport PRs. \ No newline at end of file +For convenience, use the `.github/scripts/pr-backport.sh` to help create the backport PRs.
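Review bot: In the first hunk (docs/bug-triage.md, the new "CVE reports on third-party libraries" section) the sentence "The triager identifies the responsible team for the dependency and assigned the appropriate `team/...` label" mixes tenses; it should read "identifies ... and assigns the appropriate `team/...` label". In the same hunk, the definition of "affected" ends with "making it impossible to exploit the CVE", which overstates what the triager can establish from a dependency check alone; suggest "meaning the CVE is not exploitable through our usage of the library" so the wording matches the level of confidence the assessment actually gives. The section also explains how to classify a report as "vulnerable" or "affected" but not what action follows from each outcome (for example, that a "vulnerable" finding is handled as a bug with the normal prioritization, while an "affected" one may be closed as "not planned" with the explanation the last sentence asks for); adding one sentence on that would make the triage steps complete.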