Update SECURITY.md
juhoinkinen authored Jan 22, 2024
1 parent 9b561f5 commit f4046c2
Showing 1 changed file with 17 additions and 11 deletions.
28 changes: 17 additions & 11 deletions SECURITY.md
Expand Up @@ -5,30 +5,35 @@
The [most recent Annif major/minor release](https://github.com/NatLibFi/Annif/releases)
is considered supported,
in the sense that if a serious bug or vulnerability is encountered in it,
a patch release is made to fix the issue.
we relase a patch to fix the issue.

Generally, we aim to update all dependencies to their latest versions on each Annif major/minor release.
However, note that the [dependencies of a given Annif release](https://github.com/NatLibFi/Annif/blob/main/pyproject.toml)
are pinned only on minor version level, so all patch level fixes of dependencies can be applied to an Annif installation,
However, note that most of the [dependencies of a given Annif release](https://github.com/NatLibFi/Annif/blob/main/pyproject.toml)
are pinned only on minor version level, so patch level fixes of (most) dependencies can be applied to an Annif installation,
by either manually updating the outdated packages or recreating the virtual environment from scratch and reinstalling Annif.

### Docker image
The Docker image of the latest Annif release in the
[quay.io repository](https://quay.io/repository/natlibfi/annif?tab=tags)
is rebuilt from time to time in order to update both system packages and Annif dependencies in the image.
We rebuild and publish a new Docker image of the latest Annif release in the
[quay.io repository](https://quay.io/repository/natlibfi/annif?tab=info)
when it is considered necessary in order to update both system packages and Annif dependencies of the image.
A new image is published about once every month.

The security scanner that is used on quay.io is
[Clair](https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/about_quay_io/clair-vulnerability-scanner).
Typically the scanner detects many vulnerabilities at any moment in the Annif image, even several tens.
You can see the vulnerabilities detected in an image by navigating via the link in the Security Scan column of the [tags view](https://quay.io/repository/natlibfi/annif?tab=tags),
see the screenshot below.

The scanner typically detects many vulnerabilities, that is several tens, in the packages of the images, even when they have been rebuild recently.
However, there exist patches for only some of the vulnerabilities,
and due to the way that Annif uses the dependencies, most of the detected vulnerabilities
do not apply to Annif use.

<img src="https://github.com/NatLibFi/Annif/assets/34240031/bab1316e-57fb-46a4-8ec0-94a414b26e2a" width="500">

## Reporting a Vulnerability

Thank you for improving the security of Annif.
We value your findings, and we'd be grateful if you report
any concerns or vulnerabilities directly to `[email protected]`.
We value your findings, and we would be grateful if you report
any concerns or vulnerabilities by email to **`[email protected]`**.
Note that Annif team is a part of the larger Finto team,
which has resources for the contact service throughout the year.
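Review bot: the added line "we relase a patch to fix the issue." has a typo and should read "we release a patch to fix the issue." Two further points in this hunk: the Docker paragraph now says a new image is published "when it is considered necessary" and, in the next sentence, "about once every month", which reads as two different policies, so state a single cadence (for example "at least monthly, and sooner when a relevant fix is available"); and the unchanged line "even when they have been rebuild recently" should say "rebuilt". The sentence "most of the detected vulnerabilities do not apply to Annif use" would carry more weight with one sentence on how that assessment is made, since readers of a security policy will want to know whether scanner findings are triaged or simply assumed not to apply.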

Expand All @@ -39,9 +44,10 @@ Each security concern will be assigned to a handler from our team,
who will contact you if there is a need for additional information.
We confirm the problem and keep you informed of the fix.

Make sure to add the following details when submitting your report:
To facilitate a quick and accurate response make sure to include the following details when submitting your report:

- A clear and descriptive title that outlines the report's subject and the software it pertains to (Annif).
- The versions of Annif, its dependencies and the (possible) other related software that give rise to the vulnerability.
- Break down the technical aspects of the vulnerability in your description.
- A minimal example showcasing the vulnerability.
- An explanation who has the potential to exploit this vulnerability and the benefits they would derive from doing so.
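Review bot: the added bullet "An explanation who has the potential to exploit this vulnerability and the benefits they would derive from doing so." is missing a preposition; suggest "An explanation of who could exploit this vulnerability and what they would gain from doing so." Also in this hunk, the added line "To facilitate a quick and accurate response make sure to include the following details" needs a comma after "response", and the list mixes noun phrases with the imperative "Break down the technical aspects of the vulnerability in your description.", which would read consistently as "A technical description of the vulnerability."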

0 comments on commit f4046c2
