[ 
https://issues.apache.org/jira/browse/APEXCORE-801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16299175#comment-16299175
 ] 

ASF GitHub Bot commented on APEXCORE-801:
-----------------------------------------

PramodSSImmaneni closed pull request #85: APEXCORE-801 Added committer guidelines for CVE vulnerabilities and PRs
URL: https://github.com/apache/apex-site/pull/85

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/src/md/contributing.md b/src/md/contributing.md
index 08cb487..5ee5cec 100644
--- a/src/md/contributing.md
+++ b/src/md/contributing.md
@@ -153,6 +153,11 @@ Thanks for contributing!
   - Ensure tests are added/modified for new features or fixes
   - Ensure appropriate JavaDoc comments have been added
   - Verify contributions don't depend on incompatible licences (see 
https://www.apache.org/legal/resolved.html#category-x)
+1. If the CI build fails because of the presence of a CVE vulnerability, 
further analysis needs to be performed
+  - If the CVE is unrelated to the changes in the PR i.e., the changes in the 
PR are not the cause then it can be merged
+  - If the vulnerability is in a dependency added by the PR then the committer 
should ask the contributor to address it. If there are no good alternatives, 
then a discussion should happen in the security list whether to allow the PR, 
before it can be merged
+  - If it is determined that a vulnerability is not applicable to the project 
for a reason such as the code paths corresponding to it are not exercised by 
the software or for any other reason, the vulnerability can be added to the 
whitelist file `dependency-check-whitelist.xml` to ignore it for future builds 
+  - In any case, if the vulnerability affects the software, a JIRA should to 
be created to address the vulnerability in an appropriate way
 1. Use the github *rebase and merge* option or the git command line to merge 
the pull request (see link `view command line options` on the PR).
 1. Update JIRA after pushing the changes. Set the `Fix version` field and 
resolve the JIRA with proper resolution. Also verify that other fields (type, 
priority, assignee) are correct.
 
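Review bot: the third added bullet (the `dependency-check-whitelist.xml` case) lets a reported CVE be suppressed "for any other reason" with no record of who decided it or why, while the preceding bullet requires a security-list discussion before a PR with a vulnerable new dependency can be merged; the same bar should apply to whitelisting, since a suppressed entry silences the check for every future build. Suggest requiring that each whitelist entry carry the justification (which code paths are not exercised, or why the CVE does not apply) and a pointer to the JIRA or security-list thread that approved it, and that entries be revisited when the affected dependency or the code using it changes. Also, the last bullet has a typo: "a JIRA should to be created" should read "a JIRA should be created", and the first bullet needs a comma after "not the cause" ("...are not the cause, then it can be merged").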

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Committer guidelines for dependency CVE failures
> ------------------------------------------------
>
>                 Key: APEXCORE-801
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-801
>             Project: Apache Apex Core
>          Issue Type: Documentation
>          Components: Website
>            Reporter: Pramod Immaneni
>            Assignee: Pramod Immaneni
>

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
