divijvaidya commented on code in PR #554:
URL: https://github.com/apache/kafka-site/pull/554#discussion_r1345468001


##########
project-security.html:
##########
@@ -35,6 +35,22 @@ <h1 class="content-title">Kafka security</h1>
                <p>
                         For a list of security issues fixed in released 
versions of Apache Kafka, see <a href="/cve-list">CVE list</a>.
                </p>
+               <h2>Advisories for dependencies</h2>
+               <p>
+                       Many organizations use 'security scanning' tools to 
detect components for which advisories exist. While we generally encourage 
using such tools, since they are an important way users are notified of risks, 
our experience is that they produce a lot of false positives: when a dependency 
of Kafka contains a vulnerability, it is likely Kafka is using it in a way that 
is not affected. As such, we do not consider the fact that an advisory has been 
published for a Kafka dependency sensitive. Only when additional analysis 
confirms Kafka is affected by the problem, we ask you to report this finding 
privately through <a href="mailto:secur...@kafka.apache.org?Subject=[SECURITY] 
My security issue" target="_top">secur...@kafka.apache.org</a>.
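
Review bot: the `href` of the new mailto link (`mailto:secur...@kafka.apache.org?Subject=[SECURITY] My security issue`) carries a literal space and unencoded square brackets in the query; the mailto URL format requires percent-encoding there, so write `?Subject=%5BSECURITY%5D%20My%20security%20issue` rather than relying on browser URL normalization. In the same paragraph, "Only when additional analysis confirms Kafka is affected by the problem, we ask you to report this finding privately" reads awkwardly and leaves two cases unaddressed: what a reporter who cannot assess impact should do, and where a dependency advisory that is not considered sensitive should be raised instead of the private list. Consider "If additional analysis confirms that Kafka is affected, or if you are unsure, report the finding privately through ...; otherwise raise it through the public channel" and name that public channel (it does not appear in this hunk).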

Review Comment:
   I would be more comfortable if we add something like "if you are unsure 
about impact to Kafka, err on the side of reporting". Asking this because users 
in the community may not be familiar with the breadth of components in the Kafka 
code base to make a call on impact.


