Hi Attila,

Yes, you are right!

Since Apache Ratis is an open-source project, anyone can already scan the codebase using vulnerability scanning tools. In that sense, publishing such a report does not materially increase risk, because attackers who have the capability to find vulnerabilities do not need to rely on this report in order to discover issues.

From a community perspective, having this report can be valuable as a pre-release checklist item. It would help ensure that before every release we do not have any publicly known CVEs, and it could serve as an additional quality control step ahead of voting on a release.

Best
-------------
Xinyu Tan

On 2025/12/15 10:08:43 Attila Doroszlai wrote:
> > Regarding the first point, the new workflow checks vulnerabilities against
> > the NVD, which is more comprehensive than the current scanning that only
> > uses GitHub Advisory data. The NVD offers a broader and more up-to-date set
> > of vulnerabilities.
>
> Nice.
>
> > As for visibility, I tested it and found that only committers can trigger
> > the workflow. However, GitHub doesn't currently support restricting
> > visibility of workflow results[1].
>
> On second thought that's OK. Visibility is important for security
> issues within the project itself. I guess anyone can perform this
> dependency scan locally, so hiding the results does not make much
> difference.
>
> I'll check the PR.
>
> -Attila
