I agree that we do not have to hide the reports, since the reports contain
the publicly known vulnerabilities but not newly discovered
vulnerabilities. This kind of report is already available in maven repo and
other web sites.

Xinyu, thanks a lot for starting the discussion and working on it!

Tsz-Wo


On Mon, Dec 15, 2025 at 5:04 AM Xinyu Tan <[email protected]> wrote:

> Hi, Attila
>
> Yes you are right!
>
> Since Apache Ratis is an open-source project, anyone can already scan the
> codebase using vulnerability scanning tools. In that sense, publishing such
> a report does not materially increase risk, because attackers who have the
> capability to find vulnerabilities do not need to rely on this report in
> order to discover issues.
>
> From a community perspective, having this report can be valuable as a
> pre-release checklist item. It would help ensure that before every release
> we do not have any publicly known CVEs, and it could serve as an additional
> quality control step ahead of voting on a release.
>
> Best
> -------------
> Xinyu Tan
>
> On 2025/12/15 10:08:43 Attila Doroszlai wrote:
> > > Regarding the first point, the new workflow checks vulnerabilities
> > > against the NVD, which is more comprehensive than the current scanning that
> > > only uses GitHub Advisory data. The NVD offers a broader and more
> > > up-to-date set of vulnerabilities.
> >
> > Nice.
> >
> > > As for visibility, I tested it and found that only committers can
> > > trigger the workflow. However, GitHub doesn't currently support restricting
> > > visibility of workflow results[1].
> >
> > On second thought that's OK.  Visibility is important for security
> > issues within the project itself.  I guess anyone can perform this
> > dependency scan locally, so hiding the results does not make much
> > difference.
> >
> > I'll check the PR.
> >
> > -Attila
> >
>
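The pre-release checklist idea above (no publicly known CVEs in the dependency scan before a release vote) can be turned into an automated gate. The following is an added example, not code from the thread or from the Apache Ratis project: it reads a dependency-scan report, fails when any finding at or above a chosen severity remains, and supports an allowlist for findings a reviewer has already assessed. The JSON shape, the file names and the CVE ids are all constructed for this example (the thread does not name the scanner or its report format); the allowlist is an added assumption, not something the thread describes.

```python
import json
import sys

# Constructed sample report for this example (not the output of any real scan).
# The JSON shape is an assumption; the jar names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-lib-1.2.3.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-0000-00002", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.1}},
            ],
        },
        {"fileName": "clean-lib-4.5.6.jar", "vulnerabilities": []},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def severity_of(vuln):
    """Normalise a finding's severity to one of SEVERITY_RANK's keys.
    Falls back to the CVSS v3 base score when the label is missing."""
    label = str(vuln.get("severity", "")).upper()
    if label in SEVERITY_RANK:
        return label
    score = float(vuln.get("cvssv3", {}).get("baseScore", 0.0))
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def blocking_findings(report_json, min_severity="HIGH", allowlist=()):
    """Return [(file, cve, severity)] for findings at or above min_severity,
    skipping CVE ids in allowlist (reviewed false positives / accepted risk)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    allowed = {cve.upper() for cve in allowlist}
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            cve = str(vuln.get("name", "")).upper()
            sev = severity_of(vuln)
            if cve in allowed or SEVERITY_RANK[sev] < threshold:
                continue
            hits.append((dep.get("fileName", "?"), cve, sev))
    return hits


def release_gate(report_json, min_severity="HIGH", allowlist=()):
    """True when the report contains no blocking findings."""
    return not blocking_findings(report_json, min_severity, allowlist)


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; without an argument the
    # constructed sample report is checked. Exit status 1 blocks the release.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_REPORT
    hits = blocking_findings(data)
    for file_name, cve, sev in hits:
        print(f"BLOCK {sev:<8} {cve:<16} {file_name}")
    print("release gate:", "PASS" if not hits else "FAIL")
    sys.exit(0 if not hits else 1)
```

Because the scan runs against public vulnerability data, the gate only catches already-known CVEs, which is exactly the scope the thread describes; the allowlist should carry a written justification per entry so that accepted findings are visible in the release discussion rather than silently suppressed.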
