Hi, I have merged the pr and do a vulnerability check. It seems we need to bump netty in next version.
Best -------------- Xinyu Tan On 2025/12/23 01:43:12 Xinyu Tan wrote: > Hi, > > I have fixed all the reviews[1]! Please check at your spare time. > > [1] https://github.com/apache/ratis/pull/1328 > > Best > ------------------ > Xinyu Tan > > On 2025/12/15 17:11:41 Tsz Wo Sze wrote: > > I agree that we do not have to hide the reports, since the reports contain > > the publicly known vulnerabilities but not newly discovered > > vulnerabilities. This kind of report is already available in maven repo and > > other web sites. > > > > Xinyu, thanks a lot for starting the discussion and working on it! > > > > Tsz-Wo > > > > > > On Mon, Dec 15, 2025 at 5:04 AM Xinyu Tan <[email protected]> wrote: > > > > > Hi, Attila > > > > > > Yes you are right! > > > > > > Since Apache Ratis is an open-source project, anyone can already scan the > > > codebase using vulnerability scanning tools. In that sense, publishing > > > such > > > a report does not materially increase risk, because attackers who have the > > > capability to find vulnerabilities do not need to rely on this report in > > > order to discover issues. > > > > > > From a community perspective, having this report can be valuable as a > > > pre-release checklist item. It would help ensure that before every release > > > we do not have any publicly known CVEs, and it could serve as an > > > additional > > > quality control step ahead of voting on a release. > > > > > > Best > > > ------------- > > > Xinyu Tan > > > > > > On 2025/12/15 10:08:43 Attila Doroszlai wrote: > > > > > Regarding the first point, the new workflow checks vulnerabilities > > > against the NVD, which is more comprehensive than the current scanning > > > that > > > only uses GitHub Advisory data. The NVD offers a broader and more > > > up-to-date set of vulnerabilities. > > > > > > > > Nice. > > > > > > > > > As for visibility, I tested it and found that only committers can > > > trigger the workflow. However, GitHub doesn't currently support > > > restricting > > > visibility of workflow results[1]. > > > > > > > > On second thought that's OK. Visibility is important for security > > > > issues within the project itself. I guess anyone can perform this > > > > dependency scan locally, so hiding the results does not make much > > > > difference. > > > > > > > > I'll check the PR. > > > > > > > > -Attila > > > > > > > > > >
