Thanks a lot for working on this!

Tsz-Wo

On Sun, Dec 28, 2025 at 6:29 PM Xinyu Tan <[email protected]> wrote:

> Hi,
>
> I have merged the PR and did a vulnerability check. It seems we need to
> bump netty in the next version.
>
> Best
> --------------
> Xinyu Tan
>
> On 2025/12/23 01:43:12 Xinyu Tan wrote:
> > Hi,
> >
> > I have fixed all the reviews[1]! Please check in your spare time.
> >
> > [1] https://github.com/apache/ratis/pull/1328
> >
> > Best
> > ------------------
> > Xinyu Tan
> >
> > On 2025/12/15 17:11:41 Tsz Wo Sze wrote:
> > > I agree that we do not have to hide the reports, since the reports
> > > contain the publicly known vulnerabilities but not newly discovered
> > > vulnerabilities. This kind of report is already available in the maven
> > > repo and other web sites.
> > >
> > > Xinyu, thanks a lot for starting the discussion and working on it!
> > >
> > > Tsz-Wo
> > >
> > >
> > > On Mon, Dec 15, 2025 at 5:04 AM Xinyu Tan <[email protected]> wrote:
> > >
> > > > Hi, Attila
> > > >
> > > > Yes, you are right!
> > > >
> > > > Since Apache Ratis is an open-source project, anyone can already
> > > > scan the codebase using vulnerability scanning tools. In that sense,
> > > > publishing such a report does not materially increase risk, because
> > > > attackers who have the capability to find vulnerabilities do not
> > > > need to rely on this report in order to discover issues.
> > > >
> > > > From a community perspective, having this report can be valuable as
> > > > a pre-release checklist item. It would help ensure that before every
> > > > release we do not have any publicly known CVEs, and it could serve as
> > > > an additional quality control step ahead of voting on a release.
> > > >
> > > > Best
> > > > -------------
> > > > Xinyu Tan
> > > >
> > > > On 2025/12/15 10:08:43 Attila Doroszlai wrote:
> > > > > > Regarding the first point, the new workflow checks
> > > > > > vulnerabilities against the NVD, which is more comprehensive than
> > > > > > the current scanning that only uses GitHub Advisory data. The NVD
> > > > > > offers a broader and more up-to-date set of vulnerabilities.
> > > > >
> > > > > Nice.
> > > > >
> > > > > > As for visibility, I tested it and found that only committers can
> > > > > > trigger the workflow. However, GitHub doesn't currently support
> > > > > > restricting visibility of workflow results[1].
> > > > >
> > > > > On second thought that's OK. Visibility is important for security
> > > > > issues within the project itself. I guess anyone can perform this
> > > > > dependency scan locally, so hiding the results does not make much
> > > > > difference.
> > > > >
> > > > > I'll check the PR.
> > > > >
> > > > > -Attila
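The thread above describes a manually triggered, NVD-backed dependency scan that only committers can start but whose results stay visible. The workflow below is an added example sketching how such a job can be wired up; it is not the workflow from the Ratis PR. It assumes the project builds with Maven and uses the OWASP Dependency-Check Maven plugin (which queries the NVD), and it assumes a repository secret named NVD_API_KEY for the NVD API; both the tool choice and the secret name are assumptions made here.

```yaml
# Added example, not the Apache Ratis project's own workflow.
# Assumptions: Maven build, OWASP Dependency-Check Maven plugin as the
# NVD-backed scanner, and a repository secret NVD_API_KEY (name chosen here).
# workflow_dispatch runs can only be started by users with write access to the
# repository, which matches "only committers can trigger the workflow".
name: dependency-vulnerability-scan

on:
  workflow_dispatch:
    inputs:
      fail-on-cvss:
        description: "Fail the run if any finding has a CVSS score >= this value"
        default: "7"

# Read-only token: the scan only needs to check out the source tree.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"

      # Cache the downloaded NVD data so repeated runs do not refetch the whole feed.
      - uses: actions/cache@v4
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: nvd-data-${{ github.run_id }}
          restore-keys: nvd-data-

      - name: Run OWASP Dependency-Check against the NVD
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          mvn -B org.owasp:dependency-check-maven:check \
            -DnvdApiKey="$NVD_API_KEY" \
            -DfailBuildOnCVSS=${{ inputs.fail-on-cvss }} \
            -Dformat=ALL \
            -DassemblyAnalyzerEnabled=false

      # Publish the report as a run artifact. On a public repository the run and
      # its artifacts are visible to anyone who can see the repository.
      - name: Upload dependency-check report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: "**/target/dependency-check-report.*"
```

Run it from the Actions tab before cutting a release candidate: a non-zero exit from the `check` goal means at least one dependency carries a published CVE at or above the chosen CVSS threshold, which is the pre-release gate the thread proposes. Because the report only lists already-public CVEs, exposing the artifact does not give an attacker anything a local scan of the same tree would not.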
