asf-tooling opened a new issue, #1066: URL: https://github.com/apache/tooling-trusted-releases/issues/1066
**ASVS Level(s):** L1

**Description:**

### Summary

The application implements comprehensive vulnerability detection infrastructure (OSV scanning, pip-audit pre-commit hooks, SBOM quality scoring, severity mapping) but lacks documented policy defining risk-based remediation timeframes that differentiate by severity (Critical/High/Medium/Low with corresponding SLAs). Vulnerabilities are detected and reported only—there is no documented policy defining risk-based remediation timeframes. This is fundamentally a documentation gap rather than a technical deficiency.

### Details

The issue exists in `SECURITY.md`, `atr/sbom/osv.py`, and `atr/tasks/sbom.py` lines 280-350. While technical infrastructure exists for vulnerability detection, no documented policy exists for remediation timeframes based on severity.

### Recommended Remediation

Create a documented remediation policy in `docs/dependency-remediation-policy.md` or add a section to `SECURITY.md`:

```markdown
## Dependency Vulnerability Remediation Policy

### Risk-Based Remediation Timeframes

| Severity | CVSS Score Range | Remediation SLA | Notes |
|----------|------------------|-----------------|-------|
| Critical | 9.0 - 10.0 | 48 hours | Emergency patching process available |
| High | 7.0 - 8.9 | 7 days | Prioritized in sprint planning |
| Medium | 4.0 - 6.9 | 30 days | Scheduled in regular maintenance |
| Low | 0.1 - 3.9 | 90 days | Addressed during dependency updates |

### Emergency Override Process

For Critical vulnerabilities, the emergency patching process bypasses the normal 14-day Dependabot cooldown:

1. Security team reviews vulnerability details
2. If confirmed exploitable, emergency PR created immediately
3. Expedited review and deployment process initiated
4. Post-incident review conducted within 7 days

### High-Risk Dependencies

The following dependencies receive enhanced monitoring due to their security-critical nature:

- **cryptography**: Used for TLS, HMAC, JWT signing
- **aiohttp**: Handles all outbound HTTPS connections
- **jinja2**: Template rendering (XSS risk)
- **sqlalchemy**: Database operations (SQL injection risk)
- **pyjwt**: JWT validation (authentication bypass risk)

### Enforcement Mechanisms

1. **Automated Detection**: OSV scanning in CI/CD pipeline
2. **Pre-commit Hooks**: pip-audit blocks commits with vulnerable dependencies
3. **SBOM Quality Scoring**: Tracks vulnerability remediation progress
4. **Regular Audits**: Monthly review of open vulnerability reports
```

Total effort: ~1 day for documentation creation and team review.

### Acceptance Criteria

- [ ] Remediation policy document created
- [ ] Risk-based SLA table defined with severity levels
- [ ] Emergency override process documented
- [ ] High-risk dependencies identified and documented
- [ ] Enforcement mechanisms documented
- [ ] Policy reviewed and approved by security team
- [ ] Policy published in project documentation
- [ ] Team trained on remediation policy

### References

- Source reports: L1:15.1.1.md
- Related findings: FINDING-306, FINDING-307
- ASVS sections: 15.1.1

### Priority

Medium
