asf-tooling opened a new issue, #1133:
URL: https://github.com/apache/tooling-trusted-releases/issues/1133
**ASVS Level(s):** [L1]
**Description:**
### Summary
The application pins a release candidate version (ldap3==2.10.2rc3) in
production without documented justification or special monitoring procedures.
Release candidate versions have uncertain security patch processes and may not
receive updates through standard channels, which makes the 30-day freshness
policy less meaningful. If a vulnerability is discovered, the fix may be
released in the stable 2.9.x branch but not backported to the 2.10.x RC
branch, leaving the upgrade path unclear.
### Details
**Current situation:**
- Production dependency: `ldap3==2.10.2rc3` (release candidate)
- Latest stable release: `ldap3==2.9.1`
- No documented justification for using RC version
- No special monitoring procedures for RC dependencies
**Security concerns:**
1. RC versions may not receive security patches through standard channels
2. Vulnerability fixes might be released only in stable branches
3. Unclear upgrade path if security issue found in RC version
4. 30-day freshness policy less meaningful for RC versions (no regular releases)
5. No established process for monitoring RC security status
**Affected file:** `pip-audit.requirements`, line 148
### Recommended Remediation
**Option A — Use stable version (preferred):**
1. Test application functionality with `ldap3==2.9.1`
2. If no regressions, prefer stable over RC
3. Update `pip-audit.requirements` to use stable version
**Option B — Document justification and establish monitoring:**
1. Create `DEPENDENCIES.md` with a section for pre-release dependencies:
```markdown
## Pre-Release Dependencies
### ldap3==2.10.2rc3
- **Reason:** [Document specific feature or bug fix required]
- **Stable alternative tested:** 2.9.1 [results]
- **Monitoring:** Weekly manual checks of releases
- **Security advisories:** Subscribed to ldap3 security notifications
- **Upgrade target:** Migrate to stable 2.10.x within 7 days of release
```
2. Establish explicit monitoring procedures:
- Weekly manual checks of ldap3 releases
- Subscribe to security advisories
- Document remediation timeline
**Option C — Automated RC version monitoring:**
Implement `scripts/check_prerelease_deps.py`:
```python
def check_prerelease_versions():
"""Detect pre-release versions and validate documentation exists."""
# Parse requirements for RC/alpha/beta versions
# Verify DEPENDENCIES.md documents each pre-release
# Fail if undocumented pre-release found
```
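A working version of that check, added here as an example and not code from the tooling-trusted-releases repository. It parses `==` pins (pip-compile style, including `--hash` continuation lines and `;` environment markers), classifies each version with the PEP 440 grammar so `.dev` releases and the `alpha`/`beta`/`c` spellings are caught alongside `rc`, and requires a matching `### name==version` heading in `DEPENDENCIES.md` in the layout sketched in Option B. The file names, the heading convention, the `--sample` flag and the embedded sample requirements and DEPENDENCIES.md text are assumptions; the samples are constructed, not the repository's real files.

```python
"""Fail CI when a pre-release pin is missing from DEPENDENCIES.md.

Added example for Option C of this issue, not code from the
tooling-trusted-releases repository. Assumed: 'name==version' pins
(pip-compile style, with '--hash' continuation lines and ';' markers)
and a '### name==version' heading per pre-release in DEPENDENCIES.md,
as sketched in Option B.
"""
import re
import sys
from pathlib import Path

# PEP 440 version grammar with the pre/post/dev segments captured
# (same shape as the VERSION_PATTERN in the 'packaging' library).
VERSION_RE = re.compile(
    r"""^(?:(?P<epoch>\d+)!)?
    (?P<release>\d+(?:\.\d+)*)
    (?P<pre>[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?\d*)?
    (?P<post>-\d+|[-_.]?(?:post|rev|r)[-_.]?\d*)?
    (?P<dev>[-_.]?dev[-_.]?\d*)?
    (?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?$""",
    re.VERBOSE | re.IGNORECASE,
)
# 'name[extras]==version'; the version ends at whitespace or a ';' marker.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?\s*==\s*(?P<version>[^\s;]+)"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Some_Lib' and 'some-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_prerelease(version: str) -> bool:
    """True for a/b/rc and .dev versions; post-releases and local labels are not pre-releases."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        # Fail closed: an unparseable version is an error, not a silently accepted pin.
        raise ValueError(f"not a PEP 440 version: {version!r}")
    return m.group("pre") is not None or m.group("dev") is not None


def find_prerelease_pins(requirements_text: str) -> list[tuple[str, str]]:
    """(normalised name, version) for every '==' pin whose version is a pre-release."""
    found = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].rstrip().rstrip("\\").strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as --hash=sha256:...
        m = PIN_RE.match(line)
        if m is None:
            continue  # URL, VCS or range specifier: out of scope for this check
        name, version = normalize(m.group("name")), m.group("version")
        if is_prerelease(version):
            found.append((name, version))
    return found


def documented_pins(dependencies_md: str) -> set[tuple[str, str]]:
    """Pins recorded under '### name==version' headings in DEPENDENCIES.md."""
    heading = re.compile(r"^###\s+([A-Za-z0-9._-]+)==(\S+)\s*$", re.MULTILINE)
    return {(normalize(n), v) for n, v in heading.findall(dependencies_md)}


def undocumented_prereleases(requirements_text: str, dependencies_md: str) -> list[tuple[str, str]]:
    """Pre-release pins with no exact entry; an RC bump without a doc update shows up here too."""
    documented = documented_pins(dependencies_md)
    return [pin for pin in find_prerelease_pins(requirements_text) if pin not in documented]


# Constructed sample inputs (not the repository's real files): three
# pre-releases are pinned but only ldap3 is documented.
SAMPLE_REQUIREMENTS = """\
# constructed, pip-compile style
ldap3==2.10.2rc3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyasn1==0.6.1 ; python_version >= "3.8" \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
Some_Lib[ssl]==1.2.0b1
other-lib==3.0.0.dev4
post-only==1.0.post1
"""
SAMPLE_DEPENDENCIES_MD = """\
## Pre-Release Dependencies
### ldap3==2.10.2rc3
- **Reason:** constructed placeholder entry
"""


def report(missing: list[tuple[str, str]], doc_label: str) -> int:
    """Print one line per undocumented pin; exit status 1 if there are any."""
    for name, version in missing:
        print(f"undocumented pre-release pin {name}=={version}: "
              f"add a '### {name}=={version}' entry to {doc_label}")
    return 1 if missing else 0


def main(argv: list[str]) -> int:
    if argv[1:] == ["--sample"]:  # assumed flag: run offline against the constructed sample
        return report(undocumented_prereleases(SAMPLE_REQUIREMENTS, SAMPLE_DEPENDENCIES_MD), "the sample")
    req = Path(argv[1] if len(argv) > 1 else "pip-audit.requirements")
    doc = Path(argv[2] if len(argv) > 2 else "DEPENDENCIES.md")
    docs_text = doc.read_text() if doc.exists() else ""  # missing file documents nothing
    return report(undocumented_prereleases(req.read_text(), docs_text), str(doc))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI as `python scripts/check_prerelease_deps.py pip-audit.requirements DEPENDENCIES.md`; a non-zero exit means an undocumented pre-release pin. The match is on the exact version, so bumping the pin to a newer RC without updating the DEPENDENCIES.md entry fails the check too, which is what the weekly-review policy in Option B needs. A version string that is not valid PEP 440 raises instead of being skipped, so the check fails closed rather than quietly accepting an odd pin.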
### Acceptance Criteria
- [ ] Either migrate to stable ldap3==2.9.1, or document justification for the RC version
- [ ] If keeping RC: Create DEPENDENCIES.md with pre-release policy
- [ ] If keeping RC: Establish monitoring procedures
- [ ] If keeping RC: Subscribe to ldap3 security advisories
- [ ] Optional: Implement automated pre-release detection script
- [ ] Unit test verifying the fix
### References
- Source reports: L1:15.2.1.md
- Related findings: None
- ASVS sections: 15.2.1
### Priority
Low
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]