janhoy commented on PR #153: URL: https://github.com/apache/solr-site/pull/153#issuecomment-4640660518
I fail to visualize to myself how this will fully look. But the idea to maintain the list of (non) vulnerable dependency CVEs in Yaml/MD sounds like an improvement. Question is how we'll make sure we maintain it. Same issue as before. This could be a good task for an agent perhaps. Each week, grab the list of dependency CVEs from our dependencies, filter on the highest severities (some threshold), check out the Solr codebase, do an assessment on whether Solr is vulnerable or not. Make a draft solr-site PR with the verdict. And if we are vulnerable, send an email to the security@ list.

--
This is an automated message from the Apache Git Service.
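As an added illustration of the weekly sweep janhoy sketches (not code from this PR or from solr-site), a small Python triage helper over a dependency-CVE verdict list: the entry field names, the CVSS threshold and the CVE ids are assumed placeholders.

```python
# Constructed sample of the proposed YAML/MD verdict list, as Python dicts
# (a real file would go through a YAML parser). CVE ids are placeholders.
SAMPLE_ENTRIES = [
    {"cve": "CVE-0000-00001", "dependency": "example-lib", "cvss": 9.8,
     "verdict": "not-affected", "rationale": "vulnerable code path is never reached"},
    {"cve": "CVE-0000-00002", "dependency": "other-lib", "cvss": 7.5,
     "verdict": "affected", "rationale": "reachable via the default configuration"},
    {"cve": "CVE-0000-00003", "dependency": "third-lib", "cvss": 8.1},   # not yet assessed
    {"cve": "CVE-0000-00004", "dependency": "fourth-lib", "cvss": 3.1},  # below threshold
]

VALID_VERDICTS = {"affected", "not-affected"}

def triage(entries, threshold):
    """Bucket every entry at or above the CVSS threshold (the 'some threshold'
    in the comment): entries lacking a verdict or a rationale need assessment,
    'affected' ones trigger the security@ notification, the rest are done."""
    result = {"needs_assessment": [], "affected": [], "not_affected": []}
    for e in sorted(entries, key=lambda x: x.get("cvss", 0.0), reverse=True):
        if e.get("cvss", 0.0) < threshold:
            continue
        verdict = e.get("verdict")
        if verdict not in VALID_VERDICTS or not e.get("rationale"):
            result["needs_assessment"].append(e["cve"])
        elif verdict == "affected":
            result["affected"].append(e["cve"])
        else:
            result["not_affected"].append(e["cve"])
    return result

def draft_pr_table(entries, threshold):
    """Render the above-threshold entries as the Markdown table a draft
    solr-site PR could carry; missing verdicts are shown as TODO."""
    rows = ["| CVE | Dependency | CVSS | Verdict | Rationale |",
            "|---|---|---|---|---|"]
    for e in entries:
        if e.get("cvss", 0.0) >= threshold:
            rows.append("| %s | %s | %.1f | %s | %s |" % (
                e["cve"], e["dependency"], e["cvss"],
                e.get("verdict", "TODO"), e.get("rationale", "TODO")))
    return "\n".join(rows)

def must_notify(result):
    """True when at least one above-threshold CVE is confirmed 'affected'."""
    return bool(result["affected"])

if __name__ == "__main__":
    print(draft_pr_table(SAMPLE_ENTRIES, 7.0))
    print("notify security@:", must_notify(triage(SAMPLE_ENTRIES, 7.0)))
```

The unassessed bucket is what an agent (or a human) would have to work through against the checked-out codebase before the draft PR is worth merging.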
