From 165afee55a816e2e084ba2dac4cad7d5cb7d2a57 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Wed, 26 Jul 2023 14:21:26 +0100
Subject: [PATCH] docs: update security policy and add CVE info (#24769)
---
 .github/SECURITY.md | 38 +++++++++++++++++++++++++++
 docs/docs/security/_category_.json | 4 +++
 docs/docs/security/cves.mdx | 27 +++++++++++++++++++
 docs/docs/{ => security}/security.mdx | 4 +--
 4 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 .github/SECURITY.md
 create mode 100644 docs/docs/security/_category_.json
 create mode 100644 docs/docs/security/cves.mdx
 rename docs/docs/{ => security}/security.mdx (99%)
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 0000000000000..f35b9c48f0eec
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and follows the
+ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in annihilating the security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache Superset,
+please get in touch with the Apache Security Team privately at
+e-mail address [security@apache.org](mailto:security@apache.org).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
+
+Note that Apache Superset is not responsible for any third-party dependencies that may
+have security issues. Any vulnerabilities found in third-party dependencies should be
+reported to the maintainers of those projects. Results from security scans of Apache
+Superset dependencies found on its official Docker image can be remediated at release time
+by extending the image itself.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
diff --git a/docs/docs/security/_category_.json b/docs/docs/security/_category_.json
new file mode 100644
index 0000000000000..7d24a44873bcf
--- /dev/null
+++ b/docs/docs/security/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Security",
+ "position": 10
+}
diff --git a/docs/docs/security/cves.mdx b/docs/docs/security/cves.mdx
new file mode 100644
index 0000000000000..148af09c54c98
--- /dev/null
+++ b/docs/docs/security/cves.mdx
@@ -0,0 +1,27 @@
+---
+title: CVEs by release
+hide_title: true
+sidebar_position: 2
+---
+
+#### Version 2.1.0
+
+| CVE | Title | Affected |
+| :------------- | :---------------------------------------------------------------------- | -----------------:|
+| CVE-2023-25504 | Possible SSRF on import datasets | <= 2.1.0 |
+| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | <= 2.1.0 |
+| CVE-2023-27525 | Incorrect default permissions for Gamma role | <= 2.1.0 |
+| CVE-2023-30776 | Database connection password leak | <= 2.1.0 |
+
+
+#### Version 2.0.1
+
+| CVE | Title | Affected |
+| :------------- | :---------------------------------------------------------- | -----------------:|
+| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses | < 2.0.1 or <1.5.2 |
+| CVE-2022-43717 | Cross-Site Scripting on dashboards | < 2.0.1 or <1.5.2 |
+| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms | < 2.0.1 or <1.5.2 |
+| CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access | < 2.0.1 or <1.5.2 |
+| CVE-2022-43720 | Improper rendering of user input | < 2.0.1 or <1.5.2 |
+| CVE-2022-43721 | Open Redirect Vulnerability | < 2.0.1 or <1.5.2 |
+| CVE-2022-45438 | Dashboard metadata information leak | < 2.0.1 or <1.5.2 |
diff --git a/docs/docs/security.mdx b/docs/docs/security/security.mdx
similarity index 99%
rename from docs/docs/security.mdx
rename to docs/docs/security/security.mdx
index ab6d41e895f40..5934af51df006 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security/security.mdx
@@ -1,7 +1,7 @@
 ---
-title: Security
+title: Role based Access
 hide_title: true
-sidebar_position: 10
+sidebar_position: 1
 --- ### Roles