Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Security-CVEs fixes guidelines #2936

Merged
merged 1 commit into from
Nov 29, 2022
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,27 @@
## Reporting a Vulnerability

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue.
- If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue.

- For Security-CVE related fix -
- For direct dependency - Use ```yarn upgrade package``` to update the package and in order to enforce as sub-deps please add nested-dep step2.

- For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see
[Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade.
- To add the CVEs fix to previous versions, add label ex: backport 1.x.

```
Example: foobar@1.x vulnerable package and 1.y is the fix
step 1:
For direct dependency checks:
run: yarn upgrade foobar@1.y to update the package.json
and yarn install to update the yarn.lock file
Step 2.
Check for sub deps foobar in other package.
If foobar@1.x exists for subdeps in yarn.lock file
Then edit the package.json file and add **/foobar@1.y in resolution section as shown below to enforce the 1.y.
'resolutions': { "**/foobar": "^1.y",
"**/foo": "^2.x" ,
"**/bar": "^3.k"}
Then run: yarn install for updating yarn.lock file