How to report security vulnerabilities which are not novel? #1208

Closed
cjcjameson opened this issue May 28, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@cjcjameson
Contributor

Describe the bug

The policy at https://github.com/opensearch-project/.github/edit/main/SECURITY.md assumes that the person is reporting a novel security defect. I agree that novel security defect reporting should follow a process like that.

What if we want to call out that there's been a CVE in a dependency that this repository takes, and ask that the library be upgraded?

To Reproduce

My company's security team thinks this is insecure software because it brings in Dependency Foo v1.2.3.

I'm unsure whether I can mention that in this issue tracker

Expected behavior

If it's already on nvd.nist.gov, I should just create an issue. Or a PR if I'm so inclined.

@cjcjameson cjcjameson added the Beta, bug (Something isn't working) and untriaged (Require the attention of the repository maintainers and may need to be prioritized) labels May 28, 2021
@cliu123 cliu123 removed the untriaged (Require the attention of the repository maintainers and may need to be prioritized) label Jun 24, 2021
@peternied peternied removed the Beta label Apr 8, 2022
@davidlago

We are doing some "spring cleaning in the fall", and to make sure we focus our energies on the right issues and we get a better picture of the state of the repo, we are closing all issues that we are carrying over from the ODFE era (ODFE is no longer supported/maintained, see post here).

If you believe this issue should still be considered for current versions of OpenSearch, apologies! Please let us know by re-opening it.

Thanks!

@peternied
Member

@cjcjameson This is a great question, we've got the codebase configured with dependabot to file issues, for example see CVE-2022-38751 (Medium) detected in snakeyaml-1.31.jar - #2071

If you know about an issue in a dependency that can be updated we are happy to receive pull requests to resolve these issues, thanks for the contribution you made in #1210

If there isn't a clear path forward, please use caution and use the AWS/Amazon Security vulnerability reporting page, or email aws-security@amazon.com directly. It will get to us with urgency so we can figure out how to best respond.
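The routing rule the two comments above converge on (already published on NVD: open a normal issue or PR; not yet public: use the private channel) can be automated. The following is an added example written for this page, not code from the OpenSearch project or from either commenter. It assumes the NVD CVE API 2.0 response shape (`vulnerabilities[].cve.{id,published,descriptions,metrics}`); the sample response embedded below is constructed, and its description, date and score are placeholders rather than the real NVD data for that CVE. The `issue_title` helper reproduces the title format of the dependabot-filed issue mentioned above.

```python
"""Decide whether a dependency CVE belongs in a public issue or a private report.

Rule: if NVD already lists the CVE, it is public knowledge and a normal issue
or pull request is the right channel; if NVD has no record, treat it as
potentially non-public and use the project's private reporting channel.
"""
import json
import urllib.parse
import urllib.request

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed sample in the shape of an NVD API 2.0 response. The CVE id is the
# one named in the thread; description, date and score are placeholders only.
SAMPLE_NVD_RESPONSE = json.dumps({
    "totalResults": 1,
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-2022-38751",
            "published": "2022-01-01T00:00:00.000",
            "descriptions": [
                {"lang": "en", "value": "Constructed placeholder description."}
            ],
            "metrics": {
                "cvssMetricV31": [{
                    "cvssData": {"baseScore": 6.5, "baseSeverity": "MEDIUM"}
                }]
            },
        }
    }],
})


def fetch_nvd_record(cve_id, timeout=10):
    """Fetch the raw NVD record for one CVE id (network call; not used offline)."""
    query = urllib.parse.urlencode({"cveId": cve_id})
    with urllib.request.urlopen(f"{NVD_CVE_API}?{query}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_nvd_response(raw_json):
    """Map CVE id -> {published, score, severity, summary} from an API 2.0 payload."""
    payload = json.loads(raw_json)
    records = {}
    for entry in payload.get("vulnerabilities", []):
        cve = entry.get("cve", {})
        cve_id = cve.get("id")
        if not cve_id:
            continue
        summary = next(
            (d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"),
            "",
        )
        # Prefer CVSS v3.1, then v3.0, then v2; a record may carry none of them.
        score, severity = None, "UNKNOWN"
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            metrics = cve.get("metrics", {}).get(key)
            if metrics:
                data = metrics[0].get("cvssData", {})
                score = data.get("baseScore")
                # v2 keeps baseSeverity beside cvssData rather than inside it.
                severity = data.get("baseSeverity") or metrics[0].get("baseSeverity", "UNKNOWN")
                break
        records[cve_id] = {
            "published": cve.get("published"),
            "score": score,
            "severity": severity,
            "summary": summary,
        }
    return records


def triage_route(cve_id, records):
    """'public' -> open an issue or PR; 'private' -> use the private reporting channel."""
    return "public" if cve_id in records else "private"


def issue_title(cve_id, artifact, records):
    """Build an issue title in the style of the dependabot-filed issue in the thread."""
    severity = records.get(cve_id, {}).get("severity", "UNKNOWN").capitalize()
    return f"{cve_id} ({severity}) detected in {artifact}"


if __name__ == "__main__":
    known = parse_nvd_response(SAMPLE_NVD_RESPONSE)
    for candidate in ("CVE-2022-38751", "CVE-2099-0001"):
        print(candidate, "->", triage_route(candidate, known))
    print(issue_title("CVE-2022-38751", "snakeyaml-1.31.jar", known))
```

For live use, replace `SAMPLE_NVD_RESPONSE` with `fetch_nvd_record(cve_id)`; an empty `vulnerabilities` list from NVD is exactly the case where the private channel, not a public issue, is the safe default.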
