We are doing some "spring cleaning in the fall", and to make sure we focus our energies on the right issues and get a better picture of the state of the repo, we are closing all issues that we are carrying over from the ODFE era (ODFE is no longer supported/maintained; see post here).
If you believe this issue should still be considered for current versions of OpenSearch, apologies! Please let us know by re-opening it.
@cjcjameson This is a great question. We've got the codebase configured with dependabot to file issues; for example, see CVE-2022-38751 (Medium) detected in snakeyaml-1.31.jar - #2071
If you know about an issue in a dependency that can be updated, we are happy to receive pull requests to resolve these issues. Thanks for the contribution you made in #1210
If there isn't a clear path forward, please use caution and use the AWS/Amazon Security vulnerability reporting page, or contact us directly via email at aws-security@amazon.com - it will get to us with urgency so we can figure out how to best respond.
Describe the bug
The policy at https://github.com/opensearch-project/.github/edit/main/SECURITY.md assumes that the person is reporting a novel security defect. I agree that novel security defect reporting should follow a process like that.
What if we want to call out that there's been a CVE in a dependency that this repository takes, and ask that the library be upgraded?
To Reproduce
My company's security team thinks this is insecure software because it brings in Dependency Foo v1.2.3.
I'm unsure whether I can mention that in this issue tracker.
Expected behavior
If it's already on nvd.nist.gov, I should just create an issue, or a PR if I'm so inclined.