Skip to content

doc: add duplicate CVE check in sec. release doc #39845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
danbev wants to merge 1 commit into from
Closed

doc: add duplicate CVE check in sec. release doc #39845

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
doc: add duplicate CVE check in sec. release doc 
This commit adds a note about only creating a CVE for Node.js
vulnerabilities.

The motivation for this is a recent HackerOne report where I created a
CVE for a c-ares issue. This CVE should have been created by the c-ares
project, and it was later, but we never updated our HackerOne report to
use their CVE number. Hopefully this extra note in the release doc will
help us check for this situaion and avoid this in the future.

Refs: https://hackerone.com/reports/1178337
  • Loading branch information
@danbev
danbev committed Aug 23, 2021
commit 8017db8de0ed3360b8a1932de4a934e2e701dfad
3 changes: 3 additions & 0 deletions doc/guides/security-release-process.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ information described.
* Approved
* Pass `make test`
* Have CVEs
* Make sure that dependent libraries have CVEs for their issues. We should
only create CVEs for vulnerabilities in Node.js itself. This is to avoid
having duplicate CVEs for the same vulnerability.
* Described in the pre/post announcements

* [ ] Pre-release announcement [email][]: ***LINK TO EMAIL***
Expand Down