[jetty-dev] Changes in usage of GitHub private advisories

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Changes in usage of GitHub private advisories

From: Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Jul 2024 14:00:10 +0200
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

Dear Jetty project committers,

The usage of GitHub private advisories by Eclipse Foundation projects is currently in a pilot phase, and Eclipse Jetty is among the early adopters. Thank you for helping us better understand how these new GitHub features can be utilized. This message concerns some immediate changes regarding your use of this feature (and all other Eclipse Projects).

As you know, the Eclipse Foundation (EF) is a CVE Numbering Authority (CNA), meaning that the EF issues CVEs for projects under its stewardship. According to the forthcoming new CNA rules (coming into effect in August, see https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf), CVEs must be assigned by the CNA with the most appropriate scope for the affected product. Another CNA can assign a CVE only if the primary CNA refuses to do so.

When a project requests a CVE from a private advisory on GitHub, the CNA issuing the CVE is GitHub. This violates the new rule.

In addition, entries issued by GitHub contain wrong information in certain fields of the CVE JSON V5 record (most often: product and vendor) and there is no way to change them other than asking the GitHub team separately every single time.

We (the EF Security Team staff) have had numerous discussions with the GitHub team about those issues. Currently, GitHub does not have an elegant and user-friendly solution, and we are not the only CNA in this situation. As a result, from now on, GitHub will refuse CVE assignments for Eclipse Foundation projects. They will send an email redirecting EF projects to request CVEs at https://gitlab.eclipse.org/security/cve-assignement/-/issues/new#

In summary, instead of simply clicking the "Request CVE" button on the GitHub private advisory, you will now need to open a ticket requesting a CVE at the link above. There is no need to copy all the information you have already filed in the private advisory. The EF security staff will transfer the relevant data from the private advisory to the CVE entry. This is hopefully a temporary measure until GitHub and EF create tooling to make this process more seamless.

We’ll be communicating more broadly about the new CNA rules in the coming weeks, as certain aspects affect all our projects.

We know that the temporary solution adds additional steps to the process and we are motivated to create the needed tooling as soon as possible.

If you have any questions, please let us know.

Kind regards,

Marta Rybczynska for the Eclipse Foundation Security Team

Prev by Date: Re: [jetty-dev] # Unable to initiate spring boot application using Jetty 11.0.21
Previous by thread: [jetty-dev] # Unable to initiate spring boot application using Jetty 11.0.21
Index(es):
- Date
- Thread

Breadcrumbs