From cb1a380b62657d8be47724c50e4e3c30380f8e8c Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Mon, 2 Dec 2024 13:58:28 +0000 Subject: [PATCH 1/8] Add Security Policy --- docs/conf.py | 4 +++- docs/index.rst | 1 + docs/security.rst | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 docs/security.rst diff --git a/docs/conf.py b/docs/conf.py index d3a67d1c..eb0321a8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -21,7 +21,9 @@ 'sphinx.ext.autodoc', 'sphinx.ext.coverage', 'sphinx.ext.viewcode', - 'sphinx_copybutton' + 'sphinx_copybutton', + 'sphinx.ext.intersphinx', + 'sphinx.ext.autosectionlabel', ] source_suffix = '.rst' master_doc = 'index' diff --git a/docs/index.rst b/docs/index.rst index 5f95ba27..2b97c6b7 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -21,3 +21,4 @@ Contents :titlesonly: contributing + security diff --git a/docs/security.rst b/docs/security.rst new file mode 100644 index 00000000..032feb60 --- /dev/null +++ b/docs/security.rst @@ -0,0 +1,34 @@ +Security Policy +=============== + +This documents the security policy and actions to take to secure the security of the package, its deployment and use. + +Supported Versions +------------------ + +Security vulnerabilities are fixed only for the latest version of `icalendar`. + +.. list-table:: Versions to receive security updates + :widths: 25 25 + :header-rows: 1 + + * - Version + - Supported + * - 6.* + - ✅ + * - 5.* + - ❌ + * - 4.* + - ❌ + * - < 4.* + - ❌ + + +Reporting a Vulnerability +------------------------- + +Please report any vulnerabilities you find on this project's +`Security Page `_. +If you cannot do this, please contact one of the +:ref:`maintainers` +directly or open an issue. From 3d82cf45ff4bca9b4348dfa256c27488b915a93b Mon Sep 17 00:00:00 2001 
From: Nicco Kunzmann Date: Mon, 2 Dec 2024 14:02:21 +0000 Subject: [PATCH 2/8] Documentation improvements --- CHANGES.rst | 2 +- CONTRIBUTING.rst | 8 ++++---- docs/contributing.rst | 2 -- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index d50a55c7..17e9bb6c 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -14,7 +14,7 @@ Breaking changes: New features: -- ... +- Add :ref:`Security Policy` Bug fixes: diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 22fa1f7b..8948763b 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -18,12 +18,12 @@ For pull requests, keep this in mind - Add a test which proves your fix and make it pass. -- Describe your change in CHANGES.rst +- Describe your change in ``CHANGES.rst`` -- Add yourself to the docs/credits.rst +- Add yourself to the ``docs/credits.rst`` -Development Setup ------------------ +Setup for Development +--------------------- If you would like to setup icalendar to contribute changes, the `Installation Section diff --git a/docs/contributing.rst b/docs/contributing.rst index 99b206b3..2eabc81a 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -1,5 +1,3 @@ -.. _contributing: - ------------------ Contributing ------------------ From c8709f93308b117ecdf0fb3b17e82af38ca8d887 Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Mon, 2 Dec 2024 14:05:29 +0000 Subject: [PATCH 3/8] Add SECURITY.md file as recognized by GitHub --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..70e24122 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,7 @@ +# Security Policy + +Please find our [security policy in the documentation](https://icalendar.readthedocs.io/en/latest/security.html). + +See also: + +- [docs/security.rst](docs/security.rst) From 3e08ad2fd80605fdde0c984e036d2686d7fb92b6 Mon Sep 17 00:00:00 2001 
From: Nicco Kunzmann Date: Sat, 21 Dec 2024 22:27:19 +0000 Subject: [PATCH 4/8] Use Plone's security policy --- docs/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 032feb60..255ae91d 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -27,8 +27,8 @@ Security vulnerabilities are fixed only for the latest version of `icalendar`. Reporting a Vulnerability ------------------------- -Please report any vulnerabilities you find on this project's -`Security Page `_. +Please `report vulnerabilities of icalendar to Plone +`_. If you cannot do this, please contact one of the :ref:`maintainers` directly or open an issue. From 5f69b2c33bf077f6062f0ceb7d72ec202c5ef338 Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Sat, 21 Dec 2024 23:57:38 +0000 Subject: [PATCH 5/8] Update docs/security.rst Co-authored-by: Steve Piercy --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.rst b/docs/security.rst index 255ae91d..5f1e723a 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -1,7 +1,7 @@ Security Policy =============== -This documents the security policy and actions to take to secure the security of the package, its deployment and use. +This documents the security policy and actions to take to secure the package and its deployment and use. Supported Versions ------------------ From e43536e0673de309ddcea17d1ec30d329d68049e Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Sat, 21 Dec 2024 23:57:59 +0000 Subject: [PATCH 6/8] Update docs/security.rst Co-authored-by: Steve Piercy --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.rst b/docs/security.rst index 5f1e723a..a053ab71 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -6,7 +6,7 @@ This documents the security policy and actions to take to secure the package and Supported Versions ------------------ -Security vulnerabilities are fixed only for the latest version of `icalendar`. +Security vulnerabilities are fixed only for the latest version of ``icalendar``. .. list-table:: Versions to receive security updates :widths: 25 25 From 0ec11d535199114a79dfb6732deafb0de9d5e537 Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Mon, 23 Dec 2024 13:12:47 +0000 Subject: [PATCH 7/8] Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 --- docs/security.rst | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index a053ab71..4a4305ac 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -15,20 +15,42 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``. * - Version - Supported * - 6.* - - ✅ + - YES * - 5.* - - ❌ + - no * - 4.* - - ❌ + - no * - < 4.* - - ❌ + - no Reporting a Vulnerability ------------------------- -Please `report vulnerabilities of icalendar to Plone -`_. -If you cannot do this, please contact one of the -:ref:`maintainers` -directly or open an issue. +To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page `_. +If you cannot do this, please contact one of the :ref:`maintainers` directly. + +If we determine that your report may be a security issue with the project, we may contact you for further information. +We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us. +This will allow sufficient time for us to process your report and coordinate disclosure with you. + +Once verified and fixed, the following steps will be taken: + +- We will use GitHub's Security Advisory tool to report the issue. +- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules. + If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE `_. + This in turn submits the CVE to the `National Vulnerability Database (NVD) `_. + GitHub notifies us of their decision. +- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps. +- GitHub will publish the CVE to the CVE List. +- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database `_ to all repositories that use our package (and have opted into security alerts). + This includes Dependabot alerts. +- We will make a bug-fix release. 
+- We will send an announcement through our usual channels: + + - The GitHub release + - The GitHub discussions + - The `Plone Community Forum `_ + +- We will provide credit to the reporter or researcher in the vulnerability notice. From 02f6426d3a116451e74a43aca9b8030981454a1c Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Mon, 23 Dec 2024 13:21:19 +0000 Subject: [PATCH 8/8] correct process of disclosure --- docs/security.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 4a4305ac..eb7d7ccd 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -20,7 +20,7 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``. - no * - 4.* - no - * - < 4.* + * - before 4.* - no @@ -30,6 +30,8 @@ Reporting a Vulnerability To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page `_. If you cannot do this, please contact one of the :ref:`maintainers` directly. +The maintainers of ``icalendar`` will then notify `Plone's security team `_. + If we determine that your report may be a security issue with the project, we may contact you for further information. We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us. This will allow sufficient time for us to process your report and coordinate disclosure with you. 
@@ -43,14 +45,14 @@ Once verified and fixed, the following steps will be taken: GitHub notifies us of their decision. - Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps. - GitHub will publish the CVE to the CVE List. -- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database `_. - GitHub will send `security alerts `_ to all repositories that use our package (and have opted into security alerts). This includes Dependabot alerts. - We will make a bug-fix release. - We will send an announcement through our usual channels: - - The GitHub release - - The GitHub discussions - - The `Plone Community Forum `_ + - The :ref:`Changelog` + - The GitHub releases of ``icalendar`` + - If possible also `Plone's Security Announcements `_ - We will provide credit to the reporter or researcher in the vulnerability notice.
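Review bot: in the PATCH 1/8 hunk for docs/conf.py, enabling `sphinx.ext.autosectionlabel` without `autosectionlabel_prefix_document = True` requires every section title to be unique across the whole docs tree; otherwise Sphinx emits duplicate-label warnings and `:ref:` targets such as the new `:ref:`maintainers`` become ambiguous. Either keep titles unique and say so in a comment, or set the prefix option and write references in the `document:Section` form. The same hunk adds `sphinx.ext.intersphinx` with no `intersphinx_mapping` in sight; without a mapping the extension does nothing, so add one or drop the line.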
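Review bot: in the PATCH 1/8 hunk for docs/security.rst, the fallback "or open an issue" in the Reporting section invites a reporter to post an unfixed vulnerability in the public issue tracker, which defeats the private reporting path; keep only the security page and direct maintainer contact (a later patch in this series drops it). Smaller points in the same hunk: "secure the security of the package" should read "secure the package"; `icalendar` in single backticks is rST interpreted text, not a literal, so use ``icalendar``; and the link `Security Page `_ shows no URL target, so confirm the `<https://...>` part is present, because an empty target renders as a broken link.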
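Review bot: in the PATCH 2/8 hunk for CONTRIBUTING.rst, renaming "Development Setup" to "Setup for Development" also changes the label that autosectionlabel (enabled in PATCH 1/8) generates for it, so any `:ref:` pointing at the old title will stop resolving; grep the docs for "Development Setup" before merging.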
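Review bot: in the PATCH 2/8 hunk for docs/contributing.rst, removing the explicit `.. _contributing:` anchor breaks any existing `:ref:`contributing``; the label autosectionlabel generates instead is the literal title "Contributing", which is case-sensitive, so the lower-case reference will not match. Check for uses of the old label or keep the anchor alongside the generated one.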
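Review bot: in the PATCH 7/8 hunk for docs/security.rst, the "Supported" column now mixes "YES" and "no"; use one style, e.g. "Yes"/"No". The process step saying GitHub "will submit it to the MITRE Corporation to generate a CVE" is imprecise: GitHub is itself a CVE Numbering Authority and assigns the CVE ID when the advisory is published, so "GitHub, as a CNA, assigns a CVE ID" would be accurate. Also, the "Report a vulnerability" button only appears when private vulnerability reporting is enabled in the repository's security settings; confirm it is switched on for collective/icalendar, otherwise the policy points reporters at a button that does not exist.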
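Review bot: in the PATCH 8/8 hunk at `@@ -30,6 +30,8 @@`, the added sentence "The maintainers of ``icalendar`` will then notify Plone's security team" follows the "If you cannot do this" fallback, so "then" reads as applying only to reports that bypass GitHub. If Plone is informed for every report, move the sentence directly after the primary "Report a vulnerability" instruction.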
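Review bot: in the PATCH 8/8 hunk at `@@ -43,14 +45,14 @@`, the step order has GitHub publishing the advisory, the CVE and the security alerts before "We will make a bug-fix release", which means Dependabot alerts reach downstream projects while no fixed version is installable yet. Consider moving the bug-fix release ahead of publishing the advisory so the alert can name the patched version. Also `:ref:`Changelog`` only resolves if a section titled exactly "Changelog" is part of the Sphinx build; CHANGES.rst lives at the repository root, so confirm it is included in the docs or the build will warn about an undefined label.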