We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We take the security of SonarMark seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them using one of the following methods:
- Preferred: GitHub Security Advisories - Use the private vulnerability reporting feature
- Alternative: Contact the project maintainers directly through GitHub
Please include the following information in your report:
- Type of vulnerability (e.g., SQL injection, cross-site scripting, etc.)
- Full path of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After submitting a vulnerability report, you can expect:
- Acknowledgment: We will acknowledge receipt of your vulnerability report promptly
- Investigation: We will investigate the issue and determine its impact and severity
- Updates: We will keep you informed of our progress as we work on a fix
- Resolution: Once the vulnerability is fixed, we will:
  - Release a security patch
  - Publicly disclose the vulnerability (with credit to you, if desired)
  - Update this security policy as needed
- Initial Response: Promptly
- Status Update: Regular updates as investigation progresses
- Fix Timeline: Varies based on severity and complexity
Security updates will be released as:
- Critical vulnerabilities: Patch release as soon as possible
- High severity: Patch release within 30 days
- Medium/Low severity: Included in the next regular release
When using SonarMark, we recommend following these security best practices:
- Validate SonarQube/SonarCloud API responses before processing
- Be cautious when processing data from untrusted sources
- Use the latest version of SonarMark to benefit from security updates
- Keep SonarMark and its dependencies up to date
- Review the release notes for security-related updates
- Use `dotnet list package --vulnerable` to check for vulnerable dependencies
- Run SonarMark with the minimum required permissions
- Avoid running SonarMark as a privileged user unless necessary
- Ensure API tokens and credentials are stored securely
SonarMark integrates with SonarQube/SonarCloud APIs. Users should:
- Protect API tokens and credentials
- Use HTTPS connections to SonarQube/SonarCloud
- Validate SSL/TLS certificates
- Be aware that API responses may contain sensitive code quality information
SonarMark reads and writes files on the local file system. Users should:
- Ensure appropriate file permissions are set on output files
- Be cautious when processing files in shared directories
- Validate file paths to prevent directory traversal attacks
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
We will credit security researchers who report vulnerabilities responsibly. If you would like to be credited:
- Provide your name or pseudonym
- Optionally provide a link to your website or GitHub profile
- Let us know if you prefer to remain anonymous
SonarMark relies on third-party packages. We:
- Regularly update dependencies to address known vulnerabilities
- Use Dependabot to monitor for security updates
- Review security advisories for all dependencies
To check for vulnerable dependencies yourself:

```shell
dotnet list package --vulnerable
```

For security concerns, please use GitHub Security Advisories or contact the project maintainers directly through GitHub.
For general bugs and feature requests, please use GitHub Issues.
Thank you for helping keep SonarMark and its users safe!