docs: add SECURITY.md and update security.txt#2386
docs: add SECURITY.md and update security.txt#2386morri-son wants to merge 13 commits intoopen-component-model:mainfrom
Conversation
Add a repository-level SECURITY.md based on the NeoNephos security guidelines template. This replaces the inherited SAP boilerplate with a project-specific vulnerability disclosure policy covering GitHub private vulnerability reporting, TSC contact information, supported versions, response timelines, and coordinated disclosure. Update security.txt (RFC 9116) to point to the new reporting channels and refresh the expired date. Closes: open-component-model/ocm-project#1021 Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
✅ Deploy Preview for ocm-website ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a vulnerability disclosure policy and security contacts, updates .well-known/security.txt (contacts and Expires), changes the GitHub Actions workflow to sparse-checkout and bump only the Expires field on weekdays, and extends the spell-check wordlist with three security terms. ChangesSecurity & Release Flow
Spell-check vocabulary
Sequence Diagram(s)sequenceDiagram
participant Workflow as GitHub Actions workflow
participant Repo as Repository (files)
participant GitHub as GitHub API (PR)
participant Runner as Actions runner
Workflow->>Runner: scheduled run (Dec weekdays 09:00 UTC)
Runner->>Repo: sparse-checkout `website/static/.well-known/security.txt`
Runner->>Runner: compute next year (date +1)
Runner->>Repo: rewrite `Expires:` in security.txt
Runner->>GitHub: create branch `security/renew-security-txt` and PR (Expires-only update)
GitHub->>Repo: PR created (title/commit/description reference RFC 9116)
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Use absolute GitHub links for security docs (not local relative paths) - Add CVSS, mitigations, and OpenSSF to the spellcheck wordlist Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
github-actions
Bot
added
component/github-actions
The security design and assurance case docs are part of PR open-component-model#2290 which hasn't merged yet. Reference them by path instead of as clickable links to avoid 404 errors during link verification. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Replace the old SAP-internal fetch with a job that bumps the Expires field in our project-owned security.txt by one year. Runs on November 1st annually so a renewal PR is ready well before the April expiry. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
- Set Expires to 2027-12-31 (year-end convention) - Schedule renewal workflow for December 1st to match the new cadence Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Use sparse checkout — only the single security.txt file is needed, no point cloning the entire repo. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
|
neonephos/guidelines-development#7 has been approved, so this PR can make use of the ne SECURITY.md template from NeoNephos. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/website-update-security-txt.yaml (1)
5-7: Adjust Expires calculation to stay within RFC 9116's <1-year horizon.The current workflow runs on December 1st and adds 1 year to the existing Expires timestamp, which typically sets the date to December 31st of the following year. This results in an Expires value ~13 months in the future, exceeding RFC 9116 section 2.5.5's recommendation to keep Expires less than one year ahead.
To comply with the RFC, set the Expires date to approximately 11–12 months from the workflow execution date rather than hardcoding to a fixed end-of-year date.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/website-update-security-txt.yaml around lines 5 - 7, The workflow currently schedules on "0 9 1 12 *" and extends the security.txt Expires field by adding a full year which can push expiry beyond 12 months; change the Expires calculation step so it computes Expires relative to the workflow run date (e.g., run_date + ~330 days or run_date + 11 months) instead of forcing an end-of-year date; update the step that generates the Expires timestamp (the job/step that currently adds 1 year to the existing Expires) to produce a date <1 year ahead (approx 11–12 months) formatted per RFC 9116 before writing security.txt.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/website-update-security-txt.yaml:
- Around line 27-36: The step "Bump Expires date by one year" currently proceeds
even if parsing/computing NEW fails; update the step to validate parsing by
checking that CURRENT is non-empty and NEW was successfully computed (e.g., test
-n "$CURRENT" and test -n "$NEW" or check date exit status) before running sed,
and if either is empty or date failed, print a clear error (including values of
FILE and CURRENT) and exit 1 to fail the job; reference the variables/labels
FILE, CURRENT, NEW and the step name to locate where to add the checks and early
exit.
---
Nitpick comments:
In @.github/workflows/website-update-security-txt.yaml:
- Around line 5-7: The workflow currently schedules on "0 9 1 12 *" and extends
the security.txt Expires field by adding a full year which can push expiry
beyond 12 months; change the Expires calculation step so it computes Expires
relative to the workflow run date (e.g., run_date + ~330 days or run_date + 11
months) instead of forcing an end-of-year date; update the step that generates
the Expires timestamp (the job/step that currently adds 1 year to the existing
Expires) to produce a date <1 year ahead (approx 11–12 months) formatted per RFC
9116 before writing security.txt.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b6067089-1525-4689-b6f7-d182f52b6e90
📒 Files selected for processing (4)
.github/config/wordlist.txt.github/workflows/website-update-security-txt.yamlSECURITY.mdwebsite/static/.well-known/security.txt
Skarlso
left a comment
Skarlso
left a comment
There was a problem hiding this comment.
This closes the attached issue but where is assurance-case.md and secure-design.md docs? Is that another PR?
- Add Canonical field to security.txt (RFC 9116) - Add set -euo pipefail and validation guards to renewal workflow - Run renewal workflow every weekday in December (idempotent) - Remove stale "None yet" text from Past Security Advisories Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Gerald Morrison <67469729+morri-son@users.noreply.github.com>
|
|
||
| | Name | Handle | Role | | ||
| |------|--------|------| | ||
| | Jakob Moeller | [@jakobmoellerdev](https://github.com/jakobmoellerdev) | TSC Chair / Lead Security Contact | |
There was a problem hiding this comment.
This is incorrect. I'm the chair and Fabian is the Tech Lead.
There was a problem hiding this comment.
This is not for the SIG runtime, it is TSC. As long as we have dedicated security contacts I pinned it to the TSC Chair.
frewilhelm
left a comment
frewilhelm
left a comment
There was a problem hiding this comment.
The neonephos PR is not merged yet - should we wait?
| - name: Bump Expires date by one year | ||
| run: | | ||
| set -euo pipefail | ||
| FILE=website/static/.well-known/security.txt | ||
| CURRENT=$(sed -n 's/^Expires:[[:space:]]*//p' "$FILE") | ||
| if [[ -z "${CURRENT}" ]]; then | ||
| echo "::error::Missing Expires field in ${FILE}" | ||
| exit 1 | ||
| - name: Bump Expires date by one year |
There was a problem hiding this comment.
This looks redundant. What is the reason behind it?
There was a problem hiding this comment.
Now it always writes 31.12.xxxx as expiry data and moved the year +1. Simple
| # Job runs every day in December at 00:00 UTC | ||
| - cron: '0 0 * 12 *' | ||
| # Run every weekday in December at 09:00 UTC. The create-pull-request | ||
| # action is idempotent so repeated runs simply update the same PR branch. |
There was a problem hiding this comment.
What happens if the branch get merged? Will the PR get recreated until the end of december?
There was a problem hiding this comment.
I changed the job a bit. Now it always writes 31.12.xxxx as expiry data. So all future runs after a merge will detect no changes, so no new PR.
|
|
||
| ## Supported Versions | ||
|
|
||
| Only the latest minor release receives security updates. Given the project's pre-1.0 status and |
There was a problem hiding this comment.
I believe this contradicts the policy that was decided in the release-manager ADR
There was a problem hiding this comment.
copy paste and not adopted :-). Now adopted to our relase process Latest 3 minors (y, y-1, y-2)
| - Secure Design (in `docs/security/secure-design.md`) | ||
| - Security Assurance Case (in `docs/security/assurance-case.md`) |
|
|
||
| ## Response Process | ||
|
|
||
| This project follows the [NeoNephos Security Guidelines](https://github.com/neonephos/guidelines-development/blob/main/security-guidelines/security-guidelines.md) |
There was a problem hiding this comment.
These guidelines are still in development so we cannot rely on them until they are approved unfortunately. We can note that we are working on integrating with the foundation policy but for now we must use our own or rely on LF
There was a problem hiding this comment.
Then my proposal would be to make this PR draft and wait for the security guidelines PR merged in the NeoNephos repo and get approved.
| | Latest minor (currently 0.x) | Yes | | ||
| | Older minors | No | | ||
|
|
||
| ## Response Process |
There was a problem hiding this comment.
Currently this guide is written as if there was a stable submission process but there isn't any. What are our security issue submission channels actually now?
There was a problem hiding this comment.
The ones GH offers and in addition via email, like described under ## Reporting a Vulnerability
…olicy Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
…component-model into docs/add-security-policy Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/workflows/website-update-security-txt.yaml (1)
27-54:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winRemove the incomplete duplicate step — it causes a bash syntax error on every run.
Lines 27–34 contain an abandoned partial copy of the "Bump Expires" step, missing the closing
fifor theif [[ -z ... ]]block. GitHub Actions executes both list items sequentially; the first one causes bash to exit withunexpected end of fileunderset -euo pipefail, so the workflow always fails before the correct step (lines 35–54) can execute.The incomplete step also uses the
::error::annotation style inconsistent with the>&2pattern in the real step, and contains none of the date-computation logic — it is clearly a stale draft left over when the "fail-fast" fix from the previous review round was appended rather than merged in-place.🐛 Proposed fix — drop the orphaned first step
- - name: Bump Expires date by one year - run: | - set -euo pipefail - FILE=website/static/.well-known/security.txt - CURRENT=$(sed -n 's/^Expires:[[:space:]]*//p' "$FILE") - if [[ -z "${CURRENT}" ]]; then - echo "::error::Missing Expires field in ${FILE}" - exit 1 - - name: Bump Expires date by one year run: | set -euo pipefail🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/website-update-security-txt.yaml around lines 27 - 54, Remove the stray/incomplete duplicate job step named "Bump Expires date by one year" (the first occurrence) that is missing the closing fi and uses the ::error:: annotation; keep only the complete "Bump Expires date by one year" step that parses CURRENT, computes NEW with date and replaces the Expires line. In practice, delete the earlier run: | block (the abandoned partial copy) so the workflow contains a single correct Bump Expires step (the one that sets FILE, extracts CURRENT, computes NEW with date -u -d ... || date -u -j ..., checks NEW, runs sed -i, and prints the update).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/website-update-security-txt.yaml:
- Around line 27-54: Remove the stray/incomplete duplicate job step named "Bump
Expires date by one year" (the first occurrence) that is missing the closing fi
and uses the ::error:: annotation; keep only the complete "Bump Expires date by
one year" step that parses CURRENT, computes NEW with date and replaces the
Expires line. In practice, delete the earlier run: | block (the abandoned
partial copy) so the workflow contains a single correct Bump Expires step (the
one that sets FILE, extracts CURRENT, computes NEW with date -u -d ... || date
-u -j ..., checks NEW, runs sed -i, and prints the update).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2a29f7b1-b863-489e-8fab-7c0d75e8ac3d
📒 Files selected for processing (2)
.github/config/wordlist.txt.github/workflows/website-update-security-txt.yaml
✅ Files skipped from review due to trivial changes (1)
- .github/config/wordlist.txt
Remove duplicate broken step and replace complex date-parsing logic with a simple idempotent approach: always set Expires to Dec 31 of next year. This ensures repeated runs produce no diff after merge. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Update supported versions section to reflect the "latest 3 minors (y, y-1, y-2)" policy from the release strategy ADR instead of claiming only the latest minor is supported. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
|
put this back to draft, until neonephos/guidelines-development#7 is merged AND approved by NeoNephos TAG. |
Pull request was converted to draft
6 participants
Summary
SECURITY.mdbased on the NeoNephos Security Guidelines template, replacing the inherited SAP boilerplate with an OCM-specific vulnerability disclosure policywebsite/static/.well-known/security.txt(RFC 9116) to reference the new reporting channels and refresh the expired dateCloses open-component-model/ocm-project#1021
Details
The
SECURITY.mdcovers:docs/security/secure-design.mdanddocs/security/assurance-case.mdTest plan
SECURITY.mdrenders correctly on GitHubsecurity.txtis valid per RFC 9116 (e.g. via https://securitytxt.org/)