Merge pull request graphql-java#3767 from graphql-java/security-updates

dondonz · web-flow · commit 3d46b3737bf4 · 2024-12-08T19:03:42.000+11:00
Security updates
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,5 +1,7 @@
 # Security Policy
 
+[GraphQL Java is the CVE Numbering Authority (CNA)](https://www.cve.org/PartnerInformation/ListofPartners/partner/graphql-java) for GraphQL Java, Java DataLoader, GraphQL Java Extended Scalars, and GraphQL Java Extended Validation.
+
 ## Supported Versions
 
 As stated in our [Release Policy](https://www.graphql-java.com/blog/release-policy/), we will backport critical bugfixes and security fixes for versions dating back 18 months. These fixes will be backported depending on severity and demand.
diff --git a/security/SECURITY_README.md b/security/SECURITY_README.md
@@ -0,0 +1,9 @@
+## Submitting CVE records
+
+Use https://vulnogram.github.io/ as a UI to write, validate, and submit CVE records.
+
+In this Vulnogram UI, you'll be able to view a JSON preview of the CVE payload. You'll find a sample payload in this directory.
+
+It's better to use the Vulnogram UI as it'll provide extra validation of input.
+
+Also note, as a CNA we do not need to provide a CVSS score for CVEs. This will be done by security vendors instead.
diff --git a/security/cve-sample.json b/security/cve-sample.json
@@ -0,0 +1,75 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.1",
+  "cveMetadata": {
+    "cveId": "",
+    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
+    "requesterUserId": "00000000-0000-4000-9000-000000000000",
+    "serial": 1,
+    "state": "PUBLISHED"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "00000000-0000-4000-9000-000000000000"
+      },
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": ""
+            }
+          ]
+        }
+      ],
+      "impacts": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "value": ""
+            }
+          ]
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "GraphQL Java",
+          "product": "GraphQL Java [or other library]",
+          "versions": [
+            {
+              "status": "affected",
+              "version": ""
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]",
+          "supportingMedia": [
+            {
+              "type": "text/html",
+              "base64": false,
+              "value": "[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://add-github-links-here"
+        }
+      ],
+      "source": {
+        "discovery": "UNKNOWN"
+      },
+      "x_generator": {
+        "engine": "Vulnogram 0.2.0"
+      }
+    }
+  }
+}
