From 7eb3153987bc04a869ac24ddd81dbb17cbb5a0fc Mon Sep 17 00:00:00 2001 From: Gabriel Cocenza Date: Mon, 21 Oct 2024 15:20:04 -0300 Subject: [PATCH] Add SSDLC - Vulnerability Response --- terraform-plans/configs/dcgm-snap_main.tfvars | 7 ++++++ .../templates/github/SECURITY.md.tftpl | 24 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 terraform-plans/templates/github/SECURITY.md.tftpl diff --git a/terraform-plans/configs/dcgm-snap_main.tfvars b/terraform-plans/configs/dcgm-snap_main.tfvars index 18da458..fa36549 100644 --- a/terraform-plans/configs/dcgm-snap_main.tfvars +++ b/terraform-plans/configs/dcgm-snap_main.tfvars @@ -44,4 +44,11 @@ templates = { epic_key = "SOLENG-46" } } + security = { + source = "./templates/github/SECURITY.md.tftpl" + destination = "SECURITY.md" + vars = { + repository = repository + } + } } diff --git a/terraform-plans/templates/github/SECURITY.md.tftpl b/terraform-plans/templates/github/SECURITY.md.tftpl new file mode 100644 index 0000000..7e9a485 --- /dev/null +++ b/terraform-plans/templates/github/SECURITY.md.tftpl @@ -0,0 +1,24 @@ +# This file is centrally managed as a template file in https://github.com/canonical/solutions-engineering-automation +# To update the file: +# - Edit it in the canonical/solutions-engineering-automation repository. +# - Open a PR with the changes. +# - When the PR merges, the soleng-terraform bot will open a PR to the target repositories with the changes. + +# Security policy + +If the vulnerability affects a dependency, a new version of the component including the updated +dependency will be released in the respective store, meaning that no new feature will be included: +the update will be built on top of the previously last released stable version. + +If the vulnerability affects our charm/snap code itself, a new version will be built including the +security fix on top of the current main branch, meaning that the security update will potentially +include new previously unreleased features. + + +## Reporting a vulnerability +To report a security issue, file a [Private Security Report](https://github.com/canonical/${repository}/security/advisories/new) +with a description of the issue, the steps you took to create the issue, affected versions, and, +if known, mitigations for the issue. + +The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) +contains more information about what you can expect when you contact us and what we expect from you.