| 1 | +# Security Policy |
| 2 | + |
| 3 | +As a key component in the implementation of API clients and servers, [`oapi-codegen`](https://github.com/oapi-codegen/oapi-codegen) is in an critical position to keep secure. |
| 4 | + |
| 5 | +## Supported versions |
| 6 | + |
| 7 | +Only `oapi-codegen`'s latest minor version is generally supported. |
| 8 | + |
| 9 | +Related: [`oapi-codegen`'s support model (`SUPPORT.md`)](./SUPPORT.md) |
| 10 | + |
| 11 | +However, depending on the severity of a given security vulnerability, there may be case(s) where this would lead to a backport of the patch on a currently unsupported version. |
| 12 | + |
| 13 | +## Reporting Security Issues |
| 14 | + |
| 15 | +<!-- Via https://github.com/github/.github/blob/main/SECURITY.md --> |
| 16 | + |
| 17 | +If you believe you have found a security vulnerability in `oapi-codegen` or any of the related projects in [the `oapi-codegen` GitHub organisation](https://github.com/oapi-codegen/), please report it to us through coordinated disclosure. |
| 18 | + |
| 19 | +> [!IMPORTANT] |
| 20 | +> **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** |
| 21 | +
|
| 22 | +Please report the vulnerability through the GitHub security advisories page. |
| 23 | + |
| 24 | +For instance, for the core `oapi-codegen` CLI, you would report it [on this page](https://github.com/oapi-codegen/oapi-codegen/security/advisories/). |
| 25 | + |
| 26 | +Please include as much of the information listed below as you can to help us better understand and resolve the issue: |
| 27 | + |
| 28 | +* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) |
| 29 | +* Full paths of source file(s) related to the manifestation of the issue |
| 30 | +* The location of the affected source code (tag/branch/commit or direct URL) |
| 31 | +* Any special configuration required to reproduce the issue |
| 32 | +* Step-by-step instructions to reproduce the issue |
| 33 | +* Proof-of-concept or exploit code (if possible) |
| 34 | +* Impact of the issue, including how an attacker might exploit the issue |
| 35 | + |
| 36 | +This information will help us triage your report more quickly. |
| 37 | + |
| 38 | +## CVEs in dependencies |
| 39 | + |
| 40 | +If a dependency that `oapi-codegen` (or its child projects) contains a CVE, we will look to patch that dependency in the following cases: |
| 41 | + |
| 42 | +- The dependency's CVE is exploitable using static analysis, via [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) |
| 43 | +- The dependency's CVE requires a mix of some code changes and a version bump to address the CVE |
| 44 | +- If we are generally updating dependencies (for instance part of general hygiene or as part of updating dependencies ahead of a release) |
| 45 | + |
| 46 | +> [!NOTE] |
| 47 | +> Given the Go ecosystem allows projects to override dependency updates, this allows consumers of `oapi-codegen` to upgrade dependencies separate to `oapi-codegen` making changes upstream. |
| 48 | +> |
| 49 | +> We will strive to make sure that we do update these dependencies on a regular basis, but until a fix or release is made |
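Review bot: the NOTE at line 49 ends mid-sentence ("but until a fix or release is made"), so the policy never says what consumers should do in the interim; finish the sentence in the same spirit as line 47, e.g. "but until a fix or release is made, consumers can bump the affected dependency in their own module." Line 40 is missing its verb ("If a dependency that `oapi-codegen` ... contains a CVE"): "If a dependency that `oapi-codegen` (or its child projects) depends on contains a CVE". Line 42 reads as if the CVE were exploited by static analysis; reword to "static analysis with `govulncheck` reports the vulnerable code as reachable". Smaller points: line 3 "an critical position" should be "a critical position"; line 11 "this" has no clear referent, so say "a more severe vulnerability may lead to a backport"; line 47 "separate to" should be "separately from".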