Add security/CVE page (#192)
jodastephen authored Apr 16, 2024
1 parent 0cc27b9 commit adcdbc4
Showing 3 changed files with 39 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/site/markdown/index.md
@@ -35,6 +35,7 @@ Various documentation is available:

* The [Javadoc](apidocs/index.html)
* The [change notes](changes-report.html) for each release
* The [security](security.html) issues page
* The [GitHub](https://github.com/ThreeTen/threetenbp) source repository
* The mechanism to [update](update-tzdb.html) the time-zone information

37 changes: 37 additions & 0 deletions src/site/markdown/security.md
@@ -0,0 +1,37 @@
## Threeten-Backport Security

### Security Policy

**Supported Versions**

If a security issue occurs, only the latest version is guaranteed to be patched.

**Reporting a Vulnerability**

To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
Tidelift will coordinate the fix and disclosure.


### CVEs

**[CVE-2024-23081](https://www.cve.org/CVERecord?id=CVE-2024-23081)**

This was raised publicly on 2024-04-10.
There was no prior warning or private disclosure.

The CVE is nonsense. It was raised by an AI-driven bot.
The CVE describes that a `NullPointerException` is thrown when `null` is passed into a method.
As any Java developer knows, this is perfectly normal and not a security issue or CVE.

Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.

**[CVE-2024-23082](https://www.cve.org/CVERecord?id=CVE-2024-23082)**

This was raised publicly on 2024-04-10.
There was no prior warning or private disclosure.

The CVE is nonsense. It was raised by an AI-driven bot.
The CVE describes that a `StringIndexOutOfBoundsException` is thrown when a certain input is passed into a method.
As any Java developer knows, this is a perfectly normal exception and not a security issue or CVE.

Users of ThreeTen-Backport do not need to take any action as the CVE is invalid.
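Review bot: the closing "Users of ThreeTen-Backport do not need to take any action" statement under both CVE entries would carry more weight if the page also recorded what was done with the records themselves, because dependency scanners act on the CVE database, not on this page: state whether a dispute or rejection was requested from the CNA so the records carry a DISPUTED or REJECTED tag, and quote the version range and method names the two records claim, so a user matching a scanner finding against this page can confirm it is the same report. The technical argument would also be clearer if it said where the exceptions arise: a `NullPointerException` from passing `null` to a method and a `StringIndexOutOfBoundsException` from a malformed input are both thrown back to the caller at the API boundary, which is the normal Java contract for invalid arguments; that is the reason they are not security issues, and "as any Java developer knows" does not convey it to a non-Java reader evaluating the dependency. Two smaller points: "Supported Versions" says only the latest version is guaranteed to be patched but does not name it, so consider linking the release notes page already referenced from index.md, and "Reporting a Vulnerability" gives a single external channel, so a fallback (for example the repository's own private vulnerability reporting) would avoid a dead end if the Tidelift contact is unavailable.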
1 change: 1 addition & 0 deletions src/site/site.xml
@@ -75,6 +75,7 @@
<menu name="Releases">
<item name="Release notes" href="changes-report.html"/>
<item name="Dependency info" href="dependency-info.html"/>
<item name="Security" href="security.html"/>
<item name="Download" href="https://search.maven.org/search?q=g:org.threeten%20AND%20a:threetenbp&amp;core=gav"/>
</menu>


0 comments on commit adcdbc4