keycloak/keycloak

Request to Include VEX Documents with Keycloak Releases

Open

#36747 opened on Jan 23, 2025

19 comments, 3 reactions, 3 assignees. Java, 34,398 stars, 8,346 forks.
Labels: help wanted, kind/feature, priority/normal, team/security

Description

Request the inclusion of VEX (Vulnerability Exploitability eXchange) documents with each release of the Keycloak project.

Discussion

No response

Motivation

VEX files would provide us with detailed insights into the actual risks associated with Keycloak's vulnerabilities, including their status—whether they are exploitable, under investigation, or resolved. This information would enable us to prioritize updates more effectively, focusing on the most critical issues first. Additionally, having clear visibility into the status of each vulnerability would allow us to make informed decisions quickly, ensuring our systems remain secure without unnecessary disruptions.

Details

Generate and include a VEX file with each new release of Keycloak, as per the VEX Hub instructions: https://github.com/aquasecurity/vexhub?tab=readme-ov-file#quick-start-adding-vex-documents-to-vex-hub
