diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 8db6f2a98d792..5bb3dfcc04766 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -4,16 +4,19 @@ -- [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-) -- [How to report the issue ?](#how-to-report-the-issue-) -- [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-) -- [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-) -- [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-) -- [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-) -- [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-) +- [Apache Airflow Security](#apache-airflow-security) + - [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-) + - [How to report the issue ?](#how-to-report-the-issue-) + - [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-) + - [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-) + - [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-) + - [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-) + - [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-) +# Apache Airflow Security + This document contains information on how to report security vulnerabilities in Apache Airflow and how security issues reported to the Apache Airflow security team are handled. If you would like to learn more, head to the 
@@ -30,7 +33,7 @@ e-mail address [security@airflow.apache.org](mailto:security@airflow.apache.org) Before sending the report, however, please read the following guidelines first. The guidelines should answer the most common questions you might have about reporting vulnerabilities. -### What should be and should NOT be reported ? +## What should be and should NOT be reported ? **Only** use the security e-mail address to report undisclosed security vulnerabilities in Apache Airflow and to manage the process of fixing such vulnerabilities. We do not accept regular @@ -45,13 +48,13 @@ with dependencies in Airflow Docker reference image - there is a page that descr [Airflow reference Image is fixed at release time](https://airflow.apache.org/docs/docker-stack/index.html#fixing-images-at-release-time) and providing helpful instructions explaining how you can build your own image and manage dependencies of Airflow in your own image. -### How to report the issue ? +## How to report the issue ? Please send one plain-text email for each vulnerability you are reporting including an explanation of how it affects Airflow security. We may ask that you resubmit your report if you send it as an image, movie, HTML, or PDF attachment when you could as easily describe it with plain text. -### Is this really a security vulnerability ? +## Is this really a security vulnerability ? Before reporting vulnerabilities, please make sure to read and understand the [security model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html) of Airflow, because some of the potential security vulnerabilities that are valid for projects that are 
@@ -69,7 +72,7 @@ a lot of time on preparing the issue report to follow the guidelines above and w save time for yourself and for the Airflow Security team by reading and understanding the security model before reporting the issue. -### How do we assess severity of the issue ? +## How do we assess severity of the issue ? Severity of the issue is determined based on the criteria described in the [Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software Foundation Security team. @@ -79,7 +82,7 @@ do not apply to Airflow, or have a different severity than some generic scoring (for example `CVSS`) calculation suggests. So we are not using any generic scoring system. -### What happens after you report the issue ? +## What happens after you report the issue ? The Airflow Security Team will get back to you after assessing the report. You will usually get confirmation that the issue is being worked (or that we quickly assessed it as invalid) within several @@ -100,7 +103,7 @@ Security issues in Airflow are handled by the Airflow Security Team. Details abo Team and how members of it are chosen can be found in the [Contributing documentation](https://github.com/apache/airflow/blob/main/contributing-docs/01_roles_in_airflow_project.rst#security-team). -### Does CVE in Airflow Providers impact Airflow core package ? +## Does CVE in Airflow Providers impact Airflow core package ? Airflow core package is released separately from provider distributions. While Airflow comes with ``constraints`` which describe which version of providers have been tested when the version of Airflow was released, the 
@@ -110,7 +113,7 @@ not apply to the Airflow core package. There are also Airflow providers released Airflow community is not responsible for releasing and announcing security vulnerabilities in them, this is handled entirely by the 3rd-parties that release their own providers. -### Where do I find more information about Airflow Security ? +## Where do I find more information about Airflow Security ? If you wish to know more about the ASF security process, the [ASF Security team's page](https://www.apache.org/security/) describes diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d528887fdd224..db45e1b9869df 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,7 +39,7 @@ repos: language: python language_version: python311 - repo: https://github.com/thlorenz/doctoc.git - rev: 68f070c98b9a053eabfa7f8899d1f42b9919f98c # frozen: v2.2.0 + rev: d7815f1f950f8d5ec933fa4f70208bf316bb13f8 # frozen: v2.3.0 hooks: - id: doctoc name: Add TOC for Markdown and RST files diff --git a/dev/breeze/doc/adr/0001-record-architecture-decisions.md b/dev/breeze/doc/adr/0001-record-architecture-decisions.md index d2e25cf852f59..46002151ec11a 100644 --- a/dev/breeze/doc/adr/0001-record-architecture-decisions.md +++ b/dev/breeze/doc/adr/0001-record-architecture-decisions.md @@ -19,7 +19,6 @@ -**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* - [1. Record architecture decisions](#1-record-architecture-decisions) - [Status](#status) @@ -27,6 +26,8 @@ - [Decision](#decision) - [Consequences](#consequences) + + # 1. Record architecture decisions Date: 2021-11-28 diff --git a/dev/breeze/doc/ci/README.md b/dev/breeze/doc/ci/README.md index bf20a3a700923..c5153e0757aa1 100644 --- a/dev/breeze/doc/ci/README.md +++ b/dev/breeze/doc/ci/README.md 
@@ -17,6 +17,10 @@ under the License. --> + + + + This directory contains detailed design of the Airflow CI setup. * [CI Environment](01_ci_environment.md) - contains description of the CI environment diff --git a/dev/system_tests/README.md b/dev/system_tests/README.md index 80cbc1471c7b2..00cd02a7e9875 100644 --- a/dev/system_tests/README.md +++ b/dev/system_tests/README.md @@ -17,6 +17,10 @@ under the License. --> + + + + Small tool to update status of all AIP-47 issues. Simply:
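Review bot: in the first `.github/SECURITY.md` hunk (`@@ -4,16 +4,19 @@`) the TOC now opens with `- [Apache Airflow Security](#apache-airflow-security)`, a link to the `# Apache Airflow Security` heading that is inserted directly beneath the TOC, and every real section is indented one level under that self-referencing entry. If that is not intended, place the H1 above the generated TOC block (or otherwise keep it out of generation) so the TOC lists only the seven question sections as it did before.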
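Review bot: the `###` to `##` promotion in the remaining `.github/SECURITY.md` hunks is applied to all seven section headings and the slugs in the TOC are unchanged, so existing anchor links keep working. Note that the space before `?` in each heading is what produces the trailing `-` in anchors such as `#how-to-report-the-issue-`; since this change already touches every heading line, decide now whether to drop that space. If you do, the TOC entries in the first hunk must change in the same commit, and any external links to the old anchors will break, so it is a deliberate trade-off rather than a free cleanup.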
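Review bot: in the `.pre-commit-config.yaml` hunk the doctoc `rev` stays pinned to a full commit SHA with a `# frozen: v2.3.0` comment, which is the right posture for a hook that rewrites tracked files. pre-commit does not check that comment against the SHA, so confirm that `d7815f1f950f8d5ec933fa4f70208bf316bb13f8` is the commit the upstream `v2.3.0` tag resolves to (for example by reproducing it with `pre-commit autoupdate --freeze` or `git ls-remote --tags`) before merging; a stale or mistyped SHA would run different code than the label claims.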
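Review bot: the `dev/breeze/doc/adr/0001-record-architecture-decisions.md` hunks remove the `**Table of Contents** *generated with DocToc*` line and add two lines before `# 1. Record architecture decisions` that render as empty in this view, which looks like the new doctoc output format rather than a hand edit. Confirm the regeneration is complete by running the hook once more on a clean checkout; if it still produces a diff in this or any other file carrying a doctoc block, that file needs to be regenerated in the same change or the next pre-commit run will fail.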
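Review bot: the identical `@@ -17,6 +17,10 @@` hunks in `dev/breeze/doc/ci/README.md` and `dev/system_tests/README.md` each add four lines that show as empty here, and neither file has a heading visible in the surrounding context. If these are only doctoc's marker comments around an empty TOC, committing them adds noise to two short READMEs; prefer excluding such files through the hook's `exclude:` pattern in `.pre-commit-config.yaml` rather than checking in empty TOC blocks.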