Version | Supported |
---|---|
0.x | ✅ |
Please report sensitive security issues via Spotify's bug-bounty program rather than GitHub.
If you have questions about a potential vulnerability, please reach out on Discord by asking for a maintainer in the #support
channel, or via direct message to a maintainer.
Vulnerabilities are handled and published through GitHub Security Advisories.
In the event of a vulnerability the runbook for the maintainers is as follows:
- Create a new draft security advisory. The values and descriptions don't need to be perfect to begin with as they can be edited later. For severity, use the "Assess severity using CVSS" and refer to the guide for help.
- Request a CVE identification number. It can take up to 72h for one to be assigned so be sure to do this early on.
- If there is not already a patch for the vulnerability, collaborate on one in a private fork:
- Head to the security advisory on GitHub and create a private fork
- Invite any collaborators from outside the maintainer team that should be part of creating a fix.
- Create one or multiple Pull Requests with fixes towards the fork. Note that these PRs will not have CI checks run on them, so more care should be taken to run local validation. The PRs are also not merged like normal PRs, but are instead merged straight into the main repo all at once when the merge button is hit on the security advisory.
- Once the fix is ready in a PR or private fork and it is time to release it, there are a couple of options. Either merge into the main branch with a changeset and wait for a regular release, or do a quick release by manually bumping the version in
package.json
of the affected package, along with a manualCHANGELOG.md
entry. Note that a quick release will only work if the package does not have any other pending changes that depend on pending changes in other packages, so be sure to manually check that first, and fall back to an early regular release if needed. In general it's best to stick with the regular release flow, with the quick release being used only for time sensitive fixes. - Finalize and publish the security advisory. Note that once you hit the publish button it's no longer possible to edit the advisory. Just like the CVE number this can take up to 72h, and expect it to be slower than the CVE number request.
Backstage uses Snyk vulnerability scans in order to make sure we minimize vulnerabilities in our dependencies and get notified of new vulnerabilities.
There are many situations where a vulnerability does not affect a particular dependency because of how the vulnerable package is used. In that situation the package authors may choose to stay at the current version rather than bumping the dependency, leading to a warning in the vulnerability scans but no actual vulnerability.
To work around this and other similar issues, Snyk provides a method to ignore vulnerabilities. In order to provide the best visibility and most utility to adopters of Backstage, we store these ignore rules in .snyk
policy files. This allows adopters to rely on our ignore policies if they wish to do so.
Adding a new ignore policy is done by creating or modifying an existing .snyk
file within a package root. See the Snyk Documentation for details on the syntax. Always include a description, full path, and time limit of the ignore policy.