dev_docs/contributing/third_party_dependencies.mdx
Lines changed: 68 additions & 0 deletions
@@ -67,6 +67,74 @@ on Github:
67
67
[Permitted Open Source Licenses list](https://github.com/elastic/open-source/blob/main/elastic-product-policy.md#permitted-licenses-list).
68
68
</DocCallOut>
69
69
70
+
### Dependency evaluation
71
+
72
+
To manage workload effectively during this stopgap period, the evaluation is applicable only to new third-party dependencies.
73
+
Dependency upgrades are not considered, as reviewing them would be excessively time-consuming.
74
+
75
+
1.**Justification and context**.
76
+
- What is this dependency used for? Briefly explain its role in your changes and the problem it solves.
77
+
- Why is adding this specific external dependency the best approach compared to other solutions?
78
+
- Were other options considered (e.g., using existing internal libraries/utilities, implementing the functionality directly)? If so, why was this dependency chosen over them?
79
+
- Does Kibana have a dependency providing similar functionality? If so, why is the new one preferred?
80
+
81
+
Responsible: PR author
82
+
83
+
2.**Snyk health check**. Setting the healthy threshold at 70 provides pragmatic balance: prioritizes maintenance, filters out major security risks and indicates acceptable quality. Score is calculated as a weighted mean based on maintenance, security, quality and popularity.
84
+
- Ensure a minimum health score is >= 70 in [Snyk Advisor](https://snyk.io/advisor).
85
+
- If the health score is below 70, a valid business justification must be provided.
86
+
87
+
Responsible: PR author
88
+
89
+
3.**Vulnerability assessment**. Check vulnerability reports from Snyk for the exact dependency version, available through [Snyk Advisor](https://snyk.io/advisor).
90
+
If vulnerabilities are present:
91
+
92
+
-**Critical (CVSS 9.0 - 10.0)**:
93
+
-**False positive:** Proceed to Step 4.
94
+
-**Confirmed vulnerability:** Reject dependency.
95
+
96
+
-**High (CVSS 7.0 - 8.9)**:
97
+
-**False positive:** Proceed to Step 4.
98
+
-**Confirmed vulnerability:** Reject dependency.
99
+
100
+
-**Medium/Low (CVSS 0.0 - 6.9)**:
101
+
-**False positive:** Proceed to Step 4.
102
+
-**Confirmed vulnerability:** Exception can be granted if the vulnerability is confirmed to be impossible to exploit and and there is no better alternative.
103
+
104
+
Responsible: PR author
105
+
106
+
4.**Handling false positives**. If a vulnerability is considered to be a false positive:
107
+
- Clearly document why the vulnerability is considered a false positive.
108
+
- Submit an exception request following the Vulnerability Exception Policy and Procedures.
109
+
- The exception request must be created **before merging** the dependency.
110
+
- Initial exception timeframe is suggested to be 30 days. If there would be no upgrade path available after a month, longer exception timeframe can be requested.
111
+
112
+
Responsible: PR author
113
+
114
+
5.**Approval**. Document the entire assessment clearly, including:
115
+
- Final health score.
116
+
- CVSS scores of identified issues if applicable.
117
+
- Justification for any accepted false positives if applicable.
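Review bot: In the Medium/Low branch the sentence "impossible to exploit and and there is no better alternative" duplicates "and"; more importantly, that branch is the only one that admits a confirmed vulnerability, yet the only exception process the hunk describes (Step 4, the Vulnerability Exception Policy and Procedures) is for false positives, and Step 5 asks to document "Justification for any accepted false positives if applicable" but says nothing about documenting an accepted Medium/Low vulnerability or a health score below 70 that was waived on business justification. Suggest stating where the Medium/Low exception is requested and by whom it is approved, and widening the last Step 5 bullet to something like "Justification for any accepted exceptions (false positives, accepted Medium/Low vulnerabilities, health scores below 70) if applicable." Minor: the Critical and High branches have identical outcomes and could be merged into one "Critical or High (CVSS 7.0 - 10.0)" bullet, and the list markers appear with no space before the bold text ("1.**Justification and context**", "-**Critical (CVSS 9.0 - 10.0)**:"), which MDX will not render as numbered or bulleted items unless the space is present in the source file.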
src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_attack_discovery_schema.ts