* vulnerabilities: integrate vulnerabilities into documentation page
* vulnerabilities: add signature file
* vulnerabilities: add CVE
* vulnerabilities: more info about github advisories
* vulnerabilities: link to GH advisories
In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers.
@ -47,7 +52,9 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list of some of the known security-relevant vulnerabilities concerning `geth`.
In this folder, you can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant vulnerabilities concerning `geth`.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected by any publically disclosed vulnerability, using the command `geth version-check`. This command will fetch the latest json file (and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch.
The list was started in November 2020, and covers mainly `v1.9.7` and forward.
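Review bot: The `geth version-check` sentence has an unbalanced parenthesis and two spelling slips: "(and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check" is never closed, "publically" should be "publicly", and "it's own version number" should be "its own version number". More importantly for a reader deciding whether to trust the output, the sentence only says the signature file is fetched; it does not say that the minisig signature is verified against a key the binary trusts before the JSON is used, so please state that explicitly (or link to where the verification is described), otherwise the signature file reads as informational rather than as the integrity check it is meant to be. Minor: "Github" is spelled "GitHub" by the vendor, and this hunk and the next use both forms.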
@ -75,4 +82,13 @@ The JSON file of known vulnerabilities below is a list of objects, one for each
- Takes into account the severity of impact and likelihood of exploitation.
- `check`
- This field contains a regular expression, which can be used against the reported `web3_clientVersion` of a node. If the check
matches, the node is with a high likelyhood affected by the vulnerability.
matches, the node is with a high likelyhood affected by the vulnerability.
- `CVE`
- The assigned `CVE` identifier, if available (optional)
### What about Github security advisories
We prefer to not rely on Github as the only/primary publishing protocol for security advisories, but
we plan use the Github-advisory process as a second channel for disseminating vulnerability-information.
Advisories published via Github can be accessed [here](https://github.com/ethereum/go-ethereum/security/advisories?state=published).
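Review bot: The `check` field description has "likelyhood" for "likelihood", and the sentence "matches, the node is with a high likelyhood affected by the vulnerability." appears twice in the rendered hunk, which suggests a whitespace-only change to that line; if so, drop the duplicate so the paragraph reads once. Since the regex is matched against `web3_clientVersion` as reported by the node, it would help to note that the check is only as reliable as the version string the node reports, so a match is an indicator rather than a confirmation. In the new "What about Github security advisories" section, "we plan use the Github-advisory process" should be "we plan to use the GitHub advisory process", and the heading reads as a question and is missing its question mark.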