2021-01-08 Meeting Notes

Date

08 Jan 2021

Attendees

Discussion items

Time | Item | Who | Notes

- | Review Security Issues | Team | Review Kanban board

Stripes Node version restriction

The FOLIO Security Team should give the Technical Council a proposal on how to proceed with STCOR-497 "Node.js TLS, HTTP and OpenSSL security vulnerabilities (CVE-2020-8265, CVE-2020-8287, CVE-2020-1971)" and the pull request stripes-core/pull/982.

Option a): Close as "Won't do" and create a separate Jira to create documentation for DevOps and SysOps about secure Node versions.

Option b): Commit the change (merge the pull request).

The pull request is a one-line change to the "engines" field in stripes-core package.json: "node": ">=15.5.1 || ^14.15.4 || ^12.20.1"
It makes the package manager reject vulnerable Node versions at install time; example output from a Jenkins build:

The engine "node" is incompatible with this module.
Expected version ">=15.5.1 || ^14.15.4 || ^12.20.1". Got "12.20.0"

Stripes developers don't want to be responsible for DevOps and SysOps teams that fail to run a fully patched system, and therefore suggest option a), whereas option b) requires less effort for the whole project and results in security by default. For details see the discussion on stripes-core/pull/982.
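To make the effect of the one-line change concrete, here is an added example (not code from stripes-core or the pull request) that re-implements just the comparator forms used in that range (">=", "^" and "||") and reproduces the engine check a package manager performs; real tooling uses the `semver` package, and the constant name and function names are assumptions of this example.

```javascript
// Added example: minimal "engines" check for the range proposed in
// stripes-core/pull/982. Handles only ">=x.y.z", "^x.y.z" and "||",
// which is all that range needs; the caret rule implemented is the one
// for major >= 1 (all Node versions in the range qualify).

const ENGINES_NODE = ">=15.5.1 || ^14.15.4 || ^12.20.1";

// Parse "12.20.0" (optionally prefixed with "v", as process.version is)
// into a [major, minor, patch] triple of numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ">=x.y.z": at least x.y.z.  "^x.y.z": at least x.y.z but below the
// next major, so ^12.20.1 accepts 12.21.0 and rejects 13.0.0 and 12.20.0.
function satisfiesComparator(version, comparator) {
  const c = comparator.trim();
  if (c.startsWith(">=")) {
    return compare(version, parseVersion(c.slice(2))) >= 0;
  }
  if (c.startsWith("^")) {
    const min = parseVersion(c.slice(1));
    const nextMajor = [min[0] + 1, 0, 0];
    return compare(version, min) >= 0 && compare(version, nextMajor) < 0;
  }
  throw new Error(`unsupported comparator: ${comparator}`);
}

// "||" joins alternatives: the version passes if any alternative matches.
function satisfiesRange(versionString, range = ENGINES_NODE) {
  const version = parseVersion(versionString);
  return range.split("||").some((alt) => satisfiesComparator(version, alt));
}

// Mirrors the engine check: returns the Jenkins-style message for a
// rejected version, or null when the version is acceptable.
function checkEngine(nodeVersion, range = ENGINES_NODE) {
  if (satisfiesRange(nodeVersion, range)) return null;
  return `The engine "node" is incompatible with this module.\n` +
    `Expected version "${range}". Got "${nodeVersion}"`;
}
```

Calling `checkEngine(process.version)` under Node 12.20.0 returns the same message the Jenkins log above shows, while any patched release in the three lines returns null.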


Safe harbor, policies

Safe Harbor Statement/Acceptable Use Policy: Mike will make the request for funding a legal review next week.


- | Creation of JIRA issues | Team |

We talked in the past about having a security issue created automatically whenever an email is sent to security@folio.org; currently we rely on people reviewing the vulnerability reports.

  • Mike to review the creation of an issue from email.
  • Discuss at the next meeting how to handle the vulnerability report digests (perhaps by reviewing the GitHub security dashboards); Mike will ask Malc for ideas on this.