Security Policy

Supported Versions

The GoCD community only actively maintains and fixes security issues on top of the most recent released version.

Since breaking changes are rare, and generally sign-posted well in advance, we encourage users to stay on a recent or current version to allow for upgrade as easily as possible in the event of a security defect.

Having said this, wherever possible we will try and provide suggested mitigations or workarounds for older versions.

Reporting a Vulnerability

Please report any issues to https://hackerone.com/gocd according to the listed policy.

Baseline

This represents the oldest versions which have no known exploitable vulnerabilities of a given severity, as assessed by GoCD maintainers and/or NIST NVD via CVSS 3.1. Users are strongly recommended to be on at least these versions; and preferably the latest version.

Please note that this does not mean that there are zero potential vulnerabilities known from GoCD's dependencies in this or subsequent versions. However where such vulnerabilities exist, none have been confirmed to be exploitable via GoCD itself (without a prior non-GoCD breach).

How do I know if I am using a release with known vulnerabilities?

In more recent years, an effort has been made to publish and request CVEs for responsibly disclosed & fixed issues to increase transparency and help users assess risk of running older versions.

While many are available as GitHub Security Advisories, you can generally use the NIST NVD database query tools to search for those affecting your specific version by replacing the version 22.3.0 with your own and clicking "Search".

Note that this unlikely to be a complete listing of all reported, responsibly disclosed and fixed issues. If there is a publicly disclosed historical issue that is missing, please raise an issue to let us know, and we will endeavour to document it properly.

What about potential vulnerabilities from transitive dependencies?

The GoCD team make a concerted effort to keep dependencies up-to-date wherever possible, however GoCD does still have some EOL dependencies with known vulnerabilities that GoCD is not vulnerable to, but which may create noise in scanner reports.

While this is a moving target the GoCD team maintain documented suppressions with commentary via:

• OWASP Dependency Check - Java, JavaScript & Ruby/JRuby dependencies
  • current suppressions
  • build.gocd.org report off master (use Guest login)
• Trivy - built container images (OS and packaged dependencies), especially server
  • current suppressions
  • build.gocd.org Security-Checks-Containers pipeline (use Guest login)