Pull-Request submission specification (English version)

About OSCS

Making every open-source project more secure is the goal of the OSCS community (opens new window), which promotes open-source software supply chain security.

The OSCS security community supports white hats in their efforts to identify security risks in open source projects, and enhance the security of these projects by assisting white hats in submitting high-quality PRs (opens new window).

High-quality PR production process

1. Murphysec for security risk detection

Murphysec (opens new window) is used by the OSCS security community to find open source projects and dependencies that have known security vulnerabilities.

murphysec: A well-known GitHub open source project that offers expert project SBOM analysis, the ability to identify open source security risks, and a comprehensive vulnerability knowledge store.

2. Generate PR via murphysec

In order to assess whether there is a security version that can be upgraded for these dependencies with security concerns, OSCS reviews the vulnerability information. After that, it generates PR material.

3. CI Testing

Each PR will undergo CI testing by the OSCS community prior to submission, and the PR will describe the CI testing procedures and outcomes.

4. The community white hat confirms the PR

The content of the PR is judged or edited by the white hats of the OSCS community to ensure that the content is accurate.

5. The community white hat submit PR

The white hat completes the PR submission in the end.

Description of PR content

1. Specification of the description information

• Explain what this PR does
• Explain why this PR was created
• Describe the tests and issues that were performed on this PR

2. Template for description information

**What happened？**

There are 3 security vulnerabilities found in io netty:netty-all 4.1.43.Final

- [CVE-2020-7238](https://www.oscs1024.com/hd/MPS-2020-1320)     
- [CVE-2019-20444](https://www.oscs1024.com/hd/MPS-2020-1526)   
- [MPS-2019-20445](https://www.oscs1024.com/hd/MPS-2020-1527)   

**What did I do？**

Upgrade netty-all from 4.1.43.Final to 4.1.44.Final for vulnerability fix

**What did you expect to happen？**

Ideally, no insecure libs should be used.

**How was this patch tested?**

- Run `mvn clean test` succeeded locally, all tests passed.
- Run `mvn compile` succeeded locally.

**The specification of the pull request**

[PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS

OSCS社区 PR 提交规范（中文版）

关于OSCS社区

OSCS (opens new window) 是开源软件供应链安全社区，致力于让每一个开源项目更安全。

OSCS 安全社区帮助白帽子发现开源项目中存在的安全风险，并辅助白帽子提交一个高质量的PR (opens new window)来帮助开源项目维护者解决这些风险，提升开源项目的安全性。

高质量的PR生产过程

1. 通过murphysec检测安全风险

OSCS安全社区使用 murphysec (opens new window) 检测工具，对开源项目进行检测，识别出其中使用的存在已知安全风险的依赖。

murphysec：知名 GitHub 开源项目，拥有专业的项目 SBOM 分析和开源安全风险识别能力，并且拥有丰富的漏洞知识库。

2. murphysec 生成 PR

针对识别出来存在安全风险的依赖，review 其使用版本和漏洞列表，确定是否存在安全版本可以进行升级并生成对应的 PR 内容。

3. OSCS社区执行 CI 测试

每一个PR被创建之前，会经过 OSCS 社区的 CI 测试，并将 CI 测试的方式和结果在PR中进行说明。

4. 社区白帽子确认PR

由 OSCS 社区白帽子对 PR 的内容进行判断或编辑，确保内容准确。

5. 社区白帽子提交PR

最后由白帽子完成 PR 的提交。

关于 PR 内容的说明

1. 描述信息的规范

• 说明这个 PR 做了什么
• 说明为什么要创建这个 PR
• 说明对这个 PR 进行的测试和存在的问题

2. 描述信息模板

**What happened？**

There are 3 security vulnerabilities found in io netty:netty-all 4.1.43.Final

- [CVE-2020-7238](https://www.oscs1024.com/hd/MPS-2020-1320)     
- [CVE-2019-20444](https://www.oscs1024.com/hd/MPS-2020-1526)   
- [MPS-2019-20445](https://www.oscs1024.com/hd/MPS-2020-1527)  

**What did I do？**

Upgrade netty-all from 4.1.43.Final to 4.1.44.Final for vulnerability fix

**What did you expect to happen？**

Ideally, no insecure libs should be used.

**How was this patch tested?**

- Run `mvn clean test` succeeded locally, all tests passed.
- Run `mvn compile` succeeded locally.

**The specification of the pull request**

[PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS