Conversation

@cederom (Contributor) commented Dec 22, 2025

Summary

  • Each Apache project should have its own security guide.
  • Security section is added to the NuttX documentation.
  • Information about reported and fixed CVEs.
  • Information and hints on how to report and handle security issues in accordance with The Apache Security Team [1] and Committers Guide [2].
  • Information on what is and is not considered a vulnerability.
  • List of existing NuttX CVEs added.

[1] https://www.apache.org/security
[2] https://www.apache.org/security/committers.html

Impact

  • Users are provided with a dedicated page about NuttX security.
  • Project members have hints on how to handle the security process.
  • List of existing reported/fixed CVEs.

Testing

% uname -a
FreeBSD hexagon 14.3-RELEASE-p5 FreeBSD 14.3-RELEASE-p5 GENERIC amd64

% gmake autobuild
[sphinx-autobuild] > python -m sphinx . _build -j 8 -W
Running Sphinx v6.2.1
loading pickled environment... done
myst v3.0.1: MdParserConfig(commonmark_only=False, gfm_only=False, enable_extensions=set(), disable_syntax=[], all_links_external=False, links_external_new_tab=False, url_schemes=('http', 'https', 'mailto', 'ftp'), ref_domains=None, fence_as_directive=set(), number_code_blocks=[], title_to_header=False, heading_anchors=0, heading_slug_func=None, html_meta={}, footnote_transition=True, words_per_minute=200, substitutions={}, linkify_fuzzy_links=True, dmath_allow_labels=True, dmath_allow_space=True, dmath_allow_digits=True, dmath_double_inline=False, update_mathjax=True, mathjax_classes='tex2jax_process|mathjax_process|math|output_area', enable_checkboxes=False, suppress_warnings=[], highlight_code_blocks=True)
Tags updated
building [mo]: targets for 0 po files that are out of date
writing output...
building [html]: targets for 130 source files that are out of date
updating environment: 0 added, 130 changed, 0 removed
reading sources... [100%] _tags/vendor-elegoo .. _tags/wifi
looking for now-outdated files... none found
pickling environment... done
checking consistency... done
preparing documents... done
writing output... [100%] _tags/vendor-arduino .. index
generating indices... genindex done
writing additional pages... search done
copying downloadable files... [100%] components/drivers/special/usbmonitor_wireshark_linux_example_adb.pcapng
copying static files... done
copying extra files... done
dumping search index in English (code: en)... done
dumping object inventory... done
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*:: net_driver_s'.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*sigaction.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*open.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*close.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*read.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*write.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*ioctl.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*mmap.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*poll.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*dup.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*rewinddir.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*bind.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*unlink.*
build succeeded.

The HTML pages are in _build.
[sphinx-autobuild] Serving on http://127.0.0.1:8000
[sphinx-autobuild] Detected changes (_tags)
[sphinx-autobuild] Rebuilding...

@cederom cederom added Area: Documentation Improvements or additions to documentation Area: Security Security of OS in secure modes labels Dec 22, 2025
@cederom cederom marked this pull request as draft December 22, 2025 01:51
@github-actions github-actions bot added the Size: M The size of the change in this PR is medium label Dec 22, 2025
@linguini1 (Contributor) left a comment
Looks good to me! I think the commit message should start with docs/security: to be consistent with other messages.

jerpelea
jerpelea previously approved these changes Dec 29, 2025
hartmannathan
hartmannathan previously approved these changes Dec 29, 2025
@hartmannathan (Contributor) left a comment
Only one minor typo; otherwise, thank you for improving NuttX Documentation!

@cederom cederom dismissed stale reviews from hartmannathan and jerpelea via 19a6e71 January 1, 2026 21:56
@cederom cederom force-pushed the 20251221-cederom-doc-security branch 2 times, most recently from 19a6e71 to a91410f Compare January 1, 2026 21:58
@cederom (Contributor, Author) commented Jan 1, 2026

  • Thank you everyone for verification and feedback!
  • Sorry for the delay; it was a really hard year and I needed some offline rest, at least during Christmas time with my family, out of my lab.
  • The "Not a security vulnerability" section was moved up, to below "Known vulnerabilities".
  • The security issues handling section was split into 4 steps for clarity: reporting, investigation, the fix, public announcement. I think it is good to have it here because we will all know what the process is and not skip any important steps.
  • Added the list of existing CVEs, including those published today. By the way, I took a second look at our last reports and got some ideas on improvements below.
  • I noticed that placing all people involved in credits may improve things on our end by providing motivation and public credits.
  • I realized I missed @raboof as coordinator in the credits, my sincere apologies and big thank you for really perfect support coordination and patience!! Credits added to our docs and will update cves after review is closed :-)
  • I noticed that older CVEs contain private emails, while it should be apache related emails where possible. I fixed that in the docs, please verify.
  • After we review this document I will also update existing CVEs.
  • @simbit18 can you please provide first and last name + email to put in the credits? Do you have an apache email?
  • @xiaoxiang781216 can you please verify reviewers credits are all info correct?
  • One RST formatting question: is it possible to break long URL links so we keep line length at 80 chars, or does it have to be one long line?

@cederom cederom force-pushed the 20251221-cederom-doc-security branch from a91410f to db45385 Compare January 1, 2026 22:15
@linguini1 (Contributor)

  • One RST formatting question: is it possible to break long URL links so we keep line length at 80 chars, or does it have to be one long line?

To my knowledge, the URL must be one continuous line.

linguini1
linguini1 previously approved these changes Jan 1, 2026
simbit18
simbit18 previously approved these changes Jan 2, 2026
@cederom cederom force-pushed the 20251221-cederom-doc-security branch 3 times, most recently from b29eb57 to b020fc4 Compare January 4, 2026 12:18
* Each Apache project should have its own security guide.
* Security section is added to the NuttX documentation.
* Information about reported and fixed CVEs.
* Information and hints on how to report and handle security issues
  in accordance with The Apache Security Team [1] and Committers Guide [2].
* Information on what is and is not considered a vulnerability.
* List of existing NuttX CVEs added.

[1] https://www.apache.org/security
[2] https://www.apache.org/security/committers.html

Signed-off-by: Tomasz 'CeDeROM' CEDRO <[email protected]>
@cederom cederom force-pushed the 20251221-cederom-doc-security branch from b020fc4 to 0d322db Compare January 4, 2026 12:33
@cederom cederom changed the title DOC: Add Security section to the documentation. docs/security: Add Security section to the documentation. Jan 4, 2026
@cederom cederom self-assigned this Jan 4, 2026
@cederom cederom marked this pull request as ready for review January 4, 2026 12:58
@cederom (Contributor, Author) commented Jan 4, 2026

Okay, details updated, mailing list creation requested, ready for review and merge, thank you! :-)

@xiaoxiang781216 xiaoxiang781216 merged commit 3ab698c into apache:master Jan 5, 2026
3 checks passed
@raboof (Member) commented Jan 6, 2026

Great! You might also want to point the 'Security' link in the menu of your website to https://nuttx.apache.org/docs/latest/security.html instead of https://www.apache.org/security/ , to make the NuttX-specific instructions more prominent.

@raboof (Member) commented Jan 6, 2026

(I updated the links at https://security.apache.org/projects/)

@cederom (Contributor, Author) commented Jan 6, 2026

Big thank you @raboof for all of your support :-) Will update the website in a free moment, good idea! :-)

@cederom (Contributor, Author) commented Jan 7, 2026

WWW updates and fixes ready for review here apache/nuttx-website#162 thanks @raboof :-)
