MD Formatting of security processes mk. II
Signed-off-by: Chris Walker <chris@webtide.com>
diff --git a/content/en_security_processes.php b/content/en_security_processes.php
index f1e9874..15ee9c6 100644
--- a/content/en_security_processes.php
+++ b/content/en_security_processes.php
@@ -42,60 +42,60 @@
</div>
<div class="olist arabic">
<pre>
- - [ ] On receipt of a security report via <a href="mailto:security@webtide.com">security@webtide.com</a> or other channels, if it cannot be trivially dismissed (already fixed, known not a problem, etc.), then a <a href="https://github.com/eclipse/jetty.project/security/advisories?state=published">Github security advisory</a> is created by project leadership.</p>
+- [ ] On receipt of a security report via <a href="mailto:security@webtide.com">security@webtide.com</a> or other channels, if it cannot be trivially dismissed (already fixed, known not a problem, etc.), then a <a href="https://github.com/eclipse/jetty.project/security/advisories?state=published">Github security advisory</a> is created by project leadership.</p>
- - [ ] Copy this list as a markdown in the security advisory for tracking the completion of various tasks.
+ - [ ] Copy this list as a markdown in the security advisory for tracking the completion of various tasks.
- - [ ] Jetty committers and the reporters are added to the security advisory. Individual committers can also be named in the comments for addition.
+- [ ] Jetty committers and the reporters are added to the security advisory. Individual committers can also be named in the comments for addition.
- - [ ] Initial triage and discussion are performed in the comments of the advisory.
+- [ ] Initial triage and discussion are performed in the comments of the advisory.
- - [ ] If enough information exists to attempt reproduction or fix, then a private repository is created as part of the GitHub security advisory.
+- [ ] If enough information exists to attempt reproduction or fix, then a private repository is created as part of the GitHub security advisory.
- - [ ] If the vulnerability cannot be confirmed then close the security advisory, else continue.
+- [ ] If the vulnerability cannot be confirmed then close the security advisory, else continue.
- - [ ] Generate a <a href="https://www.first.org/cvss/calculator/3.0">CVE score</a> and add it to the advisory description.
+- [ ] Generate a <a href="https://www.first.org/cvss/calculator/3.0">CVE score</a> and add it to the advisory description.
- - [ ] Identify a <a href="https://cwe.mitre.org/data/definitions/699.html">CWE Definition</a> and add it to the advisory description.
+- [ ] Identify a <a href="https://cwe.mitre.org/data/definitions/699.html">CWE Definition</a> and add it to the advisory description.
- - [ ] Identify vulnerable version(s), including current and past versions that are affected (e.g. 9.4.0 through 9.4.35, and 10.0.0.alpha1 through 10.0.0.beta3…​etc.)
+- [ ] Identify vulnerable version(s), including current and past versions that are affected (e.g. 9.4.0 through 9.4.35, and 10.0.0.alpha1 through 10.0.0.beta3…​etc.)
- - [ ] Identify and document workaround(s), if applicable, in the comments of the security advisory.
+- [ ] Identify and document workaround(s), if applicable, in the comments of the security advisory.
- - [ ] Open an <a href="https://bugs.eclipse.org/bugs/">Eclipse Bugzilla</a> issue to have a CVE allocated. The issue should be opened under the <em>Community</em> "Product" category with a "Component" of <em>Vulnerability Reports</em>. The CVE <a href="https://www.eclipse.org/projects/handbook/#vulnerability-cve">should include</a> the following:
- 1. Version(s) affected
- 2. CVE Score
- 3. CWE Identifier(s)
- 4. Brief description of the issue
+- [ ] Open an <a href="https://bugs.eclipse.org/bugs/">Eclipse Bugzilla</a> issue to have a CVE allocated. The issue should be opened under the <em>Community</em> "Product" category with a "Component" of <em>Vulnerability Reports</em>. The CVE <a href="https://www.eclipse.org/projects/handbook/#vulnerability-cve">should include</a> the following:
+ 1. Version(s) affected
+ 2. CVE Score
+ 3. CWE Identifier(s)
+ 4. Brief description of the issue
- - [ ] Once the CVE is allocated update the Security Advisory with the number
+- [ ] Once the CVE is allocated update the Security Advisory with the number
- - [ ] Build and test fix(es) locally and in CI environment.
+- [ ] Build and test fix(es) locally and in CI environment.
- - [ ] Merge tests and fix - ensure description does not mention vulnerability directly. Do not merge directly from the security advisory as it can be traced back before publication.
+- [ ] Merge tests and fix - ensure description does not mention vulnerability directly. Do not merge directly from the security advisory as it can be traced back before publication.
- - [ ] Build and stage release candidate.
+- [ ] Build and stage release candidate.
- - [ ] Notify interested parties of pending security advisory and staged release:
- 1. Include CVE number, CVE score, and CWE
- 2. Include Workarounds
- 3. Stress that it is confidential
- 4. Advise the security advisory will be published in 2 days unless they indicate they need more time.
+- [ ] Notify interested parties of pending security advisory and staged release:
+ 1. Include CVE number, CVE score, and CWE
+ 2. Include Workarounds
+ 3. Stress that it is confidential
+ 4. Advise the security advisory will be published in 2 days unless they indicate they need more time.
- - [ ] If testing is OK, then the release is promoted.
+- [ ] If testing is OK, then the release is promoted.
- - [ ] Interested parties are notified of the availability of release on Maven Central.
+- [ ] Interested parties are notified of the availability of release on Maven Central.
- - [ ] Publish security advisory and CVE publicly.
+- [ ] Publish security advisory and CVE publicly.
- - [ ] Edit VERSION.txt and so that the CVE number is now recorded against merged PR.
+- [ ] Edit VERSION.txt and so that the CVE number is now recorded against merged PR.
- - [ ] Edit the <a href="https://github.com/eclipse/jetty.project/releases">release(s)</a> on Github to identify CVE number that was addressed/resolved.
+- [ ] Edit the <a href="https://github.com/eclipse/jetty.project/releases">release(s)</a> on Github to identify CVE number that was addressed/resolved.
- - [ ] Update downstream images (Docker, etc.).
+- [ ] Update downstream images (Docker, etc.).
- - [ ] Review security processes & completion.
+- [ ] Review security processes & completion.
</pre>
</div>
<div class="sect4">
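Review bot: the rewritten lines keep the stray `</p>` at the end of the first checklist item (the `+- [ ] On receipt of a security report ...` line), which has no matching `<p>` inside the `<pre>` block; drop it so the markup stays well-formed. While touching these lines, the second item (`+ - [ ] Copy this list as a markdown ...`) is the only one that retains a leading space, so it will render as a nested sub-item of the first; if that nesting is intended, fine, otherwise align it with the rest. Two wording fixes also belong in this hunk: the "CVE score" items link to the CVSS calculator, so they should read "CVSS score" (CVE is the identifier, CVSS the severity score), and `Edit VERSION.txt and so that the CVE number is now recorded against merged PR` should read `Edit VERSION.txt so that the CVE number is recorded against the merged PR`. Finally, the spelling alternates between "Github" and "GitHub" across the list; the product name is "GitHub".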