oscerd commented on code in PR #23503: URL: https://github.com/apache/camel/pull/23503#discussion_r3297230204
########## docs/user-manual/modules/ROOT/pages/security-model.adoc: ########## @@ -510,6 +667,166 @@ they are, the change is announced through the normal upgrade-guide channel. defaults. A report against Camel must show the Camel framework, not the underlying client, is the cause. +=== Known non-findings + +Patterns that automated scanners, AI-assisted analysers and human +reviewers repeatedly report against Camel that are *not* framework +vulnerabilities under this model. Each entry names the recurring claim, +cites the section of this document that discharges it, and where +appropriate states the suppression shape. This list is the +highest-leverage input for an automated triage pass; it can be fed back +to a scanner verbatim as a negative prompt or suppression configuration. +Disposition is `KNOWN-NON-FINDING` (see _Triage dispositions_). + +* *"Component X depends on a JAR with CVE-Z, therefore Camel is + vulnerable."* Out of scope per the transitive-dependency entry in + _Out of scope_, unless the report demonstrates a Camel-exposed code Review Comment: I'm restricting that -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
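Review bot: the lead paragraph of the new `=== Known non-findings` section says the list "can be fed back to a scanner verbatim as a negative prompt or suppression configuration", but the first bullet is conditional ("unless the report demonstrates a Camel-exposed code ..."), so a verbatim suppression keyed on the claim would also silence the qualifying case the exception is meant to keep. Suggest adding a sentence to that paragraph stating that a suppression derived from an entry must carry the entry's exception clause, or phrasing each bullet's suppression shape so the condition is part of the match rather than only of the prose. Minor: `_Triage dispositions_` and `_Out of scope_` render as italics in AsciiDoc, not as links; if those sections have anchors, an xref (`<<...>>`) would let readers and tooling follow the citation.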
