Contributor

@cederom cederom commented Dec 22, 2025

Summary

  • Each Apache project should have its own security guide.
  • Security section is added to the NuttX documentation.
  • Information about reported and fixed CVEs.
  • Information and hints on how to report and handle security issues in accordance with The Apache Security Team [1] and Committers Guide [2].
  • Information on what is and is not considered a vulnerability.

[1] https://www.apache.org/security
[2] https://www.apache.org/security/committers.html

Impact

  • Users are provided with dedicated page about NuttX security.
  • Project members have hints on how to handle security process.
  • List of existing reported/fixed CVEs.

Testing

% uname -a
FreeBSD hexagon 14.3-RELEASE-p5 FreeBSD 14.3-RELEASE-p5 GENERIC amd64

% gmake autobuild
[sphinx-autobuild] > python -m sphinx . _build -j 8 -W
Running Sphinx v6.2.1
loading pickled environment... done
myst v3.0.1: MdParserConfig(commonmark_only=False, gfm_only=False, enable_extensions=set(), disable_syntax=[], all_links_external=False, links_external_new_tab=False, url_schemes=('http', 'https', 'mailto', 'ftp'), ref_domains=None, fence_as_directive=set(), number_code_blocks=[], title_to_header=False, heading_anchors=0, heading_slug_func=None, html_meta={}, footnote_transition=True, words_per_minute=200, substitutions={}, linkify_fuzzy_links=True, dmath_allow_labels=True, dmath_allow_space=True, dmath_allow_digits=True, dmath_double_inline=False, update_mathjax=True, mathjax_classes='tex2jax_process|mathjax_process|math|output_area', enable_checkboxes=False, suppress_warnings=[], highlight_code_blocks=True)
Tags updated
building [mo]: targets for 0 po files that are out of date
writing output...
building [html]: targets for 130 source files that are out of date
updating environment: 0 added, 130 changed, 0 removed
reading sources... [100%] _tags/vendor-elegoo .. _tags/wifi
looking for now-outdated files... none found
pickling environment... done
checking consistency... done
preparing documents... done
writing output... [100%] _tags/vendor-arduino .. index
generating indices... genindex done
writing additional pages... search done
copying downloadable files... [100%] components/drivers/special/usbmonitor_wireshark_linux_example_adb.pcapng
copying static files... done
copying extra files... done
dumping search index in English (code: en)... done
dumping object inventory... done
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*:: net_driver_s'.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*sigaction.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*open.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*close.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*read.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*write.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*ioctl.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*mmap.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*poll.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*dup.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*rewinddir.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*bind.*
WARNING:root:Unused expression: .*Duplicate C declaration.*\n.*'\.\. c:.*::.*unlink.*
build succeeded.

The HTML pages are in _build.
[sphinx-autobuild] Serving on http://127.0.0.1:8000
[sphinx-autobuild] Detected changes (_tags)
[sphinx-autobuild] Rebuilding...
* Each Apache project should have its own security guide.
* Security section is added to the NuttX documentation.
* Information about reported and fixed CVEs.
* Information and hints on how to report and handle security issues
  in accordance with The Apache Security Team [1] and Committers Guide [2].
* Information on what is and is not considered a vulnerability.

[1] https://www.apache.org/security
[2] https://www.apache.org/security/committers.html

Signed-off-by: Tomasz 'CeDeROM' CEDRO <tomek@cedro.info>
@cederom cederom added Area: Documentation Improvements or additions to documentation Area: Security Security of OS in secure modes labels Dec 22, 2025
@cederom cederom marked this pull request as draft December 22, 2025 01:51
@github-actions github-actions bot added the Size: M The size of the change in this PR is medium label Dec 22, 2025
Contributor

@linguini1 linguini1 left a comment

Looks good to me! I think the commit message should start with docs/security: to be consistent with other messages.

NuttX CVEs
==========

TODO
Contributor

You can use the .. todo:: directive here to indicate to contributors what is left to be done in the hopes that they might add some information.

Vulnerabilities and Exposures) identifiers. List of known, responsibly
disclosed, and fixed vulnerabilities are publicly available online at
`CVE.ORG <https://www.cve.org/CVERecord/SearchResults?query=nuttx>`_.
Offline bundled version is located at the bottom of this page in the
Contributor

Do we need that?

Contributor Author

other websites have it so we can have it too.. or mark as todo and add in a free moment :-)

but most importanly fix patches are more than welcome.**

5. There are problems that we are well aware of, and have been reported
to us many times, but we do not class as a security vulnerability, see
Contributor

do not classify

Below is an extract of the most important information:

1. Please report potential security vulnerabilities over email to
security@apache.org and security@nuttx.apache.org **before disclosing
Member

You don't have a security@nuttx.apache.org list yet, right? You can request one (see https://apache.org/security/committers.html#lists), but I'm not sure it's necessary for nuttx.

Contributor Author

nope we do not have one yet, i asked pmc if we want one, it seems automated with security@apache.. will probably make a vote or retry the internal discussion, thanks! :-)

any reference to the security nature of the commit.


Below is an extract of the most important information:
Member

you seem to repeat most of the workflow at https://apache.org/security/committers.html . I'm not opposed to it, but it doesn't seem necessary.

Contributor Author

yes, just to have all-in-one place hints for reporters and handlers and part of the documentation :-)

Comment on lines +130 to +153
Not security vulnerabilities
============================

Apache NuttX RTOS is highly portable to over 15 different CPU architectures,
including microcontrollers with as tiny memory resources as single kilobytes
of RAM/Flash memory. Putting additional checks outside a generic nature would
dramatically impact final firmware performance and size.
**Function parameters and incoming data validation rests on the
custom application/firmware developer.**

Special care should be taken when handling:

* syscalls.
* pointers (always set to NULL before and after use).
* structures (always initialize with ``{0}`` before use).
* user controllable data (type and size).
* network data.
* dynamically allocated buffers.

.. note::
If you find a generic problem in existing code base that
may impact Confidentiality, Integrity, or Availability (i.e. information
leak, denial of service, remote code execution) and is not your own custom
application specific, please send us a security report.
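
Review bot: In the "Special care should be taken when handling" list, the structures item recommends initializing with ``{0}``, which sets the members but does not guarantee that padding bytes are cleared. For structures that are later handed across a syscall boundary or written to the network (both are in the same list), consider recommending memset() over the whole object, since leftover padding is a common source of information leaks. The pointers item "always set to NULL before and after use" also reads ambiguously; "initialize to NULL at declaration and reset to NULL after freeing" would state the intent more clearly.
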
Member

Great!

Contributor

@hartmannathan hartmannathan left a comment

Only one minor typo; otherwise, thank you for improving NuttX Documentation!

urgent cases special patch releases may be created to address the issue.
In order to keep this process smooth please provide us with as much
details as possible. **Reproducible examples, proof-of-concept code,
but most importanly fix patches are more than welcome.**
Contributor

Suggested change
but most importanly fix patches are more than welcome.**
but most importantly fix patches are more than welcome.**