docs: add a disclaimer about security vulnerabilities
buuhuu committed Jun 11, 2024
1 parent 2f23af5 commit 7e185b7
Showing 1 changed file with 29 additions and 0 deletions.
29 changes: 29 additions & 0 deletions README.md
Expand Up @@ -112,3 +112,32 @@ Setup your local development environment for [AEM as a Cloud Service SDK](https:
[ARCHETYPE-308](https://issues.apache.org/jira/browse/ARCHETYPE-308) for details).

* You can't use this archetype in Eclipse when starting a new project with `File -> New -> Maven Project` since the post generation script [`archetype-post-generate.groovy`](https://github.com/adobe/aem-project-archetype/blob/master/src/main/resources/META-INF/archetype-post-generate.groovy) will not be executed due to an [Eclipse issue](https://bugs.eclipse.org/bugs/show_bug.cgi?id=514993). Workaround is to use the above command line and then in Eclipse use `File -> Import -> Existing Maven Project`.

### Security Vulnerabilities

The aem-project-archetype is not a product, such as if we update the archetype to address security vulnerabilities it will automatically propagate to all the projects created using it. The archetype is rather a template customers use to start a project from, essentially copy & pasting code and running some post-processing scripts.

Users of the archetype are responsible to update the build-time dependencies of their so created projects themself to address any security vulnerabilities, including any maven dependencies, maven plugin dependencies and npm package dependencies. Furthermore and in particular for maven dependencies it is important to understand that they usually describe the minimal API version the code supports at runtime. The dependency versions effectively used at runtime may be newer and not vulnerable. Please always verify any reported vulnerable (transitive) dependencies against the list of bundles deployed at runtime in AEM as a Cloud Services or the currently used Service Pack on AMS or on-prem.

Please continue to report security vulnerabilities to us. However, we use some 3rd party dependencies, which we only have partial control over. For those it is important to report the vulnerabilies directly to the owner or to the contributors of these dependencies. We will update the archetype once the transitive dependencies have been updated, but that may take a considerable amount of time.

In order to update update transitive dependencies, please exclude the vulnerable transitive dependency and declare a more recent version within the project. For example:

```
<dependency>
<groupId>io.wcm</groupId>
<artifactId>io.wcm.testing.aem-mock.junit5</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.7</version>
</dependency>
```
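Review bot: The exclusion-plus-redeclaration pattern at the end of the hunk only covers the one declaring dependency (`io.wcm.testing.aem-mock.junit5`); if the vulnerable artifact is pulled in through several paths, each path needs its own `<exclusion>`, whereas a single entry in `<dependencyManagement>` with `<groupId>commons-io</groupId>`, `<artifactId>commons-io</artifactId>` and `<version>2.7</version>` overrides the transitive version project-wide without any exclusions. Worth mentioning that alternative, and that the outcome should be confirmed with `mvn dependency:tree -Dincludes=commons-io` rather than assumed. The snippet also declares `io.wcm.testing.aem-mock.junit5` without a `<version>`, which only builds if a parent or `<dependencyManagement>` manages that version; a short remark would avoid copy-paste failures. Prose nits in the same hunk: "such as if we update" should read "as if we update", "themself" should be "themselves", "vulnerabilies" is misspelled, and "update update" in the last paragraph is doubled.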
