[eclipse.org-architecture-council] Next week's Architecture council agenda @EclipseCon

In both MicroProfile and Jakarta EE, someone suggested that maintenance releases are required for CVEs from 3rd-party dependencies. The community was not sure whether such releases were required, as a big-scale release very likely impacts the current release roadmap. For example, do we need to push back Jakarta EE 11 but release Jakarta EE 10.0.1 to consume the latest version of the plugins, which has some CVEs?

In next week's Architecture Council meeting, I would like to discuss some CVE management policies for specifications under the EF, in particular Jakarta EE and MicroProfile.

In more detail, Jakarta EE and MicroProfile pull in some plugins for tests or doc generation. Some plugins might have some CVEs. I have the following questions:
1. Is there an automated process to list all CVEs and then notify about plugin version updates?
2. After updating to a recent version of the plugins, does the specification project have to do an immediate release to pick up the latest version of a plugin?
3. Would the previous version of the specification also need to do a patch release to update the plugin versions?

This might be related to the SBOM issue mentioned by Wayne. I would like us to think about this and then get together to discuss in more detail next week.

--
Thanks
Emily
