This document includes information about the vulnerability reporting, patch, release, and disclosure processes, as well as general security posture for CanScan.
- Supported Versions
- Reporting a Vulnerability
- When Should I Report a Vulnerability?
- When Should I NOT Report a Vulnerability?
- Vulnerability Response
- Security Release & Disclosure Process
- Security Posture
- Security Team
- Security Policy Updates
## Supported Versions

The following versions are currently supported and receive security updates.
| Version | Supported |
|---|---|
| >=1.1.0.0 | ✅ |
| <1.1.0.0 | ❌ |
## Reporting a Vulnerability

Vulnerabilities are reported privately via GitHub's Security Advisories feature.

Report a vulnerability for CanScan
## When Should I Report a Vulnerability?

- You discovered a potential security vulnerability in CanScan.
- You are unsure how a vulnerability affects the application.
- You found a vulnerability in a dependency (e.g., ZXing, FlatLaf, LGoodDatePicker) as used by CanScan.
## When Should I NOT Report a Vulnerability?

- You need help with the Java installation or running the JAR.
- Your issue is a general bug (e.g., a UI glitch) that does not affect data integrity or security.
## Vulnerability Response

Each report is acknowledged within 14 days. Any information shared stays within the CanScan project security team.
## Security Release & Disclosure Process

Fixes are developed in temporary private forks.

Vulnerabilities are disclosed publicly as GitHub Security Advisories.
## Security Posture

We use the following tools and practices to ensure CanScan security:
- Static Analysis: SpotBugs and SonarCloud integration.
- Code Quality: Checkstyle and Spotless formatting.
- Dependency Tracking: Regular updates of Maven dependencies.
- Testing: JUnit 5 and Mockito with JaCoCo coverage.
## Security Team

- Lob2018 (@Lob2018)
## Security Policy Updates

Changes to this policy are reviewed and approved by the Security Team.