
Create SECURITY.md #751

Merged: 5 commits merged into main from add-security-md, Jan 23, 2024

Conversation

juhoinkinen (Member) commented Dec 11, 2023

It is a good practice to inform how to report vulnerabilities, which is what the SECURITY.md file is for.

I have worded this in the SECURITY.md file:
> However, the dependencies of a given Annif release are pinned only on minor version level

But this is actually not true; [Edited this part to include a true statement.]
There are the following patch-level version pinnings:

  • connexion 2.14.2
  • fasttext 0.9.2
  • lmdb 1.4.1
  • yake 0.4.5

Right now I don't remember why they are pinned to patch level. Need to check that. It would be good if all (security) patches of dependencies could be applied without the need to update the Annif version. Do some of these dependencies have such a backward compatibility policy that conflicts with Annif's policy?

Also reword the bottom list. [Done.]

Also, at the moment the Annif repo has Security advisories enabled (I enabled it when looking at this security reporting a while ago), which allows anyone to give a report by navigating to the Security tab in this repo. Having two reporting ways (finto-posti email and this reporting) can be confusing, so maybe the Security advisories functionality should be disabled.

juhoinkinen (Member, Author) commented

I don't see a reason to have patch-level pinning of dependencies. I propose to pin only the minor version levels:

  • connexion 2.14.2 -> 2.14.*
  • fasttext 0.9.2 -> 0.9.*
  • lmdb 1.4.1 -> 1.4.*
  • yake 0.4.5 -> 0.4.*

This should be done in a separate PR/issue, possibly with the issue #747.
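As an added illustration of the proposal above (example code, not Annif's own tooling): a small checker showing which releases each of the four current patch-level pins admits versus the proposed minor-level pins. The release lists are constructed sample data, not real PyPI history.

```python
"""Which published releases does a dependency pin admit?

Added example for the pinning proposal in this thread, not Annif's own tooling.
Handles only the two PEP 440 pin forms used here (exact ``==X.Y.Z`` and
``==X.Y.*``); release lists are constructed sample data, not PyPI history.
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.14.3' into (2, 14, 3); pre-release and local tags are not handled."""
    return tuple(int(part) for part in text.split("."))


def pin_admits(pin: str, version: str) -> bool:
    """True if ``version`` satisfies ``pin`` (``==X.Y.Z`` or ``==X.Y.*``)."""
    if not pin.startswith("=="):
        raise ValueError(f"only '==' pins are handled: {pin!r}")
    spec = pin[2:]
    if spec.endswith(".*"):
        # Prefix match: any release sharing the major.minor prefix qualifies.
        prefix = parse_version(spec[:-2])
        return parse_version(version)[: len(prefix)] == prefix
    return parse_version(version) == parse_version(spec)


def admitted_releases(pin: str, releases: list[str]) -> list[str]:
    """Subset of ``releases`` installable under ``pin``, in the given order."""
    return [r for r in releases if pin_admits(pin, r)]


# The four patch-level pins named in the thread and their proposed replacements.
CURRENT_PINS = {"connexion": "==2.14.2", "fasttext": "==0.9.2",
                "lmdb": "==1.4.1", "yake": "==0.4.5"}
PROPOSED_PINS = {"connexion": "==2.14.*", "fasttext": "==0.9.*",
                 "lmdb": "==1.4.*", "yake": "==0.4.*"}

# Constructed lists: a later patch release (where a fix would land) plus a minor bump.
SAMPLE_RELEASES = {
    "connexion": ["2.14.1", "2.14.2", "2.14.3", "2.15.0"],
    "fasttext": ["0.9.1", "0.9.2", "0.9.3", "0.10.0"],
    "lmdb": ["1.4.0", "1.4.1", "1.4.2", "1.5.0"],
    "yake": ["0.4.4", "0.4.5", "0.4.6", "0.5.0"],
}


def compare_pins(name: str) -> tuple[list[str], list[str]]:
    """Releases admitted by the current pin vs. by the proposed minor-level pin."""
    releases = SAMPLE_RELEASES[name]
    return (admitted_releases(CURRENT_PINS[name], releases),
            admitted_releases(PROPOSED_PINS[name], releases))
```

For connexion, `compare_pins("connexion")` returns `(["2.14.2"], ["2.14.1", "2.14.2", "2.14.3"])`: the patch-level pin would block a hypothetical 2.14.3 security fix, while the minor-level pin admits it and still excludes 2.15.0.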

juhoinkinen (Member, Author) commented

Gunicorn is about to set up a security policy too, either via SECURITY.md or the Security advisories / Private Vulnerability Reporting: benoitc/gunicorn#3106

We could wait and see what their solution will be.

codecov bot commented Jan 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a501e53) 99.67% compared to head (f4046c2) 99.67%.
Report is 5 commits behind head on main.

❗ Current head f4046c2 differs from pull request most recent head 058fd63. Consider uploading reports for the commit 058fd63 to get more accurate results

@@           Coverage Diff           @@
##             main     #751   +/-   ##
=======================================
  Coverage   99.67%   99.67%           
=======================================
  Files          89       89           
  Lines        6404     6404           
=======================================
  Hits         6383     6383           
  Misses         21       21           


juhoinkinen (Member, Author) commented

I asked for a review from ChatGPT and addressed the good comments.

But this is actually not true; there are the following patch-level version pinnings:

  • connexion 2.14.2
  • fasttext 0.9.2
  • lmdb 1.4.1
  • yake 0.4.5

For this, I reworded the relevant part: "...note that most of the dependencies of a given Annif release are pinned only on minor version level...".

@juhoinkinen juhoinkinen marked this pull request as ready for review January 22, 2024 15:05
sonarcloud bot commented Jan 23, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication


@juhoinkinen juhoinkinen merged commit b7ecfd2 into main Jan 23, 2024
10 of 11 checks passed
@juhoinkinen juhoinkinen deleted the add-security-md branch January 23, 2024 08:07