The most recent Annif major/minor release is considered supported, in the sense that if a serious bug or vulnerability is encountered in it, we relase a patch to fix the issue.

Generally, we aim to update all dependencies to their latest versions on each Annif major/minor release. However, note that most of the dependencies of a given Annif release are pinned only on minor version level, so patch level fixes of (most) dependencies can be applied to an Annif installation, by either manually updating the outdated packages or recreating the virtual environment from scratch and reinstalling Annif.

We rebuild and publish a new Docker image of the latest Annif release in the quay.io repository when it is considered necessary in order to update both system packages and Annif dependencies of the image. A new image is published about once every month.

The security scanner that is used on quay.io is Clair. You can see the vulnerabilities detected in an image by navigating via the link in the Security Scan column of the tags view, see the screenshot below.

The scanner typically detects many vulnerabilities, that is several tens, in the packages of the images, even when they have been rebuild recently. However, there exist patches for only some of the vulnerabilities, and due to the way that Annif uses the dependencies, most of the detected vulnerabilities do not apply to Annif use.

We value your findings, and we would be grateful if you report any concerns or vulnerabilities by email to finto-posti@helsinki.fi. Do not create a GitHub issue for security vulnerabilities. Note that Annif team is a part of the larger Finto team, which has resources for the contact service throughout the year.

If the security vulnerability is in a third-party software library, please report it also to the team maintaining it.

Each security concern will be assigned to a handler from our team, who will contact you if there is a need for additional information. We confirm the problem and keep you informed of the fix.

To facilitate a quick and accurate response make sure to include the following details when submitting your report:

• A clear and descriptive title that outlines the report's subject and the software it pertains to (Annif).
• The version(s) of Annif, its dependencies and the (possible) other related software that contribute to the vulnerability.
• Break down the technical aspects of the vulnerability in your description.
• A minimal example showcasing the vulnerability.
• An explanation who has the potential to exploit this vulnerability and the benefits they would derive from doing so.
• Whether the vulnerability is public knowledge or known to third parties, and if so, share relevant details.
• (A remediation suggestion if you have have one.)