Open Source Security and Compliance 2.8.1 CVE 漏洞风险 CVE Vulnerability Risks Gitee 采用棱镜七彩 FossEye 静态扫描了 1.5 万 个 Gitee 平台上具有代表性的优质推荐开 源项目仓库，结果显示有超过 93% 不存在 CVE 漏洞风险。 Gitee used Prism Seven FossEye to were not at risk for CVE vulnerabilities. 其中，在所有存在 CVE 漏洞风险的项目中，存在一个 CVE 漏洞的占比为 18.51%，存在超 过 10 个 CVE 漏洞的占比 2.58%。 Of the projects with CVE vulnerabilities, 18.51% have one CVE vulnerability, and and 2.58% have more than 10 CVE vulnerabilities. 2.8.3 开源合规情况 Open Source Compliance Gitee 采用棱镜七彩 FossEye 扫描了 1.5 万 个 Gitee 平台上具有代表性的优质推荐开源项 目仓库，结果显示有超过 95% 不存在直接 License 冲突风险。 Gitee used Prismatic

2.8 开源安全与合规 2.8.1 CVE 漏洞风险 Gitee 采用棱镜七彩 FossEye 静态扫描了 1.5 万 个 Gitee 平台上具有代表性的优质推荐开源项目仓库， 结果显示有超过 93% 不存在 CVE 漏洞风险。 其中，在所有存在 CVE 漏洞风险的项目中，存在一个 CVE 漏洞的占比为 18.51%，存在超过 10 个 CVE 漏洞的占比 2.58%。 2021 中国开源年度报告 引发人们对开源安全性问题的探讨。12 月 9 日，Apache Log4j2 被曝出第一个高危漏洞 Log4Shell， 并在此之后持续爆雷，至 12 月 22 日已经发现了第三个高危漏洞 CVE-2021-45105。而由于 Log4j 在国际上的流行度，漏洞带来的安全问题是巨大的。根据谷歌安全团队的统计，截至 2021 年 12 月 16 日， 来自 Maven Central 的 35

间使用的评估平台由Scale AI负责开发。 近日，微软发布了一个补丁，用于修复Secure Boot绕过漏洞。在2023年1月份，微软释出补 丁修复了编号为CVE-2022-21894的漏洞，但 攻击者很快找到了绕过方法。本次释出的补丁 修复了新漏洞CVE-2023-24932。微软称，该 漏洞可能被拥有物理访问系统或管理员权限的 攻击者所利用。该修复措施与许多优先级较高 的Windows修复措施存在显著差异，新补丁不

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.5 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.4 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.3 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.7 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.6 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.9 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner

11.1 Released on March 4th 2022. • Fixed missing sanitizing of arguments to Git and Mercurial - CVE-2022-23915, see GHSA-3872-f48p-pxqj for more details. • Fixed loading fuzzy strings from CSV files All changes in detail. 4.8 Weblate 4.11 Released on February 25th 2022. • Fixes stored XSS - CVE-2022-24710, see GHSA-6jp6-9rf9-gc66 for more details. • Fixed add-on installation using API. • Renamed • Reduced false negatives for unchanged translation check. • Raised bleach dependency to address CVE-2020-6802. • Fixed listing project level changes in history. • Fixed stats invalidation in some corner