From 3074be8d17b99188baa3c721c5dd1277e3036f09 Mon Sep 17 00:00:00 2001
From: Alexey Milovidov
Date: Thu, 26 May 2022 22:19:15 +0200
Subject: [PATCH 1/4] Add security generator
---
 utils/security-generator/SECURITY.md.sh | 80 +++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100755 utils/security-generator/SECURITY.md.sh
diff --git a/utils/security-generator/SECURITY.md.sh b/utils/security-generator/SECURITY.md.sh
new file mode 100755
index 00000000000..c8b8840b07d
--- /dev/null
+++ b/utils/security-generator/SECURITY.md.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# This is a script to automate the SECURITY.md generation in the repository root.
+# The logic is the following:
+# We support the latest ClickHouse Y.M stable release,
+# the two releases before the latest stable,
+# and the two latest LTS releases (which may be already included by the criteria above).
+# The LTS releases are every Y.3 and Y.8 stable release.
+
+echo "
+# Security Policy
+
+## Security Announcements
+Security fixes will be announced by posting them in the [security changelog](https://clickhouse.com/docs/en/whats-new/security-changelog/).
+
+## Scope and Supported Versions
+
+The following versions of ClickHouse server are currently being supported with security updates:
+"
+
+clickhouse-local --query "
+SELECT
+ concat(CAST(y, 'String'), '.', if(y < ((toYear(today()) - 2000) - 1), '*', CAST(m, 'String'))) AS Version,
+ if((n <= 3) OR (is_lts AND (lts_n <= 2)), '✔️', 'x') AS Supported
+FROM
+(
+ SELECT
+ y,
+ m,
+ count() OVER (ORDER BY y DESC, m DESC) AS n,
+ m IN (3, 8) AS is_lts,
+ countIf(is_lts) OVER (ORDER BY y DESC, m DESC) AS lts_n
+ FROM
+ (
+ WITH
+ extractGroups(version, 'v(\\d+).(\\d+)') AS v,
+ CAST(v[1], 'UInt8') AS y,
+ CAST(v[2], 'UInt8') AS m
+ SELECT
+ y,
+ m
+ FROM file('$(dirname "${BASH_SOURCE[0]}")/../list-versions/version_date.tsv', TSV, 'version String, date String')
+ ORDER BY
+ y DESC,
+ m DESC
+ LIMIT 1 BY
+ y,
+ m
+ )
+)
+LIMIT 1 BY Version
+FORMAT Markdown"
+
+echo "
+## Reporting a Vulnerability
+
+We're extremely grateful for security researchers and users that report vulnerabilities to the ClickHouse Open Source Community. All reports are thoroughly investigated by developers.
+
+To report a potential vulnerability in ClickHouse please send the details about it to [security@clickhouse.com](mailto:security@clickhouse.com).
+
+### When Should I Report a Vulnerability?
+
+- You think you discovered a potential security vulnerability in ClickHouse
+- You are unsure how a vulnerability affects ClickHouse
+
+### When Should I NOT Report a Vulnerability?
+
+- You need help tuning ClickHouse components for security
+- You need help applying security related updates
+- Your issue is not security related
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by ClickHouse maintainers within 5 working days.
+As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.
+
+## Public Disclosure Timing
+
+A public disclosure date is negotiated by the ClickHouse maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days.
+"
From 359e36f42179704257ae0e6d5533e2d5124f39f6 Mon Sep 17 00:00:00 2001
From: Alexey Milovidov
Date: Thu, 26 May 2022 22:21:49 +0200
Subject: [PATCH 2/4] Readability
---
 utils/security-generator/SECURITY.md.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/utils/security-generator/SECURITY.md.sh b/utils/security-generator/SECURITY.md.sh
index c8b8840b07d..71a7275c2ca 100755
--- a/utils/security-generator/SECURITY.md.sh
+++ b/utils/security-generator/SECURITY.md.sh
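Review bot: The script has no `set -euo pipefail` after the shebang, so when `clickhouse-local` fails (binary not on PATH, TSV unreadable, query error) the script still exits 0 and the two `echo` blocks are emitted as a SECURITY.md whose supported-versions table is missing; add `set -euo pipefail` as the line after `#!/bin/bash`. The directory from `${BASH_SOURCE[0]}` is spliced into the SQL string literal passed to `file(...)`, so a checkout path containing a single quote or a backslash silently breaks or alters the query; a `cd "$(dirname "${BASH_SOURCE[0]}")"` before the query and a fixed relative path inside `file()` avoids the interpolation. Minor: in `extractGroups(version, 'v(\\d+).(\\d+)')` the `.` is unescaped and matches any character, so `'v(\\d+)\\.(\\d+)'` states the intent.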
@@ -20,8 +20,8 @@ The following versions of ClickHouse server are currently being supported with s
 
 clickhouse-local --query "
 SELECT
- concat(CAST(y, 'String'), '.', if(y < ((toYear(today()) - 2000) - 1), '*', CAST(m, 'String'))) AS Version,
- if((n <= 3) OR (is_lts AND (lts_n <= 2)), '✔️', 'x') AS Supported
+ y::String || '.' || (y < toYear(today()) - 2000 - 1 ? '*' : m::String) AS Version
+ (n <= 3 OR (is_lts AND lts_n <= 2)) ? '✔️' : 'x' AS Supported
 FROM
 (
 SELECT
@@ -34,8 +34,8 @@ FROM
 (
 WITH
 extractGroups(version, 'v(\\d+).(\\d+)') AS v,
- CAST(v[1], 'UInt8') AS y,
- CAST(v[2], 'UInt8') AS m
+ v[1]::UInt8 AS y,
+ v[2]::UInt8 AS m
 SELECT
 y,
 m
From 434d8729dec29b9ce600e631949596b05657263c Mon Sep 17 00:00:00 2001
From: Alexey Milovidov
Date: Thu, 26 May 2022 22:22:14 +0200
Subject: [PATCH 3/4] Readability
---
 utils/security-generator/SECURITY.md.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/security-generator/SECURITY.md.sh b/utils/security-generator/SECURITY.md.sh
index 71a7275c2ca..fbb22b4a2ce 100755
--- a/utils/security-generator/SECURITY.md.sh
+++ b/utils/security-generator/SECURITY.md.sh
@@ -20,7 +20,7 @@ The following versions of ClickHouse server are currently being supported with s
 
 clickhouse-local --query "
 SELECT
- y::String || '.' || (y < toYear(today()) - 2000 - 1 ? '*' : m::String) AS Version
+ y::String || '.' || (y < toYear(today()) - 2000 - 1 ? '*' : m::String) AS Version,
 (n <= 3 OR (is_lts AND lts_n <= 2)) ? '✔️' : 'x' AS Supported
 FROM
 (
From aeacfa0d7ecfc59af7bf9d4958245fd373f81e45 Mon Sep 17 00:00:00 2001
From: Alexey Milovidov
Date: Thu, 26 May 2022 22:23:37 +0200
Subject: [PATCH 4/4] Readability
---
 utils/security-generator/SECURITY.md.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/security-generator/SECURITY.md.sh b/utils/security-generator/SECURITY.md.sh
index fbb22b4a2ce..97c696c1227 100755
--- a/utils/security-generator/SECURITY.md.sh
+++ b/utils/security-generator/SECURITY.md.sh
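Review bot: The rewritten `Version` and `Supported` lines now express the support policy only through ClickHouse-specific precedence-sensitive syntax (`?:`, `::`, `||`), and nothing in the query says that the `y < toYear(today()) - 2000 - 1` branch collapses every release older than last year into a single `Y.*` row, or what `n` and `lts_n` rank. A two-line SQL comment above `SELECT` would carry that: `-- n: rank by recency; lts_n: rank among LTS (Y.3 / Y.8) releases` and `-- years before last year are folded into one Y.* row`. The enclosing clickhouse-local query starts and ends outside this hunk.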
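Review bot: `v[1]::UInt8` and `v[2]::UInt8` in hunk `@@ -34,8 +34,8 @@` abort the whole query when a row of version_date.tsv does not match the `v(\\d+).(\\d+)` pattern, because `extractGroups` then yields an empty array and, as far as I can tell from ClickHouse's CAST semantics, the empty-string element does not cast to UInt8 — worth confirming. If the TSV can ever carry a tag that is not `vY.M...`, `toUInt8OrNull(v[1]) AS y` together with a `WHERE notEmpty(v)` filter would skip that row instead of failing SECURITY.md generation with an exit status the script does not check. The enclosing query starts and ends outside this hunk.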
@@ -21,7 +21,7 @@ The following versions of ClickHouse server are currently being supported with s
 clickhouse-local --query "
 SELECT
 y::String || '.' || (y < toYear(today()) - 2000 - 1 ? '*' : m::String) AS Version,
- (n <= 3 OR (is_lts AND lts_n <= 2)) ? '✔️' : 'x' AS Supported
+ (n <= 3 OR (is_lts AND lts_n <= 2)) ? '✔️' : '❌' AS Supported
 FROM
 (
 SELECT