Monitor third-party dependencies for vulnerabilities

In addition to addressing security vulnerabilities in its own software, Perforce monitors third-party dependencies for security vulnerabilities to help address issues in a timely manner. Perforce also monitors end-of-life schedules for third-party dependencies to help keep them current. You can retrieve a list of the third-party software licenses that P4 Server uses by running the p4 help legal command.

Perforce publishes a common vulnerabilities and exposures (CVE) list for vulnerabilities found in Perforce-maintained code and components. These CVEs apply only to Perforce products and do not include vulnerabilities in third-party software that is not maintained by Perforce.

You can filter the common list to view only the CVEs specific to P4; see Security CVEs P4. For details about CVE fixes, see the product release notes.

If a Software Bill of Materials (SBOM) containing more information about the third-party software is required, contact the Perforce Security team at security@perforce.com.

To help avoid security issues, ensure that your Perforce software is current. For a list of currently supported releases, see P4 End of Life (EOL) Schedule.