transparency-exchange-api

Add option for TEA service in security insights

Open oej opened this issue 11 months ago • 1 comments

https://github.com/ossf/security-insights-spec

oej, Jan 02 '25 12:01

Nice finding! :100:

I think that there are many concepts that should be coordinated/synchronized between TEA and the Security Insights Specification.

By looking rapidly at the specification:

  • It is not clear to me what the TEA object corresponding to project is. Since the SIS project has a vulnerability-reporting.reports-accepted property and major versions of a project can drop security support at different times, I think that SIS project corresponds to TEA product (Acme 1.x, Acme 2.x, etc.).
  • The SIS repository, on the other hand, seems to correspond to a property of a TEA leaf.

ppkarwasz, Jan 03 '25 10:01