Adrian Diglio
For the documentation bug, I suggest we add "sbom-tool" prior to the word generate. I understand that how you invoke "sbom-tool" depends on what environment you are running the tool,...
If we changed the requirement to instead read as follows: "Display OSS vulnerabilities in Pull Requests (PRs)", would that meet your needs? This would allow teams to surface vulnerabilities in...
Hi @joshuagl , thanks for this feedback! Here is the proposed updated graphic. Does this work for you?
This was addressed in PR #57
Thanks Josh. We'll open a PR to add this graphic, and then close this Issue. AUD-5 was actually added by accident, so we reversed that change. The community had decided...
Closed with PR
Thanks for this feedback! After discussion from the group today, we do believe that SCA-5 is only about running tools to search for yet-to-be-discovered security issues. However, I can see...
Per discussion on today's call, let's open up a new ossf repo dedicated to building the site. Happy to leverage your help @xee5ch to build the site using GitHub Pages....
Hi Josh, I do think that left-pad is a good example (and is already called out as being mitigated by ING-2, which is part of maturity level 1). Additionally, we...