
Update trestle release process to assure OpenSSF best practice regarding CVEs is followed

Status: Open. degenaro opened this issue 5 months ago • 1 comment

Issue description / feature objectives

Update the trestle release process to assure that the below OpenSSF Best practice is complied with.

OpenSSF Best Practice:

The release notes MUST identify every publicly known run-time vulnerability fixed in this release that already had a CVE assignment or similar when the release was created. This criterion may be marked as not applicable (N/A) if users typically cannot practically update the software themselves (e.g., as is often true for kernel updates). This criterion applies only to the project results, not to its dependencies. If there are no release notes or there have been no publicly known vulnerabilities, choose N/A.

Caveats / Assumptions

None.

Completion Criteria

The release process is augmented with reminder or check or automation that assures the CVE best practice is followed.

degenaro, Sep 06 '24 12:09
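One way to satisfy the "check or automation" completion criterion, as an added example that is not compliance-trestle's own code: a release-gate script that extracts every CVE identifier mentioned in the release notes and fails the release if any CVE recorded as fixed in that release is absent. Where the project obtains the list of fixed CVEs (for example from its published security advisories) is an assumption; the release notes and the CVE identifiers in the sample below are constructed placeholders, not real advisories.

```python
"""Release-notes CVE gate (illustrative; not part of compliance-trestle).

Implements the OpenSSF criterion quoted above: every publicly known run-time
vulnerability fixed in this release that already has a CVE assignment must be
named in the release notes. If nothing with a CVE was fixed, the criterion is
N/A and the gate passes.
"""
import re
import sys
from typing import Iterable

# MITRE CVE identifier syntax: "CVE-" + 4-digit year + 4 or more digits.
# Matched case-insensitively so "cve-2024-..." in hand-written notes still counts.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def cve_ids(text: str) -> set[str]:
    """Return every CVE identifier mentioned in `text`, normalised to upper case."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def missing_from_release_notes(release_notes: str, fixed_cves: Iterable[str]) -> set[str]:
    """CVEs in `fixed_cves` that `release_notes` does not mention.

    `fixed_cves` is assumed to come from the project's own record of fixed
    vulnerabilities (e.g. its security advisories); it is not derived here.
    """
    fixed = {c.strip().upper() for c in fixed_cves if c.strip()}
    return fixed - cve_ids(release_notes)


def check_release(release_notes: str, fixed_cves: Iterable[str]) -> bool:
    """Return True when the notes satisfy the criterion, False otherwise."""
    fixed = list(fixed_cves)
    if not fixed:
        # No CVE-assigned fix in this release: criterion is N/A, gate passes.
        return True
    return not missing_from_release_notes(release_notes, fixed)


# Constructed sample input (placeholder identifiers, not real CVEs).
SAMPLE_NOTES = """\
## v0.0.0 (constructed example)

### Security
- Fixed cve-2024-00001 (placeholder): example hardening of input validation.

### Bug fixes
- Example: corrected a catalog merge edge case.
"""

# Constructed list of CVEs recorded as fixed in this release; the second one
# is deliberately absent from SAMPLE_NOTES so the gate has something to catch.
SAMPLE_FIXED = ["CVE-2024-00001", "CVE-2024-00002"]


def main(argv: list[str]) -> int:
    """Usage: python cve_gate.py RELEASE_NOTES_FILE CVE-ID [CVE-ID ...]

    With no arguments, runs against the constructed sample above.
    """
    if len(argv) >= 2:
        with open(argv[1], encoding="utf-8") as fh:
            notes = fh.read()
        fixed = argv[2:]
    else:
        notes, fixed = SAMPLE_NOTES, SAMPLE_FIXED
    missing = missing_from_release_notes(notes, fixed)
    if missing:
        print("release notes do not mention fixed CVEs:", ", ".join(sorted(missing)))
        return 1
    print("release notes mention every fixed CVE (or none were fixed)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a release workflow, the script's non-zero exit blocks tagging or publishing until the notes are amended; the comparison is done on normalised identifiers so differences in case or surrounding whitespace in the notes do not produce false failures.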