Suggestion: be less prescriptive on where UPD-3 happens

Open joshuagl opened this issue 10 months ago • 2 comments

Is it strictly required that UPD-3 be part of a PR workflow, or is it better to make this requirement more general so that developers are made aware of known vulnerabilities and updates which can remediate them through one or more methods as appropriate for their workflow?

I.e., if notifications are triggered during CI/CD, or as email, or ...

joshuagl avatar Apr 18 '24 14:04 joshuagl

If we changed the requirement to instead read as follows: "Display OSS vulnerabilities in Pull Requests (PRs)", would that meet your needs? This would allow teams to surface vulnerabilities in different ways, so long as they are surfaced at PR time.

adriandiglio avatar Apr 23 '24 19:04 adriandiglio

What about changing it to "Display OSS vulnerabilities in developer contribution flow (i.e. Pull Requests)" ?

That keeps PRs as the primary recommended mechanism, but allows for slightly different (often older or non-git) workflows where the information might be surfaced to a developer by a CI system or otherwise.

I think the important thing is that this information is surfaced to developers before the change is merged?

joshuagl avatar May 01 '24 11:05 joshuagl

This was addressed in PR #57

adriandiglio avatar Aug 27 '24 19:08 adriandiglio