security-reviews
A community collection of security reviews of open source software components.
Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.9.9 to 0.10.1. Release notes Sourced from packageurl-python's releases. 0.10.0 (Jun 27 2022) What's Changed Upgrade virtualenv.pyz to latest version #85 Replace Travis CI by GitHub Actions...
We should sort: https://github.com/ossf/security-reviews/blob/main/Overview.md Maybe by package name?
I really like the idea of sharing security audit reports: it's both useful to 1) learn common mistakes to avoid and 2) assess the security practices of projects. I work...
Here is a link to the PDF -- good guidance for using Kubernetes securely. https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
Just in regards to https://github.com/ossf/Project-Security-Reviews#removing-a-security-review This is quite interesting, if someone posts sensitive detail (like a vuln) that is under embargo / unreported it will be in git history. You...
The NPM Security Advisories database is available on GitHub (as structured data) at https://github.com/nodejs/security-advisories. We should consider whether periodically refreshing this content would be a good idea.
The project should consider adding PR criteria including process criteria like maintainer diversity and minimum duration for receiving feedback. The goal should be to set a bar for valuable content...
I know that it may be a trivial question, but what do we mean by "undisclosed security vulnerability"? Do we mean that the vulnerability has no CVE ID and...
We should conduct a tabletop exercise for different review scenarios, including: - Normal Review -> Someone submits a review PR, which gets reviewed, and then merged. - Disputed Review ->...
We need to describe the dispute process / workflow. If someone disagrees with a review (meaning, it conflicts with the OpenSSF code of conduct, contains false or misleading material, is...