Create guidance on triaging build time dependency vulnerabilities #855
Comments
Also make sure the time of the attestation is present. New information may change outcomes of the process.
I'll try to write up my notes and thoughts on this; I'm currently digging a bit deeper in the Rust ecosystem for this.
This could become a document to put under https://github.com/cncf/tag-security/tree/main/project-resources!
Would love to see what you come up with. As the ecosystem evolves, I'll add guidance on SBOM integration with CVEs and VEX.
On Mon, Feb 7, 2022 at 7:21 AM Brandon Lum wrote:
This could become a document to put under https://github.com/cncf/tag-security/tree/main/project-resources!
--
Frederick F. Kautz IV
Hi all, apologies for the long delay. I've made a markdown version with some guidance on build-time dependency vulnerabilities available here. Feel free to comment/modify as you please. It's fairly short; I wasn't sure just how much to go into detail and where.
This is awesome @ionut-arm! Would you like to create a PR for this to the repo? This is definitely something the community at large can benefit from! It would be easier to get comments too!
Alright, I have finally opened that PR, many apologies for the delay.
This issue has been automatically marked as inactive because it has not had recent activity.
#887 merged |
Description: Vulnerability scanners detect CVEs in build-time dependencies, but best practices for triaging these vulnerabilities are unclear.
Impact: Adding docs, based on experiences and anecdotes, that many projects can follow would be useful.
Scope: Write best practices with examples like:
Meeting minutes where this was discussed: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.bssmkroi6sff and youtube recording: https://www.youtube.com/watch?v=MBHdvYW6YjI
cc @anvega @lumjjb @fkautz @ionut-arm
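The triage the issue asks for, as an added example that is not part of the issue, the thread, or the tag-security repository: a small Python script that joins scanner findings to the dependency kind recorded in the SBOM (Cargo-style normal/build/dev, a constructed simplification) and to VEX statements. It only honours VEX statements that carry a timestamp and lets the newest one win, which is the point raised above that the time of the attestation must be present because new information can change the outcome. Every component name, version, VULN-n identifier and VEX statement below is a constructed placeholder, not a real vulnerability or a real advisory.

```python
"""Triage CVE findings by dependency kind and dated VEX statements (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    kind: str  # "normal" (shipped at runtime), "build" (build scripts/tooling), "dev" (tests only)


@dataclass(frozen=True)
class Finding:
    vuln_id: str  # placeholder identifier, not a real CVE
    name: str
    version: str


@dataclass(frozen=True)
class VexStatement:
    vuln_id: str
    name: str
    version: str
    status: str  # "affected", "not_affected", "fixed", "under_investigation"
    timestamp: Optional[datetime]  # None models a statement that omits its time


def latest_valid_vex(vex, finding):
    """Newest dated VEX statement for this finding; undated statements are ignored."""
    matching = [
        s for s in vex
        if s.vuln_id == finding.vuln_id
        and s.name == finding.name
        and s.version == finding.version
        and s.timestamp is not None
    ]
    if not matching:
        return None
    return max(matching, key=lambda s: s.timestamp)


def triage_one(finding, deps_by_key, vex):
    """Decide what to do with one finding. Rules are an assumption, not the repo's guidance."""
    dep = deps_by_key.get((finding.name, finding.version))
    if dep is None:
        return "unmatched: component not in SBOM, re-check scanner input"
    stmt = latest_valid_vex(vex, finding)
    if stmt is not None and stmt.status in ("not_affected", "fixed"):
        return f"suppressed: VEX {stmt.status} as of {stmt.timestamp.date().isoformat()}"
    if dep.kind == "dev":
        return "low: test-only dependency, not shipped"
    if dep.kind == "build":
        return "review: build-time dependency, confirm build output is unaffected"
    return "fix: runtime dependency"


def triage(findings, deps, vex):
    """Map 'VULN:name@version' to a triage decision for every finding."""
    deps_by_key = {(d.name, d.version): d for d in deps}
    return {f"{f.vuln_id}:{f.name}@{f.version}": triage_one(f, deps_by_key, vex) for f in findings}


# Constructed sample data; crate names are real, versions and vulnerabilities are placeholders.
SAMPLE_DEPS = [
    Dependency("serde", "1.0.0", "normal"),
    Dependency("cc", "1.0.79", "build"),
    Dependency("proptest", "1.0.0", "dev"),
]
SAMPLE_FINDINGS = [
    Finding("VULN-1", "serde", "1.0.0"),
    Finding("VULN-2", "cc", "1.0.79"),
    Finding("VULN-3", "proptest", "1.0.0"),
    Finding("VULN-4", "cc", "1.0.79"),
    Finding("VULN-5", "serde", "1.0.0"),
    Finding("VULN-6", "leftpad", "0.1.0"),
]
T1 = datetime(2022, 2, 1, tzinfo=timezone.utc)
T2 = datetime(2022, 3, 1, tzinfo=timezone.utc)
SAMPLE_VEX = [
    VexStatement("VULN-4", "cc", "1.0.79", "not_affected", T1),
    VexStatement("VULN-5", "serde", "1.0.0", "not_affected", None),  # undated: ignored
    VexStatement("VULN-2", "cc", "1.0.79", "not_affected", T1),
    VexStatement("VULN-2", "cc", "1.0.79", "affected", T2),  # newer statement overrides
]

if __name__ == "__main__":
    for key, decision in triage(SAMPLE_FINDINGS, SAMPLE_DEPS, SAMPLE_VEX).items():
        print(key, "->", decision)
```

VULN-5 shows why the timestamp matters: its not_affected statement has no time, so it cannot be ordered against later information and is not trusted to suppress the finding. VULN-2 shows the reverse, an older not_affected statement superseded by a newer affected one, so the build-time dependency still goes to review.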