Dependency badging #16
On September 7, 2015 3:29:40 PM EDT, enosgit notifications@github.com wrote:
The idea of checking dependencies is already proposed in the "silver" list. I was concerned about making it part of the basic list, because some projects have huge transitive dependencies that make that hard to handle or meet.
I am not suggesting to move it to the basic list, but only that dependencies which have already achieved a badge may not need to be checked for vulnerabilities (although the fact that the badge is self-issued may pose limitations).
On September 7, 2015 11:37:57 PM EDT, enosgit notifications@github.com wrote:
Hmm. Tools like dependency check from owasp do not separate things that way. Also, as you note, the fact that the badges are self-reported means that checking by each project might be the better way to go.
Alright thanks, I only wanted to raise the issue. It's a pity though, because it would have contributed to spreading the badge.
I think we should re-examine this in the future (say in a year or 2). I think once the badge becomes more common, and the tools improve, this might be easier to do.
A concept seems to be missing: dependencies which are themselves "badged" would not need to be checked for vulnerabilities. This would render the badging process contagious.