
Dependency badging #16

Closed
ghost opened this issue Sep 7, 2015 · 5 comments
Comments

@ghost

ghost commented Sep 7, 2015

A concept seems to be missing: dependencies which are themselves "badged" would not need to be checked for vulnerabilities. This would render the badging process contagious.

@david-a-wheeler
Collaborator

On September 7, 2015 3:29:40 PM EDT, enosgit notifications@github.com wrote:

A concept seems to be missing: dependencies that themselves are "badged"
do not need to be checked for vulnerabilities. This would render the
badging process contagious.

The idea of checking dependencies is already proposed in the "silver" list. I was concerned about making it part of the basic list, because some projects have huge transitive dependencies that make that hard to handle or meet.
--- David A. Wheeler

@ghost
Author

ghost commented Sep 8, 2015

I am not suggesting moving it to the basic list, but only that dependencies which have already achieved a badge may not need to be checked for vulnerabilities (although the fact that the badge is self-issued may pose limitations).

@david-a-wheeler
Collaborator

On September 7, 2015 11:37:57 PM EDT, enosgit notifications@github.com wrote:

I am not suggesting moving it to the basic list, but only that
dependencies which have already achieved a badge may not need to be
checked for vulnerabilities (although the fact that the badge is
self-issued may pose limitations).

Hmm. Tools like Dependency-Check from OWASP do not separate things that way. Also, as you note, the fact that the badges are self-reported means that checking by each project might be the better way to go.
--- David A. Wheeler

@ghost
Author

ghost commented Sep 8, 2015

Alright, thanks, I only wanted to raise the issue. It's a pity, though, because it would have contributed to spreading the badge.

@ghost ghost closed this as completed Sep 8, 2015
@david-a-wheeler
Collaborator

I think we should re-examine this in the future (say in a year or 2). I think once the badge becomes more common, and the tools improve, this might be easier to do.
