Add Dynamic Code Analysis to commits #12
caniszczyk added a commit to oras-project/oras-go that referenced this issue on Jan 25, 2022:
Closes oras-project/community#12 Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
It's fairly easy to add CodeQL, something like oras-project/oras-go#105
On Tue, Jan 25, 2022 at 3:19 PM Steve Lasker wrote:
It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. [dynamic_analysis]
A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.
--
Cheers,
Chris Aniszczyk
https://aniszczyk.org
Thanks, @caniszczyk, I'm cranking through the lists, adding the todos.
shizhMSFT pushed a commit to oras-project/oras-go that referenced this issue on May 26, 2022:
Closes oras-project/community#12 Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
shizhMSFT pushed a commit to oras-project/oras-go that referenced this issue on Jun 7, 2022:
Closes oras-project/community#12 Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
shizhMSFT pushed a commit to oras-project/oras-go that referenced this issue on Jun 7, 2022:
Closes oras-project/community#12 Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. [dynamic_analysis]
A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.
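As an added example (not code from oras-go or from this issue), this is the shape of harness the [dynamic_analysis] criterion has in mind for a Go project: a native Go fuzz target that varies the input to a parser and checks an invariant on every generated case. The Reference type, the "registry/repository:tag" parser and the seed strings are constructed for illustration; the parser is deliberately naive so that an input such as "h/a:b:c" gives the fuzzer a defect to surface.

```go
package main

import (
	"fmt"
	"strings"
	"testing"
)

// Reference is a hypothetical "registry/repository:tag" value; not oras-go's own type.
type Reference struct{ Registry, Repository, Tag string }

// ParseReference is deliberately naive: cutting the tag at the last ':' lets a ':'
// survive inside Repository, which is the kind of defect a fuzzer should surface.
func ParseReference(s string) (Reference, error) {
	slash := strings.Index(s, "/")
	colon := strings.LastIndex(s, ":")
	if slash <= 0 || colon <= slash+1 || colon == len(s)-1 {
		return Reference{}, fmt.Errorf("invalid reference %q", s)
	}
	return Reference{s[:slash], s[slash+1 : colon], s[colon+1:]}, nil
}

func (r Reference) String() string { return r.Registry + "/" + r.Repository + ":" + r.Tag }

// CheckInvariants is the property checked on every generated input: rejecting input
// is fine, but accepted input must not leave a ':' inside the repository name.
func CheckInvariants(in string) error {
	ref, err := ParseReference(in)
	if err != nil {
		return nil
	}
	if strings.Contains(ref.Repository, ":") {
		return fmt.Errorf("repository %q contains ':'", ref.Repository)
	}
	return nil
}

// FuzzParseReference is the dynamic-analysis harness; put it in a _test.go file and
// run: go test -fuzz=FuzzParseReference -fuzztime=30s
func FuzzParseReference(f *testing.F) {
	for _, seed := range []string{"localhost:5000/hello:v1", "ghcr.io/org/repo:latest", "nohost"} {
		f.Add(seed) // seed corpus; the engine mutates these
	}
	f.Fuzz(func(t *testing.T, in string) {
		if err := CheckInvariants(in); err != nil {
			t.Fatal(err) // e.g. "h/a:b:c" parses with repository "a:b"
		}
	})
}

func main() { fmt.Println(CheckInvariants("h/a:b:c")) }
```

Failing inputs are written to testdata/fuzz/FuzzParseReference and replayed by plain `go test`, which is what turns a fuzzing run into a regression check on later commits.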