
Upload the Trail of Bits public security assessment report #94

Merged (2 commits), Jul 28, 2022

Conversation

ESultanik (Contributor)

@ESultanik ESultanik changed the title Upload the Trail of Bits public security assessment report Upload the Trail of Bits public security assessment report (WIP) Jul 26, 2022
@ESultanik ESultanik marked this pull request as draft July 26, 2022 21:23
Signed-off-by: Evan Sultanik <evan.sultanik@trailofbits.com>
@ESultanik ESultanik changed the title Upload the Trail of Bits public security assessment report (WIP) Upload the Trail of Bits public security assessment report Jul 26, 2022
@ESultanik ESultanik marked this pull request as ready for review July 26, 2022 21:25
codecov bot commented Jul 27, 2022

Codecov Report

Merging #94 (535a715) into main (689f87f) will increase coverage by 0.29%.
The diff coverage is n/a.

❗ Current head 535a715 differs from pull request most recent head 6db24d3. Consider uploading reports for the commit 6db24d3 to get more accurate results

@@            Coverage Diff             @@
##             main      #94      +/-   ##
==========================================
+ Coverage   89.48%   89.78%   +0.29%     
==========================================
  Files          10       10              
  Lines        1018     1018              
==========================================
+ Hits          911      914       +3     
+ Misses         72       69       -3     
  Partials       35       35              
Impacted Files Coverage Δ
headers.go 93.05% <0.00%> (+0.90%) ⬆️


@qmuntal (Contributor) left a comment

Great!

@yogeshbdeshpande (Contributor) left a comment

LGTM!

@SteveLasker (Contributor)

Thanks @ESultanik,
The report looks great, and appreciate the links in the doc to the mitigated high and low issues that were identified.
One minor formatting, ownership request:
While Microsoft commissioned the report and is supporting the veraison project, the report should reflect the veraison/go-cose project maintainers to properly give credit to the folks at ARM that initiated the effort.

Page 11
s/go-cose: Microsoft’s COSE implementation in Go.
r/The veraison project, go-cose implementation in Go.

Page 19
s/The Microsoft go-cose library is a work in progress with continuous development. Trail of Bits recommends that Microsoft address the findings detailed in this report and take the following additional steps prior to deployment:

r/The veraison/go-cose library is a work in progress with continuous development. Trail of Bits recommends the veraison project address the findings detailed in this report and take the following additional steps prior to deployment:

@ESultanik (Contributor, Author)

No problem, we will update the report and tag you here when it's ready.

Signed-off-by: Evan Sultanik <evan.sultanik@trailofbits.com>
@ESultanik (Contributor, Author) commented Jul 27, 2022

@SteveLasker I just pushed an updated version of the report. I didn't rebase this branch, so the old version is still in the git history. Let me know if you'd rather I do a rebase.

@SteveLasker (Contributor) left a comment

Thanks, @ESultanik for the updates and to the Trail of Bits team for the thorough review.

@SteveLasker SteveLasker merged commit b44ee38 into veraison:main Jul 28, 2022