
Create SECURITY.md #143

Merged
merged 2 commits into from
May 13, 2024

Conversation

cameracker
Collaborator

This PR creates a security policy based off of recommendations from the OpenSSF Scorecard.

A security policy may seem gratuitous, but it's worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean it's immune from vulnerabilities or security issues :)

With this security policy, we shoot for simplicity:

  • Support latest, unless there's a very good reason to not. Our package is relatively easy to keep up to date, and we go through great pains to not break the API. As a result, we should be able to put forth an expectation of supporting latest.
  • Lay out simple instructions for reporting a vulnerability
  • Mention our cooperation with OpenSSF Scorecard, and make a nod to the fact that our actively maintained score may drop when there's just not much to do with the library.

@cameracker cameracker force-pushed the cameracker-security-policy branch from 8444686 to 7e2b96f on May 13, 2024 03:34
@dylan-bourque dylan-bourque left a comment

Approved, with a couple grammatical nits

SECURITY.md Outdated

One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs,
it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding
to reported exploits. As a result, periods of low active maintance are to be expected.

"maintenance" is misspelled here

SECURITY.md Outdated
## Supported Versions

We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version
(provided it exists) irrespective of whether it was introduced to a prior version.

Should be "... introduced in a prior version."

@cameracker cameracker merged commit 2419b93 into master May 13, 2024
4 checks passed
@cameracker cameracker deleted the cameracker-security-policy branch May 13, 2024 04:01
nono referenced this pull request in cozy/cozy-stack Sep 16, 2024
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/gofrs/uuid/v5](https://redirect.github.com/gofrs/uuid) | `v5.2.0` -> `v5.3.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgofrs%2fuuid%2fv5/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgofrs%2fuuid%2fv5/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgofrs%2fuuid%2fv5/v5.2.0/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgofrs%2fuuid%2fv5/v5.2.0/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>gofrs/uuid (github.com/gofrs/uuid/v5)</summary>

### [`v5.3.0`](https://redirect.github.com/gofrs/uuid/releases/tag/v5.3.0)

[Compare Source](https://redirect.github.com/gofrs/uuid/compare/v5.2.0...v5.3.0)

#### Summary

In this release, we updated the package to participate in OpenSSF Scorecard, tuned several development workflows, and added some fuzz tests. Additionally, we added `AtTime` generators for V1, V6, and V7 so that users may generate UUIDs from timestamps.

**NOTE** Technically, the addition of the `AtTime` generators is a breaking change to the `Generator` interface. We decided to go with a `minor` update because of the unlikelihood of this interface being implemented by a consumer, and to reduce the impact of releasing a major version for this feature.

#### What's Changed

- Add "AtTime" generators for V1, V6, and V7 by [@kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/142](https://redirect.github.com/gofrs/uuid/pull/142)
- Fix typo in URL in README by [@kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/141](https://redirect.github.com/gofrs/uuid/pull/141)
- Add OpenSSF Best Practices Badge to README by [@cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/144](https://redirect.github.com/gofrs/uuid/pull/144)
- Create SECURITY.md by [@cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/143](https://redirect.github.com/gofrs/uuid/pull/143)
- Add OpenSSF Scorecard badge to readme by [@cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/149](https://redirect.github.com/gofrs/uuid/pull/149)
- Update fuzz tests to use go fuzz features by [@cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/148](https://redirect.github.com/gofrs/uuid/pull/148)

#### New Contributors

- [@ldez](https://redirect.github.com/ldez) made their first contribution in [https://github.com/gofrs/uuid/pull/168](https://redirect.github.com/gofrs/uuid/pull/168)

**Full Changelog**: gofrs/uuid@v5.2.0...v5.3.0

</details>
