-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create SECURITY.md #143
Create SECURITY.md #143
Conversation
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard. A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :) With this security policy, we shoot for simplicity: - Support latest, unless there's a very good reason to not. Our package is relatively easy to keep up to date, and we go through great pains to not break the API. As a result, we should be able to put forth an expectation of supporting latest. - Lay out simple instructions for reporting a vulnerability - Mention our cooperation with OpenSSF Scorecard, and make a nod to the fact that our actively maintained score may drop when there's just not much to do with the library.
8444686
to
7e2b96f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved, with a couple grammatical nits
SECURITY.md
Outdated
|
||
One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs, | ||
it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding | ||
to reported exploits. As a result, periods of low active maintance are to be expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"maintenance" is misspelled here
SECURITY.md
Outdated
## Supported Versions | ||
|
||
We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version | ||
(provided it exists) irrespective of whether it was introduced to a prior version. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be "... introduced in a prior version."
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/gofrs/uuid/v5](https://redirect.github.com/gofrs/uuid) | `v5.2.0` -> `v5.3.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgofrs%2fuuid%2fv5/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgofrs%2fuuid%2fv5/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgofrs%2fuuid%2fv5/v5.2.0/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgofrs%2fuuid%2fv5/v5.2.0/v5.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>gofrs/uuid (github.com/gofrs/uuid/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/gofrs/uuid/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/gofrs/uuid/compare/v5.2.0...v5.3.0) #### Summary In this release, we updated the package to participate in OpenSSF Scorecard and tuned several development workflows and added some fuzz tests. Additionally, We added `AtTime` generators for V1, V6, and V7 so that users may generate UUIDs from time stamps. **NOTE** Technically, the additional of the `AtTime` generators is a breaking change to the `Generator` interface. We decided to go with a `minor` update because of the unlikelihood of this interface being implemented by a consumer, and to reduce the impact of releasing a major version for this feature. #### What's Changed - Add "AtTime" generators for V1, V6, and V7 by [@​kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/142](https://redirect.github.com/gofrs/uuid/pull/142) - Fix typo in URL in README by [@​kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/141](https://redirect.github.com/gofrs/uuid/pull/141) - Add OpenSSF Best Practices Badge to README by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/144](https://redirect.github.com/gofrs/uuid/pull/144) - Create SECURITY.md by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/143](https://redirect.github.com/gofrs/uuid/pull/143) - Add OpenSSF Scorecard badge to readme by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/149](https://redirect.github.com/gofrs/uuid/pull/149) - Update fuzz tests to use go fuzz features by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/148](https://redirect.github.com/gofrs/uuid/pull/148) #### New Contributors - [@​ldez](https://redirect.github.com/ldez) made their first contribution in [https://github.com/gofrs/uuid/pull/168](https://redirect.github.com/gofrs/uuid/pull/168) **Full Changelog**: gofrs/uuid@v5.2.0...v5.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Monday" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cozy/cozy-stack). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC43NC4xIiwidXBkYXRlZEluVmVyIjoiMzguNzQuMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard.
A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :)
With this security policy, we shoot for simplicity: