Create SECURITY.md #143
Merged
Create SECURITY.md #143
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard. A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :) With this security policy, we shoot for simplicity: - Support latest, unless there's a very good reason to not. Our package is relatively easy to keep up to date, and we go through great pains to not break the API. As a result, we should be able to put forth an expectation of supporting latest. - Lay out simple instructions for reporting a vulnerability - Mention our cooperation with OpenSSF Scorecard, and make a nod to the fact that our actively maintained score may drop when there's just not much to do with the library.
cameracker
force-pushed
the
cameracker-security-policy
branch
from
8444686
to
7e2b96f
Compare
dylan-bourque
approved these changes
May 13, 2024
SECURITY.md
Outdated
|
|
||
| One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs, | ||
| it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding | ||
| to reported exploits. As a result, periods of low active maintance are to be expected. |
There was a problem hiding this comment.
"maintenance" is misspelled here
SECURITY.md
Outdated
| ## Supported Versions | ||
|
|
||
| We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version | ||
| (provided it exists) irrespective of whether it was introduced to a prior version. |
There was a problem hiding this comment.
Should be "... introduced in a prior version."
cameracker
commented
May 13, 2024
cameracker
commented
May 13, 2024
nono
referenced
this pull request
in cozy/cozy-stack
Sep 16, 2024
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/gofrs/uuid/v5](https://redirect.github.com/gofrs/uuid) | `v5.2.0` -> `v5.3.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>gofrs/uuid (github.com/gofrs/uuid/v5)</summary> ### [`v5.3.0`](https://redirect.github.com/gofrs/uuid/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/gofrs/uuid/compare/v5.2.0...v5.3.0) #### Summary In this release, we updated the package to participate in OpenSSF Scorecard and tuned several development workflows and added some fuzz tests. Additionally, We added `AtTime` generators for V1, V6, and V7 so that users may generate UUIDs from time stamps. **NOTE** Technically, the additional of the `AtTime` generators is a breaking change to the `Generator` interface. We decided to go with a `minor` update because of the unlikelihood of this interface being implemented by a consumer, and to reduce the impact of releasing a major version for this feature. #### What's Changed - Add "AtTime" generators for V1, V6, and V7 by [@​kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/142](https://redirect.github.com/gofrs/uuid/pull/142) - Fix typo in URL in README by [@​kohenkatz](https://redirect.github.com/kohenkatz) in [https://github.com/gofrs/uuid/pull/141](https://redirect.github.com/gofrs/uuid/pull/141) - Add OpenSSF Best Practices Badge to README by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/144](https://redirect.github.com/gofrs/uuid/pull/144) - Create SECURITY.md by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/143](https://redirect.github.com/gofrs/uuid/pull/143) - Add OpenSSF Scorecard badge to readme by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/149](https://redirect.github.com/gofrs/uuid/pull/149) - Update fuzz tests to use go fuzz features by [@​cameracker](https://redirect.github.com/cameracker) in [https://github.com/gofrs/uuid/pull/148](https://redirect.github.com/gofrs/uuid/pull/148) #### New Contributors - [@​ldez](https://redirect.github.com/ldez) made their first contribution in [https://github.com/gofrs/uuid/pull/168](https://redirect.github.com/gofrs/uuid/pull/168) **Full Changelog**: gofrs/uuid@v5.2.0...v5.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Monday" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cozy/cozy-stack). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC43NC4xIiwidXBkYXRlZEluVmVyIjoiMzguNzQuMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard.
A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :)
With this security policy, we shoot for simplicity: