dev  

Messages by Thread

• • Re: [I] Project Creation Race Condition Between Existence Check and Insert (tooling-trusted-releases) via GitHub
• [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
  • Re: [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
  • Re: [I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases) via GitHub
• [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases) via GitHub
• [I] Pre-Extraction Safety Checks Do Not Verify Total Uncompressed Size (tooling-trusted-releases) via GitHub
  • Re: [I] Pre-Extraction Safety Checks Do Not Verify Total Uncompressed Size (tooling-trusted-releases) via GitHub
• [I] Admin Blueprint post Decorator Bypasses LDAP Active Account Check (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Blueprint post Decorator Bypasses LDAP Active Account Check (tooling-trusted-releases) via GitHub
• [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases) via GitHub
• [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
  • Re: [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
  • Re: [I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases) via GitHub
• [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] JWT API Authentication Success Not Logged (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases) via GitHub
• [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
  • Re: [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
  • Re: [I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases) via GitHub
• [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
  • Re: [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
  • Re: [I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases) via GitHub
• [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases) via GitHub
• [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases) via GitHub
• [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases) via GitHub
• [I] Form Hidden Field Validated Against Wrong Source (tooling-trusted-releases) via GitHub
  • Re: [I] Form Hidden Field Validated Against Wrong Source (tooling-trusted-releases) via GitHub
• [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases) via GitHub
• [PR] Merging 952 and 992 (tooling-trusted-releases) via GitHub
  • Re: [PR] Merging 952 and 992 (tooling-trusted-releases) via GitHub
• [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
  • Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
  • Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases) via GitHub
• [PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases) via GitHub
  • Re: [PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases) via GitHub
• [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • [GH] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • [GH] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
  • Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases) via GitHub
• [I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases) via GitHub
  • Re: [I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases) via GitHub
• [I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases) via GitHub
• [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases) via GitHub
• [I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases) via GitHub
  • Re: [I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases) via GitHub
• [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases) via GitHub
• [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
  • Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
  • Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases) via GitHub
• [I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases) via GitHub
  • Re: [I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases) via GitHub
• [I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases) via GitHub
  • Re: [I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases) via GitHub
• [I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases) via GitHub
  • Re: [I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases) via GitHub
• [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases) via GitHub
• [I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases) via GitHub
• [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
  • Re: [I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases) via GitHub
• [I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases) via GitHub
  • Re: [I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases) via GitHub
• [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
  • Re: [I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases) via GitHub
• [I] Sequential Template Substitution Allows Variable Injection in Email Templates (tooling-trusted-releases) via GitHub
• [I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases) via GitHub
  • Re: [I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases) via GitHub
• [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
  • Re: [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
  • Re: [I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases) via GitHub
• [I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases) via GitHub
  • Re: [I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases) via GitHub
• [I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases) via GitHub
  • Re: [I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases) via GitHub
• [I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases) via GitHub
• [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
  • Re: [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
  • Re: [I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases) via GitHub
• [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases) via GitHub
• [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] Git Clone Operations Without Network Timeout (tooling-trusted-releases) via GitHub
• [I] Missing Centralized Documentation of Resource-Intensive Operations (tooling-trusted-releases) via GitHub
• [I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases) via GitHub
  • Re: [I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases) via GitHub
• [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases) via GitHub
• [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases) via GitHub
• [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
  • Re: [I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases) via GitHub
• [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub
  • Re: [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub
  • Re: [I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases) via GitHub
• [I] Missing Project-Level Access Control on Multiple GET Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Missing Project-Level Access Control on Multiple GET Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Missing Project-Level Access Control on Multiple GET Endpoints (tooling-trusted-releases) via GitHub
• [I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases) via GitHub
• [I] IDOR in Check Ignore Operations via Numeric ID (tooling-trusted-releases) via GitHub
  • Re: [I] IDOR in Check Ignore Operations via Numeric ID (tooling-trusted-releases) via GitHub
  • Re: [I] IDOR in Check Ignore Operations via Numeric ID (tooling-trusted-releases) via GitHub
• [I] IDOR on check_id in Check Result Data Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] IDOR on check_id in Check Result Data Endpoint (tooling-trusted-releases) via GitHub
  • Re: [I] IDOR on check_id in Check Result Data Endpoint (tooling-trusted-releases) via GitHub
• [I] OAuth Authentication Does Not Terminate Prior Session Token (tooling-trusted-releases) via GitHub
  • Re: [I] OAuth Authentication Does Not Terminate Prior Session Token (tooling-trusted-releases) via GitHub
  • Re: [I] OAuth Authentication Does Not Terminate Prior Session Token (tooling-trusted-releases) via GitHub
• [I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases) via GitHub
  • Re: [I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases) via GitHub
• [I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases) via GitHub
• [I] SBOM Task Functions Use File Paths Without Containment Validation (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM Task Functions Use File Paths Without Containment Validation (tooling-trusted-releases) via GitHub
• [I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases) via GitHub
• [I] Upload Staging Endpoint Ignores Authentication Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Endpoint Ignores Authentication Context (tooling-trusted-releases) via GitHub
  • Re: [I] Upload Staging Endpoint Ignores Authentication Context (tooling-trusted-releases) via GitHub
• [I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases) via GitHub
  • Re: [I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases) via GitHub
  • Re: [I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases) via GitHub
• [I] Release Vote Logic Validation Always Passes Due to Catch-All Pattern (tooling-trusted-releases) via GitHub
  • Re: [I] Release Vote Logic Validation Always Passes Due to Catch-All Pattern (tooling-trusted-releases) via GitHub
  • Re: [I] Release Vote Logic Validation Always Passes Due to Catch-All Pattern (tooling-trusted-releases) via GitHub
• [I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases) via GitHub
  • Re: [I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases) via GitHub
  • Re: [I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases) via GitHub
• [I] Trusted Publishing Cross-Field Validation Bypassed Via Web Form (tooling-trusted-releases) via GitHub
  • Re: [I] Trusted Publishing Cross-Field Validation Bypassed Via Web Form (tooling-trusted-releases) via GitHub
• [I] Unsanitized Markdown-to-HTML Conversion Allows Stored XSS in SBOM Vulnerability Descriptions (tooling-trusted-releases) via GitHub
  • Re: [I] Unsanitized Markdown-to-HTML Conversion Allows Stored XSS in SBOM Vulnerability Descriptions (tooling-trusted-releases) via GitHub
• [I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases) via GitHub
• [I] OpenPGP Key Management Entirely Lacks Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] OpenPGP Key Management Entirely Lacks Audit Logging (tooling-trusted-releases) via GitHub
  • Re: [I] OpenPGP Key Management Entirely Lacks Audit Logging (tooling-trusted-releases) via GitHub
• [I] Committee Key Bulk Deletion Bypasses Storage Layer and Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Committee Key Bulk Deletion Bypasses Storage Layer and Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Committee Key Bulk Deletion Bypasses Storage Layer and Audit (tooling-trusted-releases) via GitHub
• [I] Admin User Impersonation Has No Audit Trail (tooling-trusted-releases) via GitHub
  • Re: [I] Admin User Impersonation Has No Audit Trail (tooling-trusted-releases) via GitHub

• Earlier messages
• Later messages