On 04-04-2023 10:39, Ian Turton wrote:
I've just read this article on assessing security risks -
https://opensource.com/article/23/3/open-source-security-scorecard -
Might be worth implementing as a git action for us.
Any thoughts?
The concept seems to provide a false sense of security and the tool
seems opinionated and flawed, e.g. scoring points for some badge provided
by the same project, totally missing the GeoTools security policy,
suggesting that test data jar files are executables, not checking for
SBOM...
For reference this is what the GeoTools scorecard looks like:
https://deps.dev/project/github/geotools%2Fgeotools
Mark
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel