Re: [DISCUSS] Should we update our policies to include source provenance check
Hi Jarek:

On Tue, Apr 2, 2024 at 8:53 AM Jarek Potiuk wrote:
[...]
> TL;DR; I think that we currently do not explicitly state the requirement of
> verifying if the release manager has not tampered with the sources when
> preparing the source package - and I believe we should be more explicit
> about it and require from PMC members to do such verification.

FWIW, back2source [1] may help in the near future. This project is a work in progress with the goal to validate that the code in a VCS tag, the source archives and the binary archives of a release all match correctly. It lives in ScanCode.io [2].

[1] https://nlnet.nl/project/Back2source/
[2] https://github.com/nexB/scancode.io

--
Cordially
Philippe Ombredanne

-
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org
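The check the quoted text asks PMC members to perform (does the source archive match the VCS tag?) is the first leg of what back2source aims to automate. The following is an added example written for this page; it is not code from the thread, from back2source or from ScanCode.io. It assumes a tag checkout on disk and a .tar.gz source archive with a single top-level directory, treats "matching" as identical relative paths with identical SHA-256 digests, and builds a constructed tampered release (one file modified, one file added) so that it runs offline.

```python
"""Added example: compare a VCS tag checkout against a release source archive.
Not part of the thread, back2source or ScanCode.io. The sample tag tree and
the tampered archive are constructed inline for demonstration."""
from __future__ import annotations

import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_tree(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root.
    Assumption for this example: only the .git directory is excluded."""
    out: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts:
            out[rel.as_posix()] = sha256_bytes(path.read_bytes())
    return out


def digest_archive(archive: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file in a .tar.gz,
    stripping the single top-level directory (e.g. 'demo-1.0.0/')."""
    out: dict[str, str] = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = Path(member.name).parts
            rel = Path(*parts[1:]).as_posix() if len(parts) > 1 else member.name
            out[rel] = sha256_bytes(tar.extractfile(member).read())
    return out


def compare(tag_tree: dict[str, str], archive_tree: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference: present only in the archive, present only in
    the tag, or present in both with different content. A clean release has
    three empty lists."""
    tag_paths, arc_paths = set(tag_tree), set(archive_tree)
    return {
        "added": sorted(arc_paths - tag_paths),
        "missing": sorted(tag_paths - arc_paths),
        "modified": sorted(p for p in tag_paths & arc_paths if tag_tree[p] != archive_tree[p]),
    }


def build_sample(tmp: Path) -> tuple[Path, Path]:
    """Constructed sample data: a fake tag checkout and a source archive in
    which src/main.py was changed and build/helper.sh was added after tagging."""
    tag_files = {
        "README": b"demo project\n",
        "LICENSE": b"Apache-2.0\n",
        "src/main.py": b"print('hello')\n",
        ".git/HEAD": b"ref: refs/heads/main\n",  # VCS metadata, skipped by digest_tree
    }
    tag = tmp / "tag"
    for rel, content in tag_files.items():
        (tag / rel).parent.mkdir(parents=True, exist_ok=True)
        (tag / rel).write_bytes(content)

    archive_files = {
        "README": b"demo project\n",
        "LICENSE": b"Apache-2.0\n",
        "src/main.py": b"print('hello')\nprint('not in the tag')\n",
        "build/helper.sh": b"#!/bin/sh\n",
    }
    archive = tmp / "demo-1.0.0-src.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel, content in archive_files.items():
            info = tarfile.TarInfo(name=f"demo-1.0.0/{rel}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return tag, archive


def run_check() -> dict[str, list[str]]:
    """Build the constructed sample and return the comparison report."""
    with tempfile.TemporaryDirectory() as d:
        tag, archive = build_sample(Path(d))
        return compare(digest_tree(tag), digest_archive(archive))


if __name__ == "__main__":
    for kind, paths in run_check().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

In practice the tag should be checked out by the commit hash recorded in the vote email (tags can be moved), generated files that are legitimately produced at packaging time need an explicit allowlist rather than silent acceptance, and this comparison complements rather than replaces verifying the archive's detached signature against the project KEYS file and its published checksum.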
Re: Using DOAPs for publishing SBOM links (and mandating it)?
r more important because of the crappy CVEs that get published without collaboration with the upstream projects. The Apache projects are best qualified and should provide the ground truth on their own bugs IMHO.

[1] https://github.com/nexB/purldb/blob/main/minecode/visitors/apache.py#L23
[2] https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/apache_httpd.py
[3] https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/apache_kafka.py
[4] https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/apache_tomcat.py
[5] https://github.com/nexB/scancode.io/
[6] https://github.com/nexB/scancode-toolkit/

--
Cordially
Philippe Ombredanne
+1 650 799 0949 | pombreda...@nexb.com
AboutCode - Open source for open source - https://www.aboutcode.org
VulnerableCode - the open code and open data vulnerability database - https://github.com/nexb/vulnerablecode
ScanCode - scan your code, for origin/license/vulnerabilities, report SBOMs - https://github.com/nexB/scancode-toolkit https://github.com/nexB/scancode.io
package-url - the mostly universal SBOM identifier for packages - https://github.com/package-url
DejaCode - What's in your code?! - http://www.dejacode.com
nexB Inc. - http://www.nexb.com
Re: Identifiers (purl, SWID) for Apache artifacts
Dirk, Arnout:

Hello! I am the "creator" of PURL and maintainer of VulnerableCode, and both were referenced in the initial email of this thread by Arnout. In VulnerableCode, we effectively collect security advisories from Apache projects that offer them (like HTTPD and Tomcat and Kafka [1]) and eventually from the Apache mailing list announces otherwise in the future.

Dirk: You may recall that we met in Brussels and had dinner after some EC open source meeting earlier this year and discussed PURL back then?

You wrote:
> 1) Software artefacts of the foundation can be assigned an identifier.
> This identifier consists of an ASF specific prefix (asf), followed by the
> project name and followed by the software or product name. Separated
> by a '/'. Optionally followed by a '#' and a (semantic) version number.
> e.g. asf/airflow/providers-airbyte or asf/airflow/airflow-core#2.5.2

I would kindly request that you consider using the PURL syntax instead of inventing a new and different scheme that will require folks to invent their own parsers. You are welcome to specify the package type (apache or asf) and how each PURL component [2] should be used in this Apache context in the spec, but please avoid coming up with a new syntax. PURL is emerging as a de-facto and useful mini-spec in the appsec/infosec world and is now an essential glue to reference software packages in tools and databases, and it would be great to support it as is already done in many other tools and databases.

Thank you for your consideration!

[1] https://github.com/nexB/vulnerablecode/tree/main/vulnerabilities/importers
[2] https://github.com/package-url/purl-spec

--
Cordially
Philippe Ombredanne
+1 650 799 0949 | pombreda...@nexb.com
AboutCode - Open source for open source - https://www.aboutcode.org
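To make the request concrete, here is an added example (written for this page, not code from the thread, from the purl-spec repository or from the packageurl-python reference library) of the PURL syntax pkg:type/namespace/name@version?qualifiers#subpath as a small stdlib-only builder and parser, plus a translation of the "asf/project/artifact#version" identifiers quoted above into PURLs. The package type "apache", the mapping of project to namespace and artifact to name, and the sample identifiers are assumptions for illustration; the thread only says that such a type (apache or asf) could be defined in the spec. The encoder covers the common cases (percent-encoding of components, lowercased type and qualifier keys, sorted qualifiers, normalised subpath) and is not a substitute for the reference library.

```python
"""Added example: a minimal PURL builder/parser and a translation of the
'asf/<project>/<artifact>[#<version>]' scheme proposed in the thread.
Not from the thread, purl-spec or packageurl-python. The 'apache' type and
the mapping below are assumptions for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote, unquote


def _enc(component: str) -> str:
    # Percent-encode a component so '/', '@', '?', '#' and '&' cannot be
    # mistaken for purl separators; ':' is left as-is (spec: not encoded).
    return quote(component, safe=":")


def _clean_segments(path: str) -> list[str]:
    # Drop empty, '.' and '..' segments as the spec does for subpath.
    return [s for s in path.strip("/").split("/") if s not in ("", ".", "..")]


@dataclass(frozen=True)
class PackageURL:
    type: str
    name: str
    namespace: str | None = None
    version: str | None = None
    qualifiers: dict[str, str] = field(default_factory=dict)
    subpath: str | None = None

    def to_string(self) -> str:
        parts = ["pkg:", self.type.lower(), "/"]
        if self.namespace:
            parts.append("/".join(_enc(s) for s in self.namespace.strip("/").split("/") if s) + "/")
        parts.append(_enc(self.name))
        if self.version:
            parts.append("@" + _enc(self.version))
        pairs = [(k.lower(), v) for k, v in sorted(self.qualifiers.items()) if v]
        if pairs:
            parts.append("?" + "&".join(f"{k}={_enc(v)}" for k, v in pairs))
        if self.subpath:
            parts.append("#" + "/".join(_enc(s) for s in _clean_segments(self.subpath)))
        return "".join(parts)

    @classmethod
    def from_string(cls, purl: str) -> PackageURL:
        if not purl.startswith("pkg:"):
            raise ValueError("a purl must start with 'pkg:'")
        rest = purl[len("pkg:"):].lstrip("/")
        subpath = None
        if "#" in rest:  # subpath is everything after the last '#'
            rest, sp = rest.rsplit("#", 1)
            subpath = "/".join(unquote(s) for s in _clean_segments(sp)) or None
        qualifiers: dict[str, str] = {}
        if "?" in rest:  # qualifiers are everything after the last '?'
            rest, q = rest.rsplit("?", 1)
            for pair in q.split("&"):
                key, _, value = pair.partition("=")
                if key and value:
                    qualifiers[key.lower()] = unquote(value)
        ptype, _, rest = rest.partition("/")  # type is everything before the first '/'
        if not ptype or not rest:
            raise ValueError("a purl needs a type and a name")
        version = None
        # The version '@' must follow the last '/', otherwise it belongs to a
        # namespace such as npm's '@angular' scope.
        if rest.rfind("@") > rest.rfind("/"):
            rest, v = rest.rsplit("@", 1)
            version = unquote(v)
        segments = [unquote(s) for s in rest.strip("/").split("/") if s]
        if not segments:
            raise ValueError("a purl needs a name")
        name, namespace = segments[-1], "/".join(segments[:-1]) or None
        return cls(ptype.lower(), name, namespace, version, qualifiers, subpath)


def asf_identifier_to_purl(identifier: str, purl_type: str = "apache") -> PackageURL:
    """Translate 'asf/<project>/<artifact>[#<version>]' (the form quoted in the
    thread) into a purl. Hypothetical mapping: project -> namespace,
    artifact -> name, '#version' -> '@version'; the type name is an assumption."""
    body, _, version = identifier.partition("#")
    prefix, project, artifact = body.split("/")
    if prefix != "asf":
        raise ValueError("expected an 'asf/' prefix")
    return PackageURL(type=purl_type, namespace=project, name=artifact, version=version or None)


if __name__ == "__main__":
    for ident in ("asf/airflow/providers-airbyte", "asf/airflow/airflow-core#2.5.2"):
        print(ident, "->", asf_identifier_to_purl(ident).to_string())
    print(PackageURL.from_string("pkg:npm/@angular/core@1.0.0"))
```

The round trip (to_string then from_string) is the property a consumer cares about: a vulnerability database or SBOM tool can match "pkg:apache/airflow/airflow-core@2.5.2" using the same parser it already uses for pkg:maven, pkg:pypi or pkg:npm, which is the point of reusing the syntax rather than inventing one.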