Jason Shepherd

Results: 11 issues by Jason Shepherd

Works well on MacOSX and Linux. Need to test on Windows. A couple of tests fail for me on JDK 8 < 72: BeanShell1: Caused by: java.io.IOException: Cannot run program...

When a document has packages with package external references, those are not written by the jsonyamlxml writer. Compare that behaviour with the [tagvaluewriter](https://github.com/spdx/tools-python/blob/2f4225c5a2eb2d1ee577c53b3b6075c91b0981c1/spdx/writers/tagvalue.py#L272).

Sometimes later versions of containers in a repository can use versions which are lower than previous versions when compared using RPM schematics. For example the container repository `registry.redhat.io/openshift-logging/eventrouter-rhel8` uses floating...

triaged

The current launcher-backend Fabric8OpenshiftShiftServiceImpl always trusts that the certificate is signed by a trusted CA. This should be verified against the Java trust store certificates, or a different trust store, before...

:heavy_plus_sign: enhancement
:cloud: integration/openshift

The Log4J developers prior to CVE-2021-44228 allowed users to load arbitrary variables (and code) from a remote JNDI server using the logging templates. This example comes from the patch for...

Product: Fundamentals
Enhancement
Product: Labs

Uses the Python string format to demonstrate the [Format Strings and Templates](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#format-strings-and-templates) section of the course. This example came from [Be Careful with Python's New-Style String Format](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/) by Armin Ronacher...

Product: Fundamentals

According to the 'A security policy is published and followed for vulnerability disclosure and response' item in the [TAC Security Baseline](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-incubating), we need a SECURITY.md like this [example](https://github.com/ossf/.github/blob/main/SECURITY.md). We should also...

security baseline

Take for example [RHSA-2024:4420](https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_4420.json). The fixed-in version in the corresponding OSV record has the incorrect fixed version, but only for the Red Hat:enterprise_linux:8::crb ecosystem: [RHSA-2024:4420](https://security.access.redhat.com/data/osv/RHSA-2024:4420.json) ``` { "package": {...

Create and publish a dependencies policy as specified in the 'A dependencies policy is published, maintained and followed.' entry of the [TAC Security Baseline](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-incubating).

security baseline

The [TAC Security Baseline](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-incubating) specifies, in the 'Direct dependencies are pinned in internet or infrastructure services and applications your project provides.' entry, that dependencies must be locked. While Python and...

security baseline