security-insights-spec
Machine-readable specification for the attestation of security-relevant data.
This work-in-progress PR builds on top of #138 (hence the "repetition" of the commits in this PR) to demonstrate the change required to publish this module to the CUE Central...
If you run `cue vet schema.cue .\SECURITY-INSIGHTS.yml` it does not properly enforce the schema, and successfully validates every file. `cue vet -d '#SecurityInsights' schema.cue .\SECURITY-INSIGHTS.yml` works...
We don't know how the last specification PDF was produced in the release, and we would like to produce another one that is consistent with the last released version PDF.
## Overview https://github.com/search?q=language%3AYAML+path%3Asecurity-insights+%22schema-version%3A+2.0.0%22&type=code shows me 24 insights files using the v2 schema. Reviewing the usage of `header.url` across those samples, I observed that the majority of these projects are using...
I happened to notice that the specification has two fields named `security-policy`: `vulnerability.security-policy` and `documentation.security-policy`. The template uses different example entries for each, so it's not clear if this is...
## Desired outcome Maintainers of a project that has previously adopted the v1 version of the schema want to easily produce a new insights file using the v2 schema based...
The spec documentation hints at a constraint that is not currently implemented in `schema.cue`. The schema declares `header.project-si-source` and `project` as optional; however, the documentation for `project` explains [This field...
https://cuelang.org/docs/concept/schema-definition-use-case/#validating-backwards-compatibility suggests that we might be able to write a Go tool that would give us feedback on changes to `schema.cue` and what they mean with respect to release versioning.
In the 2023 Security Slam, it was reported that it's hard to understand how to fill the `env-dependencies-policy` field in `SECURITY-INSIGHTS.yml`. It would be great to add at least one...