-
Many of us have talked of [Software Bill-of-Materials initiatives](ntia.gov/SBOM) in the past, but I believe GSA specifically, but also all federal agencies generally, are in a unique position to argu…
-
I'm working on validating the software supply chain for another project and I haven't been able to find a definitive statement about the package signing key used by the Mockito project. As a result, w…
-
**Description**
The current index page seems out of order. The rearrangement should be:
- Sigstore Definition
- Why Sigstore
- How it works
- Which tools Sigstore uses
- Contributing
…
-
Hi,
We notice that you are using topic names from ROS parameters at the following locations:
https://github.com/rst-tu-dortmund/costmap_converter/blob/e8c1d2c8c8d5e34b1980062e28e4a4dc1817bade/src/…
-
When running `steampipe check all` in the GitHub Compliance mod, or `steampipe check benchmark.cis_v150` in the AWS Compliance mod, we sometimes receive the `ERROR: query timeout exceeded (240s)` for …
-
Please tag the latest stable build. I can see 3.0.4 as the latest stable version but I don't see the same in Github releases.
Kindly tag the latest release, as it will help with our OSS clearance.
-
Veracode Software Composition Analysis
===============================
| Attribute | Details |
| --- | --- |
| Library | Apache Commons Collections |
| Description | The Apache Commons Collections p… |
-
It's great to meet @king-gao at [Open Source Software Supply Chain Summit 2020](https://isrc.iscas.ac.cn/summer2020) this weekend in Nanjing, who is an open-source expert working at Huawei and gives a t…
-
*Title*: *Record components used when Envoy was built*
*Description*:
From a software supply chain viewpoint it is desirable to record all dependencies used by a build of Envoy. As different confi…
-
On April 15, Security Week reported,
> Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected si…