JLLeitschuh / security-research

Public disclosure channel for security vulnerabilities
Creative Commons Zero v1.0 Universal

Stop reporting problems in test code #20

Open elharo opened 1 year ago

elharo commented 1 year ago

It is not a security issue when code creates a temp file with test data that's right there in the open source code, and then tests. These are false positives. I have yet to see even an arguable true positive in test code.

JLLeitschuh commented 1 year ago

This is absolutely the intention moving forward.

For my work in particular working with Modern, we will be attempting to only fix vulnerabilities in test code if non-test code is also impacted.

I.e., if only test code is impacted, don't generate a Pull Request. But if non-test code is impacted, apply the fix to the entire project.


I also want to make you aware that this work is moving away from being my personal project and is now under the Open Source Security Foundation (OpenSSF): Project Alpha Omega.

I've recently accepted a job as the Senior Software Security Researcher for Project Alpha Omega, and all of this work will be moving under that banner for future campaigns.

Additionally, there is a newly formed "Autofix" Special Interest Group (SIG) that has been formed under the OpenSSF Vulnerability Disclosure Working Group.

One of the projects being developed under that Autofix SIG is a proposed specification defining an "OpenSSF Compliant Automated Vulnerability Fix Campaign".

The document is very much a WIP. But if you're interested in reviewing the proposal and offering your insights and feedback, I'd like to invite you and anyone else at the ASF to do so.

https://docs.google.com/document/d/1_QwN7yQXWGM2tJaostIRNqyZIhVceVlIyXqCrSdC4E8/edit