OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Suggestion: adding lockfile and security related to it #20

Open lirantal opened 4 years ago

lirantal commented 4 years ago

Due to recent research I published with regard to lockfile security, I'd be happy if we also cover lockfiles as a general use-case, but also the traits of lockfiles, such as whether they are tracked for direct or all dependencies, whether they include signatures or checksums, and so on.
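The lockfile traits raised above (checksum coverage and whether transitive dependencies are locked) can be checked mechanically. The following is an added example, not code from this issue or from the packman project: a small Python audit over a constructed npm `package-lock.json` (lockfileVersion 2 layout) that reports entries with a missing or weak `integrity` hash, entries whose `resolved` URL is not HTTPS, and dependency edges that have no locked entry at all. The sample lockfile content, the function names and the "weak" hash rule are assumptions made for the example.

```python
import json

# Constructed sample lockfile in npm's lockfileVersion 2 "packages" layout.
# Integrity values are placeholders, not real hashes.
SAMPLE_LOCK = r'''{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0", "debug": "^4.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDERsha512valueForLeftPad"
    },
    "node_modules/debug": {
      "version": "4.3.4",
      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
      "dependencies": {"ms": "2.1.2", "supports-color": "^7"}
    },
    "node_modules/ms": {
      "version": "2.1.2",
      "resolved": "http://mirror.example/ms-2.1.2.tgz",
      "integrity": "sha1-PLACEHOLDERsha1valueForMs"
    }
  }
}'''

# Subresource-Integrity style prefixes we treat as acceptable (assumption).
STRONG_PREFIXES = ("sha256-", "sha384-", "sha512-")


def _resolve(packages, parent_key, name):
    """Find the locked entry npm would pick for `name` required by `parent_key`:
    the nearest enclosing node_modules/<name>, walking up to the root."""
    base = parent_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def audit_lockfile(text):
    """Return a dict of findings about the lockfile's checksum and coverage traits."""
    lock = json.loads(text)
    packages = lock.get("packages", {})
    findings = {
        "missing_integrity": [],    # fetched package with no checksum at all
        "weak_integrity": [],       # checksum present but not a strong SRI digest
        "insecure_resolved": [],    # tarball URL not served over HTTPS
        "unpinned_transitive": [],  # dependency edge with no locked entry
    }
    for key, entry in packages.items():
        if key == "":  # the root project itself is not a fetched artifact
            continue
        integrity = entry.get("integrity")
        if not integrity:
            findings["missing_integrity"].append(key)
        elif not integrity.startswith(STRONG_PREFIXES):
            findings["weak_integrity"].append(key)
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith("https://"):
            findings["insecure_resolved"].append(key)
    # Transitive coverage: every declared dependency, including those of
    # already-locked packages, must itself resolve to a locked entry.
    for key, entry in packages.items():
        for dep in entry.get("dependencies", {}):
            if _resolve(packages, key, dep) is None:
                findings["unpinned_transitive"].append(f"{key or '<root>'} -> {dep}")
    return findings


def is_fully_pinned(findings):
    """True only when every package is checksummed, strong, HTTPS-resolved and present."""
    return not any(findings.values())


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("fully pinned:", is_fully_pinned(result))
```

Run against the constructed sample, the audit flags `debug` for having no checksum, `ms` for a SHA-1 checksum and a plain-HTTP tarball URL, and the `debug -> supports-color` edge as a dependency the lockfile never pins; a clean lockfile yields four empty lists.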

stevespringett commented 4 years ago

Related to:

- SCVS 1.1 - All components and their versions are known at completion of a build
- SCVS 5.6 - An automated process of identifying non-specified component versions is used

Note: SCVS is currently in pre-draft and is subject to change

lirantal commented 4 years ago

Looks good