aaronlippold
commented
5 years ago For example a customer of ours has specifically about proof that inspec has an active remediation and security process. when I went to the security page I wasn't able to easily correlate code levels to CVE and the change log had inconsistent reporting of vulnerability data. If this had been a top level link of a single page specifically designed to report vulnerabilities from version to version it would have made a short conversation.
tas50
As organizations are deploying your products to the Enterprise, The level of trust in those products should be easily maintained. To do this I would suggest that we create an automatically generated vulnerability and CVE page that links back to PRs and code commits and provides a conciselis of which vulnerabilities were remediated and which won our abilities are still in progress of remediation. This should be a top-level page with one click access. If possible given that we recompile upstream sources such as Ruby and other tools we should try to dynamically link to them as well so that if there's a chain of vulnerability we address how we are mitigating that as well. Finally this will help establish pedigree for when chef and it's product lines start to formally validate their products through processes like the common criteria.