easymock / objenesis

Okay, it's pretty easy to instantiate objects in Java through standard reflection. However, there are many cases where you need to go beyond what reflection provides: for example, when there is no public constructor, when you want to bypass the constructor code entirely, or when you need to set final fields. There are numerous clever (but fiddly) approaches to getting around this, and this library provides a simple way to get at them. You will find the official site here.
objenesis.org
Apache License 2.0
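The contrast described above, as an added example that is not part of the project's README or code: plain reflection still runs the constructor body, so a constructor-enforced invariant holds, while Objenesis allocates the object without running any constructor, so the invariant is silently skipped and final fields keep their JVM defaults. The `Guarded` class is constructed here for illustration; `ObjenesisStd`, `newInstance` and `getInstantiatorOf` are the library's public API.

```java
import org.objenesis.Objenesis;
import org.objenesis.ObjenesisStd;
import org.objenesis.instantiator.ObjectInstantiator;

import java.lang.reflect.Constructor;

public class ConstructorBypassDemo {

    // Constructed for this example: a class whose only constructor is private
    // and enforces an invariant (value must be positive).
    static final class Guarded {
        private final int value;

        private Guarded(int value) {
            if (value <= 0) {
                throw new IllegalArgumentException("value must be positive");
            }
            this.value = value;
        }

        int value() {
            return value;
        }
    }

    // Reflection path: the constructor body runs, so the invariant is checked.
    static Guarded viaReflection(int value) throws Exception {
        Constructor<Guarded> ctor = Guarded.class.getDeclaredConstructor(int.class);
        ctor.setAccessible(true); // private constructor, still invoked normally
        return ctor.newInstance(value);
    }

    // Objenesis path: no constructor runs at all; 'value' stays at its default 0,
    // which the constructor would have rejected.
    static Guarded viaObjenesis() {
        Objenesis objenesis = new ObjenesisStd();
        return objenesis.newInstance(Guarded.class);
    }

    // Reusable instantiator: cheaper when creating many instances of one class.
    static ObjectInstantiator<Guarded> instantiator() {
        return new ObjenesisStd().getInstantiatorOf(Guarded.class);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("reflection: " + viaReflection(5).value());

        try {
            viaReflection(0);
        } catch (java.lang.reflect.InvocationTargetException e) {
            // The constructor's check fired, as expected.
            System.out.println("reflection rejected 0: " + e.getCause().getMessage());
        }

        Guarded bypassed = viaObjenesis();
        // No exception: the invariant was never evaluated.
        System.out.println("objenesis: " + bypassed.value());

        ObjectInstantiator<Guarded> inst = instantiator();
        System.out.println("instantiator: " + inst.newInstance().value());
    }
}
```

The security-relevant point for anyone using or auditing this library: any check, default, or resource handling a class performs in its constructor is skipped, so code that consumes Objenesis-created objects must not rely on constructor-established invariants.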

Add Security Policy #238

Closed gabibguti closed 11 months ago

gabibguti commented 11 months ago

Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and also raise awareness of when vulnerabilities will be confirmed, fixed and disclosed.

Following up on @joycebrum's security recommendation at https://github.com/easymock/objenesis/issues/177, this one is also related to security and recommended by GitHub and Scorecard.

If you agree, I can open a PR to suggest a Security Policy. We can then work together to communicate how the repo can best handle vulnerability reports if you think it's applicable.

Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

henri-tremblay commented 11 months ago

Sure. The answer to that is probably for people to send me an email.

gabibguti commented 11 months ago

Got it. Is your email henri@tremblay.pro, as mentioned in https://blog.tremblay.pro/about.html?

GitHub also has its own tool for reporting vulnerabilities if you'd like to take a look: https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/

henri-tremblay commented 11 months ago

Ok. I have enabled GitHub and added a SECURITY.md. Please tell me if something else is needed.

gabibguti commented 11 months ago

All good.