huserben / TfsExtensions

Extensions for TFS 2015+ such as custom Widgets (require TFS 2017) and Build Tasks
MIT License

Tagging verified publisher label against your extension #202

Closed ranganr closed 2 years ago

ranganr commented 2 years ago

Hi Sir,

Please add the label "Verified publisher" against your name with respect to your extension, as it is one of the criteria with respect to the security assessment.

ranganr commented 2 years ago

Hi Huserben Sir,

Please add the label "Verified publisher" against your name with respect to your extension "Trigger build task extension". It is one of the criteria with respect to the security assessment. I raised a request as part of adding the extension in the Azure DevOps portal belonging to my company, and the security team rejected it as your name comes under verified publisher. Please add the label "Verified publisher" against your name so that the security team will approve the extension request from my end. Please help, sir.

huserben commented 2 years ago

Hi @ranganr

the requirements for being a "Top Publisher" (I assume you mean that with verified publisher) are as follows:

  1. Comprehensive and up-to-date privacy policy.
  2. Comprehensive and up-to-date license, that is, end-user license agreement.
  3. Comprehensive and up-to-date support policy. Your customers should have access to your support URL and see a clear way to get support from you: file a ticket, email your support team, or other ways to contact you. You should offer support for about 8 hours a day for all business days in your local time zone for all your offerings, and a documented low response time for paid offerings for critical issues.
  4. Comprehensive and high-quality documentation, which could be hosted in your domain, be within your offering, or hosted in a public GitHub repo. Customers should ideally get an overview, quickstart, and how-to guides.
  5. Timely and satisfactory responses to valid questions under the Q&A section: answer all valid questions under the Q&A section timely (roughly within a week) and satisfactorily. Responses to reviews are welcome too.

Taken from https://docs.microsoft.com/en-us/azure/devops/extend/publish/publicize?view=azure-devops#top-publisher.

As I'm doing this in my free time as a hobby project and not professionally, these criteria are hard to fulfill. Currently I have no intention of going in this direction.

I'm sorry if this prevents you from using the extension.

ranganr commented 2 years ago

Hi Sir,

Thanks for the update.

This is a very useful and extraordinary extension, as I tried the same using my free account.

In order to use the same in our project activities it needs to go through internal assessment by our security team. Based on the assessment, we got a response in terms of security risks as follows:

  1. Vulnerable versions of libraries – 11 libraries with known vulnerabilities were found in the add-on files. Some of the libraries are included in several versions with and without vulnerabilities (including the versions, the full list includes 17 dependencies with known vulnerabilities). It is uncertain which versions of the libraries are currently in use.

They suggested me to contact the vendor (you) and ask about an extension update by upgrading the vulnerable libraries to the latest ones (it seems to be possible and quick to implement by the extension's author). After such an update they do not see contraindications to implementing the same. So I request your help as part of updating the extension in terms of upgrading the vulnerable libraries to the latest ones.

I request you to please update your valuable extension with respect to the above mentioned ones in order to use the same by us at the earliest

Please help me sir

thanks

rangan


ranganr commented 2 years ago

Hi Sir,

I request you to please help on this at the earliest.

thanks rangan


huserben commented 2 years ago

Hi @ranganr

do you happen to have a list of the dependencies where updates are available?

I can try to update the libraries in the near future, but this also will require thorough testing to make sure everything still works as it should. Also in future there might be more of such issues happening and I can't promise updates to happen quickly (or at all). If this would be a problem for your use case, you can also fork the repo and for example create your own version that you keep up to date internally.
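One way for a requester to produce the dependency list asked for above, as an added example that is not part of this thread or of the TfsExtensions project: walk the packaged task's node_modules tree, inventory every package.json, and flag packages shipped in more than one version, which is exactly the "several versions with and without vulnerabilities" situation the assessment report describes. The package names, versions and paths in the sample tree are constructed, not taken from the real extension.

```python
import json
import os
import tempfile
from collections import defaultdict


def inventory_node_modules(root):
    """Map package name -> {version: [relative dirs]} for every manifest found
    under any node_modules directory below root, nested trees included."""
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, filenames in os.walk(root):
        # Only manifests inside node_modules are dependencies; the task's own
        # top-level package.json is skipped.
        if "package.json" not in filenames or "node_modules" not in dirpath.split(os.sep):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable/malformed manifest; list these separately in a real scan
        name, version = meta.get("name"), meta.get("version")
        if name and version:
            found[name][version].append(os.path.relpath(dirpath, root))
    return found


def multi_version_packages(inventory):
    """Packages shipped in more than one version: the 'several versions with and
    without vulnerabilities' case where it is unclear which copy is loaded."""
    return {n: sorted(v) for n, v in inventory.items() if len(v) > 1}


def build_sample_tree(root):
    """Constructed sample layout (hypothetical names/versions, not the real
    extension): 'minimist' is present twice, one copy nested under 'mkdirp'."""
    layout = {
        "package.json": {"name": "example-task", "version": "1.0.0"},
        "node_modules/minimist/package.json": {"name": "minimist", "version": "1.2.6"},
        "node_modules/mkdirp/package.json": {"name": "mkdirp", "version": "0.5.1"},
        "node_modules/mkdirp/node_modules/minimist/package.json": {"name": "minimist", "version": "0.0.8"},
    }
    for rel, meta in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(meta, fh)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return multi_version_packages(inventory_node_modules(root))
```

Run `inventory_node_modules` against the unpacked extension or task folder instead of the sample tree; the resulting name/version pairs are what an advisory lookup (for example `npm audit` on the equivalent lockfile) needs, and the multi-version entries are the ones to resolve first.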

ranganr commented 2 years ago

Hi Sir,

I don't have an idea on the above; instead I have attached the dependency files in the attached report.

I request you to please check and update the extension in order to nullify the existing vulnerabilities, if any or applicable.

please help on this at the earliest

thanks rangan


huserben commented 2 years ago

Hi @ranganr

I just released a new version of the tasks where I updated all the dependencies. There might still be some older dependencies in the dependency tree, but this change was what I could do with the time I had.

If this is not sufficient, I'd need a detailed list of issues, but in general I could not give any guarantee whether I manage to update more in future.