Evaluate OSS for Security

[balteravishay]

Pull Request Template

What are you trying to address

This PR addresses issue #1039 by proposing a set of checks and tools that can be applied when evaluating an OSS package.

Checklist

[READY TO PR? Use the check-list below to ensure your branch is ready for PR.]

• [v] Changes follow the repo structure and land in the appropriate folder and section
• [v] No confidential information
• [v] No duplicated content
• [v] Labeled appropriately
• [v] Added 2 reviewers
• [v] No lint errors
• [v] No lint check errors related to your changes

Note: You may see link check errors on pages you have not touched. This is normal, and due to either broken links or sites that reject link checker bots. The reviewer will help you get to a green state on these.

[superhindupur]

Thanks for adding this, very helpful. As discussed on the EMEA security committee call, it would be great if we can add some guidance to check for the dependency tree of a new open source dependency during a code review.

[balteravishay]

thanks @superhindupur, great feedback! added a section on "When to evaluate OSS", wdyt?