nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Create a badging tool for modules #157

Closed dgonzalez closed 6 years ago

dgonzalez commented 6 years ago

Similar to coveralls or travis, now that we have all the vulnerabilities information from npm modules automated, we can create a badging system similar to the one from coveralls so that we can issue badges for the README.md on whether they have any vulnerability on the security-wg or not.

Not 100% sure about this but I think it is an idea worth exploring.

vdeturckheim commented 6 years ago

I love the idea, but I am not certain regarding the application. Would that need some engineering on our side?

dgonzalez commented 6 years ago

I can do it. I built a vulnerability scanner based on the node.js swg (https://github.com/dgonzalez/gammaray), and issuing the badge depending on the security status is actually trivial (just need to add an http handler, somewhere to deploy it and off you go). I don't mind migrating the repo to Node.js (it is golang as of now, just for the convenience of being able to ship it in a container without any library dependency).

lirantal commented 6 years ago

I think if we do something like this then it has to be an officially supported (from our/the foundation side), production-ready service and properly maintained. It's easy and tempting to spin up lambdas for this or whatever, but taking it seriously in terms of pushing it to other repos and creating awareness means that this service shouldn't incur down-times or somehow become un-maintained after 3 months - it will not be very professional of us.

dgonzalez commented 6 years ago

Yeah, that is true. Giving it a spin, it is almost a company-like product....

vdeturckheim commented 6 years ago

Looks like it's more a job for NSP and Snyk IMHO.

dgonzalez commented 6 years ago

Yeah... it almost looks like a product. The idea came up as it is an easy way to make sure that my module does not have any known vulnerability by the Node.js security working group (kinda official), but the logistics can be a bit problematic and suck up time.

mhdawson commented 6 years ago

I agree that we don't necessarily want to take on support for what would need to be a production application.

dgonzalez commented 6 years ago

So if no one else has any other objection, I will close this issue in a couple of days.

didac-pf commented 6 years ago

Related: #251

(Thanks @dgonzalez for pointing it out, and sorry for not checking it before on my side)

dgonzalez commented 6 years ago

No need to be sorry! It is not 100% the same so it is worth opening a different issue.
