Support "Open Source Security Foundation" Best Practises ("passed")

[In-Ko]

Description Following the OpenSSF Best Practises and earning its Badge is a great way to show the world that Open Source Projects take security of their Projects serious. The process is described on the website, and a first assessment questionnaire for OCM is already available.

• Main goal for now is to reach a 100% fulfilment of that questionnaire to get the "passed" badge, the missing tasks can be seen in the linked questionnaire
• After that, we should try and follow all best practises to reach the "silver" state (and get the respective badge)

All criteria for all three levels (passing, silver and gold) are listed here: https://bestpractices.coreinfrastructure.org/en/criteria

[In-Ko]

Currently open issues to get to the "passed" level:

• [x] Area "Reporting": Vulnerability Reporting: https://bestpractices.coreinfrastructure.org/en/projects/7156#reporting
• [x] Area "Security": Fixing Security Issues: https://bestpractices.coreinfrastructure.org/en/projects/7156#security
• [x] Area "Analysis": golangci lint: Enable linter checking for vulnerability checks: https://bestpractices.coreinfrastructure.org/en/projects/7156#analysis

[ThormaehlenFred]

Hi @In-Ko thank you for creating this issue. Please label it with area/ipcei, area/security and area/compliance. See those issues as an example https://github.com/gardener/gardener/issues?q=is%3Aissue+is%3Aopen+label%3Aarea%2Fipcei

[In-Ko]

I think this has been closed a bit to early:

• First subtask is now done (providing a way how to report security issues is on the website now: https://ocm.software/project/security/
• Second task "Publicly known vulnerabilities fixed": Let's quickly discuss this
• Third task: Including a look for common vulnerabilities in the golangci lint: Let's check.

Only if the two remaining subtasks are also done, the questionnaire been updated accordingly, and the OSSF "passed" badge is visible in our Repos (I propose: OCM Repo and maybe also on our website somewhere), this task can be closed.

[In-Ko]

As agreed in the meeting today, we now fulfil also the 5 remaining issues of the questionnaire. After the questionnaire has been updated accordingly and the Badge is displayed in the OCM Repo and on the OCM Website, we can close this issue.

[In-Ko]

I was able to update the questionnaire now based on our discussions, so that now we have a 100% passing for the initial badge.

@phoban01 : As discussed, you can now go ahead and add the Badge to the OCM Repo itself and to our ocm.website. Markdown: [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7156/badge)](https://bestpractices.coreinfrastructure.org/projects/7156)

HTML: <a href="https://bestpractices.coreinfrastructure.org/projects/7156"><img src="https://bestpractices.coreinfrastructure.org/projects/7156/badge"></a>

Thanks!