openjs-foundation / security-collab-space

a repository for documenting and coordinating the foundation's security collaboration space
Apache License 2.0

Review Latest Revisions To OpenJS SBOM Best Practices & Secure Releases and CVE Management for the JS Ecosystem #64

Closed bensternthal closed 11 months ago

bensternthal commented 1 year ago

Jordan has made updates to two more docs, let's discuss and provide feedback:

  1. OpenJS SBOM Best Practices https://hackmd.io/ujVlBEjqQCSvxfspqd3gcw
  2. Secure Releases and CVE Management for the JS Ecosystem https://hackmd.io/1fnYDGmySt2jQDV8zXgiRw
wesleytodd commented 1 year ago

Docs look generally good. I am wondering, for the secure releases, whether there is still some contention between "publish locally", which is what this doc goes over primarily, and "publish from CI". Would it be good to call that out in here? And maybe have a section about securely publishing from CI?

Ideally I would say that for a secure CI publish you would have the following:

  1. A granular access token on npm
  2. A CI workflow for release triggered off SCM push (typically to main, maybe PR and staging releases)
  3. Access control is managed at the SCM layer (github user permissions, etc)

There are some systems which also add on user provenance information to these types of setups, but I would guess it is better to start with limited opinions and build from there?
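As an added illustration of the three-item setup in the comment above (this is not code from the thread, from the OpenJS docs, or from any project's release workflow), here is a minimal GitHub Actions workflow that publishes on a push to `main`, reads a granular npm token from an environment secret, and leaves the "who may release" decision to GitHub's own branch and environment rules. The secret name `NPM_TOKEN`, the environment name `npm-release`, the Node version and the `npm ci`/`npm test` steps are all assumptions. The later comments in this thread question whether a token of this kind is sufficient on its own, so read it as the baseline being discussed rather than a recommendation.

```yaml
# .github/workflows/release.yml (added example; names below are assumed)
name: release

on:
  push:
    branches: [main]          # item 2: release triggered off an SCM push to main
    # Alternative (also an assumption): trigger on version tags instead,
    #   tags: ['v*']

# Least privilege for the job's GITHUB_TOKEN: the publish step does not need
# write access to the repository itself.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # item 3: access control lives at the SCM layer. Branch protection on main
    # decides who can land the push; the assumed "npm-release" environment can
    # additionally require reviewers and restrict which branches may deploy,
    # and only that environment exposes the token below.
    environment: npm-release
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes an .npmrc that reads the token from
          # NODE_AUTH_TOKEN at publish time, so the secret never lands in the
          # checked-in tree.
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm test

      # item 1: NPM_TOKEN is an assumed repository/environment secret holding
      # a granular access token scoped to this one package (and, if the
      # registry supports it, restricted by expiry and allowed IP ranges).
      # It is only ever read here, and only inside the gated environment.
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # The "user provenance" systems mentioned above would add flags or
        # extra steps at this point (for example npm's --provenance option,
        # which also needs id-token: write in permissions); they are left
        # out here on purpose, since the thread treats them as optional.
```

Two things a practitioner would check before relying on this: that the token in `NPM_TOKEN` really is limited to the one package the workflow publishes (so a leaked CI secret cannot push to anything else), and that `main` has branch protection plus required reviews, because with this trigger every merge to `main` is a release and the reviewers of that merge are effectively the release approvers.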

ljharb commented 1 year ago

A granular access token on npm simply isn't secure, because it's a single factor, so I don't think it should be referenced here except as something to avoid.

ljharb commented 1 year ago

Additionally, "provenance" tells you nothing except which workflow published the package, so I think it's premature to recommend it as a "security" practice.

wesleytodd commented 1 year ago

Yeah, I see where you are coming from. I am not claiming it is perfect or even "great", but I think it will be something end users ask about, and ideally anything is better than nothing if they go off and do some CI publish that is even further from a recommended path. Anyway, not super opinionated here, just a gap I noticed.

bensternthal commented 11 months ago

Resolving as discussion concluded, comments will be integrated into doc by @ljharb