Closed fcanogab closed 3 years ago
I very much think the project exists. At least the first 3 bullets are something that we discussed in a few WG meetings as a component of a good security policy for OSS projects.
I am a little less clear on how we might improve it on the tooling side. @fcanogab can you give us a bit more details on what you had in mind?
Not sure Marcin, it's just an idea. Maybe some tools are reporting vulnerabilities just based on package versions, thus reporting wrong information (due to backporting for example). People that develop scanning tools may not know what open source maintainers would like to receive from their tools. Maybe there is one tool that is specially used and specially wrong on this and that open source maintainers receive lots of false positives? We can analyze it and give specific feedback. Maybe we could maintain documentation that explains how to manually verify some findings usually reported by tools, and we can ask tool developers to link to it, just to help the people that use that tool (I'm talking specially about any kind of scanning tool) to verify findings manually. The idea would be to identify, prioritize, choose and push initiatives that would improve tooling, maybe with documentation and code, in a way that open source maintainers receive fewer false positives from those tools, and for the vulnerabilities they receive, better information.
This sounds like an initiative that could span several different OpenSSF WGs. Perhaps a better place to have this conversation would be the OpenSSF Technical Advisory Council?
That said, I think one aspect we definitely want to address at some point is security policies, and guiding security researchers on how to provide a high quality report is definitely something we want to work on.
Ok. Taking that into account, I think it is better to just close this issue for the moment and maybe work on it from within other initiatives. Thanks!
Open source maintainers usually receive a lot of feedback about vulnerabilities found by security tools in open source projects. Sometimes, the quality of the information provided is not very good, and it generates a lot of work for the open source maintainer that maybe could be avoided.
I would like to propose to work, maybe within this working group, on this issue.
I'm thinking about things like:
I'm not saying to create anything new, if something exists, but work on whatever it takes to:
1. Do you think that the problem exists and the project is worth it or not?
2. Do you think it is a project that may fit in this project?