From ab1ef1a98df68abd2e7cdfa71e87bbb04e4780c1 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 30 Dec 2024 16:13:18 -0600 Subject: [PATCH 1/4] chore: preparing for v2 release Signed-off-by: Eddie Knight --- CONTRIBUTING.md => .github/CONTRIBUTING.md | 0 .../siep.yml | 0 .github/security-insights.yml | 45 +++++++++++++++++ README.md | 14 +++++- SECURITY-INSIGHTS.yml | 49 ------------------- GOVERNANCE.md => docs/GOVERNANCE.md | 0 MAINTAINERS.md => docs/MAINTAINERS.md | 0 schema.cue | 6 +-- specification-details/aliases.md | 2 +- specification-details/header.md | 2 +- specification-details/project.md | 2 +- specification-details/repository.md | 2 +- template-full.yml | 2 +- template-minimum.yml | 2 +- 14 files changed, 66 insertions(+), 60 deletions(-) rename CONTRIBUTING.md => .github/CONTRIBUTING.md (100%) rename .github/{ISSUE_TEMPLATES => ISSUE_TEMPLATE}/siep.yml (100%) create mode 100644 .github/security-insights.yml delete mode 100644 SECURITY-INSIGHTS.yml rename GOVERNANCE.md => docs/GOVERNANCE.md (100%) rename MAINTAINERS.md => docs/MAINTAINERS.md (100%) diff --git a/CONTRIBUTING.md b/.github/CONTRIBUTING.md similarity index 100% rename from CONTRIBUTING.md rename to .github/CONTRIBUTING.md diff --git a/.github/ISSUE_TEMPLATES/siep.yml b/.github/ISSUE_TEMPLATE/siep.yml similarity index 100% rename from .github/ISSUE_TEMPLATES/siep.yml rename to .github/ISSUE_TEMPLATE/siep.yml diff --git a/.github/security-insights.yml b/.github/security-insights.yml new file mode 100644 index 0000000..29c790a --- /dev/null +++ b/.github/security-insights.yml 
@@ -0,0 +1,45 @@ +header: + schema-version: 1.0.0 + last-updated: '2021-09-01' + last-reviewed: '2022-09-01' + url: https://github.com/ossf/security-insights-spec + comment: This file contains the security information for the Security Insights project. + +project: + name: Security Insights + administrators: + - name: Christopher Robinson + affiliation: Linux Foundation + primary: true + repositories: + - name: Security Insights + url: https://github.com/ossf/security-insights-spec + comment: | + Security Insights is the core repo for the Security Insights project. + vulnerability-reporting: + reports-accepted: true + bug-bounty-available: false + +repository: + status: active + url: https://github.com/ossf/security-insights-spec + accepts-change-request: true + accepts-automated-change-request: false + no-third-party-packages: true + core-team: + - name: Eddie Knight + affiliation: Sonatype + primary: true + license: + url: https://github.com/ossf/security-insights-spec/blob/main/LICENSE + expression: MIT AND Community Specification License 1.0 + security: + assessments: + self: + evidence: https://github.com/ossf/security-insights-spec/blob/main/docs/threat-model + comment: | + A light-weight threat model was completed when the project was first started, + and it remains accurate to-date. + documentation: + contributing-guide: https://github.com/ossf/security-insights-spec/blob/main/.github/CONTRIBUTING.md + governance: https://github.com/ossf/security-insights-spec/blob/main/docs/GOVERNANCE.md diff --git a/README.md b/README.md index 5993172..3ccd0cb 100644 --- a/README.md +++ b/README.md 
@@ -6,8 +6,18 @@ This specification provides a mechanism for projects to report information about The data tracked within this specification is intended to fill the gaps between simplified solutions such as `SECURITY.md` and comprehensive automatable solutions such as SBOMs. In that gap lay elements that must be self-reported by projects to allow end-users to make informed security decisions. +## Usage + +Projects should include a `security-insights.yml` file in the root of their repository, or in the appropriate source forge directory such as `.github/` or `.gitlab/`. Users should assume the contents of that file will be updated any time the relevant information changes. + +To ensure you are adhering to an official version of the specification, please refer to the [latest release](https://github.com/ossf/security-insights/releases/latest). + +This repository often remains unchanged from the latest release, but may diverge as incremental development takes place in preparation for an upcoming release. Any differences between the latest release and the main branch should only be considered previews of the next release. + As the adoption of Security Insights grows, so does the opportunity to automatically ingest it. For example, the Linux Foundation's [CLOMonitor](https://clomonitor.io/) parses a project's Security Insights file to determine whether projects have reported on select security factors prioritized by the foundation. -All information regarding the maintenance, security, and consumption of the Security Insights Specification can be found in this repo within the latest version of the [official specification file](/specification.md). +## Maintenance + +Discussion and feedback should take place in [GitHub Issues](https://github.com/ossf/security-insights/issues). -Please use GitHub issues to discuss the maintenance of this specification, and review the [Contributor Guidelines](./CONTRIBUTING.md) for more information. 
+Because this specification recieves light maintenance and infrequent updates, beginning in 2025 we ask that you follow the [Security Insights Enhancement Proposal](./docs/GOVERNANCE.md#security-insights-enhancement-proposals) process to explore potential changes to the specification. diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml deleted file mode 100644 index a827276..0000000 --- a/SECURITY-INSIGHTS.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -header: - schema-version: 1.0.0 - last-updated: '2023-09-28' - last-reviewed: '2023-09-28' - expiration-date: '2024-09-28T01:00:00.000Z' - project-url: https://github.com/ossf/security-insights-spec - project-release: '1.0.0' -project-lifecycle: - status: active - bug-fixes-only: false - core-team: - - contact: github:luigigubello - - contact: github:eddie-knight -contribution-policy: - accepts-pull-requests: true - accepts-automated-pull-requests: true - code-of-conduct: https://openssf.org/community/code-of-conduct -documentation: -- https://github.com/ossf/security-insights-spec/blob/main/specification.md -distribution-points: -- https://github.com/ossf/security-insights-spec -security-artifacts: - threat-model: - threat-model-created: true - evidence-url: - - https://github.com/ossf/security-insights-spec/blob/main/docs/threat-model.md -security-testing: -- tool-type: sca - tool-name: Dependabot - tool-version: latest - integration: - ad-hoc: false - ci: true - before-release: true - comment: | - Dependabot is enabled for this repo. -security-contacts: -- type: email - value: security@openssf.org -vulnerability-reporting: - accepts-vulnerability-reports: true - security-policy: https://github.com/ossf/security-insights-spec/security/policy - email-contact: security@openssf.org - comment: | - The first and best way to report a vulnerability is by using private security issues in GitHub. -dependencies: - third-party-packages: true - dependencies-lists: - - https://github.com/ossf/security-insights-spec/blob/main/validators/python/requirements.txt diff --git a/GOVERNANCE.md b/docs/GOVERNANCE.md similarity index 100% rename from GOVERNANCE.md rename to docs/GOVERNANCE.md diff --git a/MAINTAINERS.md b/docs/MAINTAINERS.md similarity index 100% rename from MAINTAINERS.md rename to docs/MAINTAINERS.md diff --git a/schema.cue b/schema.cue index 8a05f73..dbb07f3 100644 --- a/schema.cue +++ b/schema.cue 
@@ -16,9 +16,9 @@ import ( } #Attestation: { - name: string - location: #URL - "predicate-uri": string + name: string + location: #URL + "predicate-uri": string comment?: string } diff --git a/specification-details/aliases.md b/specification-details/aliases.md index c3e9129..050f440 100644 --- a/specification-details/aliases.md +++ b/specification-details/aliases.md @@ -1,4 +1,4 @@ -# Aliases +# Aliases _(v2.0.0)_ The following aliases are used throughout the schema for consistency. diff --git a/specification-details/header.md b/specification-details/header.md index a336a2f..c4b324b 100644 --- a/specification-details/header.md +++ b/specification-details/header.md @@ -1,4 +1,4 @@ -# `header` +# `header` _(v2.0.0)_ The `header` object captures high-level metadata about the schema. diff --git a/specification-details/project.md b/specification-details/project.md index 2770801..aa411e2 100644 --- a/specification-details/project.md +++ b/specification-details/project.md @@ -1,4 +1,4 @@ -# `project` +# `project` _(v2.0.0)_ The `project` object describes the overall project, including basic info, documentation links, repositories, vulnerability reporting, and security details. diff --git a/specification-details/repository.md b/specification-details/repository.md index 15d9da3..3011f35 100644 --- a/specification-details/repository.md +++ b/specification-details/repository.md @@ -1,4 +1,4 @@ -# `repository` +# `repository` _(v2.0.0)_ The `repository` object specifies repository-related configurations, including status, policies, team members, documentation, license, releases, and security posture. diff --git a/template-full.yml b/template-full.yml index 4a1bae8..b13dadf 100644 --- a/template-full.yml +++ b/template-full.yml @@ -1,5 +1,5 @@ header: - schema-version: 1.0.0 + schema-version: 2.0.0 last-updated: '2021-09-01' last-reviewed: '2022-09-01' url: https://foo.bar/foo/bar diff --git a/template-minimum.yml b/template-minimum.yml index bb839ac..1fd9755 100644 
--- a/template-minimum.yml +++ b/template-minimum.yml @@ -1,5 +1,5 @@ header: - schema-version: 1.0.0 + schema-version: 2.0.0 last-updated: '2021-09-01' last-reviewed: '2022-09-01' url: https://foo.bar/kubernetes/kubernetes From eaf516777d1ad06a9498ab09507f03fbf84f523e Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 30 Dec 2024 16:26:08 -0600 Subject: [PATCH 2/4] Added release info to this repo's SI file Signed-off-by: Eddie Knight --- .github/security-insights.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/security-insights.yml b/.github/security-insights.yml index 29c790a..0e9241d 100644 --- a/.github/security-insights.yml +++ b/.github/security-insights.yml @@ -43,3 +43,8 @@ repository: documentation: contributing-guide: https://github.com/ossf/security-insights-spec/blob/main/.github/CONTRIBUTING.md governance: https://github.com/ossf/security-insights-spec/blob/main/docs/GOVERNANCE.md + release: + automated-pipeleine: false + distribution-points: + - uri: https://github.com/ossf/security-insights-spec/releases + comment: GitHub Release Page From b6b7ed6a4ff3529f69169fed9aeff48494f0b572 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 30 Dec 2024 16:57:34 -0600 Subject: [PATCH 3/4] Updated readme Signed-off-by: Eddie Knight --- SECURITY.md => .github/SECURITY.md | 0 README.md | 9 ++++++++- 2 files changed, 8 insertions(+), 1 deletion(-) rename SECURITY.md => .github/SECURITY.md (100%) diff --git a/SECURITY.md b/.github/SECURITY.md similarity index 100% rename from SECURITY.md rename to .github/SECURITY.md diff --git a/README.md b/README.md index 3ccd0cb..a65492c 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ The data tracked within this specification is intended to fill the gaps between Projects should include a `security-insights.yml` file in the root of their repository, or in the appropriate source forge directory such as `.github/` or `.gitlab/`. Users should assume the contents of that file will be updated any time the relevant information changes. -To ensure you are adhering to an official version of the specification, please refer to the [latest release](https://github.com/ossf/security-insights/releases/latest). +To ensure you are adhering to an official version of the specification, please refer to the `specification.md` in the [latest release](https://github.com/ossf/security-insights/releases/latest), which is a versioned compilation of all details. This repository often remains unchanged from the latest release, but may diverge as incremental development takes place in preparation for an upcoming release. Any differences between the latest release and the main branch should only be considered previews of the next release. @@ -18,6 +18,13 @@ As the adoption of Security Insights grows, so does the opportunity to automatic ## Maintenance +The specification maintenance occurs in the following places: + +- `specification/`: Contains markdown details for all specification values +- `schema.cue`: Contains the CUE schema that can be used to validate files against the specification +- `template-full.yml`: Contains a template that includes all possible fields +- `template-minimal.yml`: Contains a template that includes only the required fields + Discussion and feedback should take place in [GitHub Issues](https://github.com/ossf/security-insights/issues). Because this specification recieves light maintenance and infrequent updates, beginning in 2025 we ask that you follow the [Security Insights Enhancement Proposal](./docs/GOVERNANCE.md#security-insights-enhancement-proposals) process to explore potential changes to the specification. 
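Review bot: the new `.github/security-insights.yml` in PATCH 1 declares `schema-version: 1.0.0` while the same patch bumps `template-full.yml` and `template-minimum.yml` to `2.0.0` and the file itself uses the v2 layout (`header` / `project` / `repository`), so the project's own example file would fail a v2 schema check; set it to `2.0.0`. The `last-updated: '2021-09-01'` and `last-reviewed: '2022-09-01'` values are the placeholder dates from `template-full.yml`, not this commit's date, and anyone reading the file would take them as real review dates. `no-third-party-packages: true` also contradicts the deleted `SECURITY-INSIGHTS.yml`, which declared `third-party-packages: true` and pointed at a `requirements.txt` dependency list, and the `evidence:` link drops the `.md` from the old `docs/threat-model.md` path.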
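Review bot: `recieves` in the last added line of the PATCH 1 README hunk should be `receives`. Both new links point at `github.com/ossf/security-insights/...` while every URL in the new `security-insights.yml` uses `ossf/security-insights-spec`; one of the two is wrong. The removed line was the only link to the contributor guidelines, which this patch moves to `.github/CONTRIBUTING.md`; the new Maintenance section should link there so contributors can still find it.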
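Review bot: deleting `SECURITY-INSIGHTS.yml` from the repository root drops self-reported data that has no counterpart in the new `.github/security-insights.yml`: the `security-contacts` email, the `security-policy` URL, the `code-of-conduct` link, the Dependabot `security-testing` entry and the `dependencies-lists` pointer. If v2 has fields for these, carry them over; if it deliberately does not, say so in the commit message. Consumers that look for the v1 file name at the root will also stop finding anything, so the move to `.github/` belongs in the release notes.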
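Review bot: the `#Attestation` hunk in `schema.cue` is whitespace-only realignment of three fields with no change to the schema; it is unrelated to the release preparation this commit describes and would be easier to review in its own formatting commit, ideally produced by `cue fmt` over the whole file so alignment is consistent everywhere.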
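Review bot: the four heading hunks hard-code `_(v2.0.0)_` into `aliases.md`, `header.md`, `project.md` and `repository.md`, so every future release has to edit each file and they can drift from one another (this very series leaves the repository's own file at `schema-version: 1.0.0`). Since the PATCH 3 README says the release ships a versioned `specification.md` compilation, the version string belongs in that compiled artifact, or in one place it is read from, rather than in each page heading.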
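Review bot: `template-full.yml` and `template-minimum.yml` move to `schema-version: 2.0.0` but keep `last-updated: '2021-09-01'` and `last-reviewed: '2022-09-01'`; the same dates were copied verbatim into the repository's own `.github/security-insights.yml` in this patch, which shows how easily adopters will ship them as real review dates. Consider obviously fake values or a comment marking them as placeholders.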
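Review bot: `automated-pipeleine` in the `release:` block added by PATCH 2 is misspelled. A CUE definition is closed by default, so validation against `schema.cue` should reject the unknown key, and if the struct is open the `false` is silently ignored instead; either way the value is never read as intended. Check the field name against `schema.cue` before merging.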
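Review bot: the new bullet list in the PATCH 3 README hunk names `template-minimal.yml`, but the file in this repository (see the PATCH 1 hunk) is `template-minimum.yml`; fix the name or rename the file. The list also points at `specification/`, which does not exist until PATCH 4 renames `specification-details/`, so at this commit the README is wrong; reorder or squash the two commits. The `recieves` typo in the retained context line is still present.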
From 0f6dd6ab72eeaba2a706c98a98c4a42d6513d8a2 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Mon, 30 Dec 2024 16:58:56 -0600 Subject: [PATCH 4/4] changed specification dir name Signed-off-by: Eddie Knight --- {specification-details => specification}/aliases.md | 0 {specification-details => specification}/header.md | 0 {specification-details => specification}/project.md | 0 {specification-details => specification}/repository.md | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename {specification-details => specification}/aliases.md (100%) rename {specification-details => specification}/header.md (100%) rename {specification-details => specification}/project.md (100%) rename {specification-details => specification}/repository.md (100%) diff --git a/specification-details/aliases.md b/specification/aliases.md similarity index 100% rename from specification-details/aliases.md rename to specification/aliases.md diff --git a/specification-details/header.md b/specification/header.md similarity index 100% rename from specification-details/header.md rename to specification/header.md diff --git a/specification-details/project.md b/specification/project.md similarity index 100% rename from specification-details/project.md rename to specification/project.md diff --git a/specification-details/repository.md b/specification/repository.md similarity index 100% rename from specification-details/repository.md rename to specification/repository.md