Schema.org already has the types/properties for:
that can be leveraged to create an OSS dependency schema.
To incentivize site developers to publish their OSS dependency metadata on their websites, perhaps as a standard JSON-LD file/endpoint (similar to the DCAT-US Schema of Project Open Data, which exposes a data.json file).
See https://labs.data.gov/dashboard/offices/qa - the data.json endpoints are in the last crawl link.
And to incentivize adoption, OSS project maintainers can exhort their users to add their project to the users' OSS dependency endpoints. Apart from helping gather real-world data, they get the added side-benefit of being proactively notified when there are upgrades to, or vulnerabilities in, their software.
These dependency metrics can even be used to power a Criticality Badge (ossf/wg-securing-critical-projects#20)
And even for internal sites that are not exposed on the web, the same endpoint can be used by internal security systems to compile their systems inventory.
To prevent bad actors from using the same endpoint for ill use, release metadata can be marked optional.
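The sketch below is an added example, not code from the issue author or from the OpenSSF working group: it shows what one such JSON-LD endpoint could look like and how a consumer would use it for the two purposes the issue names (an internal systems inventory, and proactive vulnerability notification). The schema.org terms SoftwareApplication, SoftwareSourceCode, codeRepository and version are real; publishing the dependency list as `softwareRequirements` holding SoftwareSourceCode objects is an assumption of this example, as are the site URLs, package names and the ADV-000x advisory IDs, which are constructed and describe no real vulnerability. The `include_versions` switch is the "release metadata can be marked optional" point: the public copy omits exact versions so it does not hand an attacker a map of deployed builds, and a consumer that sees a matching repository without a version reports it as unconfirmed instead of silently assuming it is safe.

```python
"""Hypothetical OSS dependency endpoint: build the JSON-LD document a site would
serve, optionally withholding versions for the public copy, then consume it
against a constructed advisory feed (example code, not the project's own)."""
import json
from typing import Dict, List, Tuple

# Constructed sample inventory for one site (hypothetical names and URLs).
DEPENDENCIES = [
    {"name": "example-router", "version": "2.4.1",
     "repo": "https://github.com/example-org/example-router"},
    {"name": "example-templating", "version": "0.9.3",
     "repo": "https://github.com/example-org/example-templating"},
    {"name": "example-auth", "version": "5.0.0",
     "repo": "https://github.com/example-org/example-auth"},
]

# Constructed advisory feed (hypothetical IDs; not real vulnerabilities).
ADVISORIES = [
    {"id": "ADV-0001", "repo": "https://github.com/example-org/example-router",
     "fixed_in": "2.4.2"},
    {"id": "ADV-0002", "repo": "https://github.com/example-org/example-auth",
     "fixed_in": "4.9.0"},
]


def build_endpoint(site_url: str, deps: List[Dict[str, str]],
                   include_versions: bool) -> Dict:
    """Build the JSON-LD document a site would serve at its dependency endpoint.

    SoftwareApplication, SoftwareSourceCode, codeRepository and version are
    schema.org terms; listing SoftwareSourceCode objects under
    softwareRequirements is an assumption of this example. With
    include_versions=False the optional release metadata is withheld, so the
    public copy does not reveal which exact build is deployed.
    """
    requirements = []
    for dep in deps:
        entry = {"@type": "SoftwareSourceCode",
                 "name": dep["name"],
                 "codeRepository": dep["repo"]}
        if include_versions:
            entry["version"] = dep["version"]
        requirements.append(entry)
    return {"@context": "https://schema.org",
            "@type": "SoftwareApplication",
            "url": site_url,
            "softwareRequirements": requirements}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) for ordering; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def check_advisories(doc: Dict, advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Consume a fetched document and report (dependency, advisory id, status).

    status is 'affected' when a published version is below fixed_in, and
    'unknown-version' when the site withheld versions, so the consumer must
    confirm out of band rather than assume the dependency is patched.
    Dependencies with no matching advisory, or already at/after fixed_in,
    produce no finding.
    """
    if doc.get("@context") != "https://schema.org":
        raise ValueError("not a schema.org JSON-LD document")
    by_repo = {a["repo"]: a for a in advisories}
    findings = []
    for req in doc.get("softwareRequirements", []):
        adv = by_repo.get(req.get("codeRepository"))
        if adv is None:
            continue
        version = req.get("version")
        if version is None:
            findings.append((req["name"], adv["id"], "unknown-version"))
        elif parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append((req["name"], adv["id"], "affected"))
    return findings


def leaks_versions(doc: Dict) -> bool:
    """Pre-publication check for the public copy: True if any entry carries a version."""
    return any("version" in r for r in doc.get("softwareRequirements", []))


if __name__ == "__main__":
    public = build_endpoint("https://www.example.org", DEPENDENCIES, include_versions=False)
    internal = build_endpoint("https://intranet.example.org", DEPENDENCIES, include_versions=True)
    print(json.dumps(public, indent=2))  # what the public endpoint would serve
    print("public copy leaks versions:", leaks_versions(public))
    print("internal inventory findings:", check_advisories(internal, ADVISORIES))
    print("public endpoint findings:", check_advisories(public, ADVISORIES))
```

Run stand-alone it prints the public document, then reports example-router as affected from the internal (versioned) copy, and both matching dependencies as unknown-version from the public copy. The `leaks_versions` check is the gate an internal pipeline would apply before pushing the public file; the internal copy, used only by the site's own security tooling to compile its inventory, keeps the versions.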