During the xz util vulnerability response, OSSF staff asked TAC if each OSSF project had an SBOM to use to analyze to see if any OSSF projects were vulnerable. I think this is a very relevant question. I have started #306 to start driving towards this best practice to create and maintain inventories for OSSF projects for any downstream consumer to use, one of which could be OSSF.
I would like to have a follow-up conversation between the TAC and OSSF staff about future incidents: whether this incident response is a capability the OSSF should stand up, who should own and maintain the process, and how the TAC can help support it by asking projects to capture those inventories in an SBOM that could be leveraged by an OSSF program for consumption and analysis.
If so, in the OSSF vuln response program, each SBOM could be consumed as an inventory into a centralized dependency location, such as an OSSF instance of GUAC, to analyze if any OSSF projects had the xz util CVE. This would empower OSSF staff to provide a coordinated response on behalf of OSSF stating any impact to OSSF.
Perhaps this could also be added to GUAC PoC #266 to demonstrate the connection between upstream OSS SBOMs and a downstream end user consuming the inventory, wrapping a process around the inventory to identify vulnerabilities as they occur over time.
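The inventory-then-query flow proposed in this issue, as an added example that is not part of the issue or of GUAC: it ingests CycloneDX JSON SBOMs from several projects into one index and asks which projects ship an affected version of a package. The SBOMs, project names, and the advisory record (its id and affected versions) are constructed placeholders, not real OSSF data or a real advisory.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs (CycloneDX JSON shape, trimmed to what the check needs).
SBOMS = {
    "project-a": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "xz", "version": "5.6.1", "purl": "pkg:generic/xz@5.6.1"},
            {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        ],
    }),
    "project-b": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "xz", "version": "5.4.6", "purl": "pkg:generic/xz@5.4.6"},
        ],
    }),
}

# Hypothetical advisory record: id and affected versions are placeholders, not
# taken from any real advisory.
ADVISORY = {"id": "CVE-PLACEHOLDER", "package": "xz",
            "affected_versions": {"5.6.0", "5.6.1"}}

def build_inventory(sboms):
    """Map (component name, version) -> set of projects whose SBOM lists it."""
    inventory = defaultdict(set)
    for project, raw in sboms.items():
        bom = json.loads(raw)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{project}: unsupported SBOM format")
        for comp in bom.get("components", []):
            inventory[(comp["name"], comp.get("version", ""))].add(project)
    return inventory

def affected_projects(inventory, advisory):
    """Projects carrying an affected version of the advisory's package, sorted."""
    hits = set()
    for (name, version), projects in inventory.items():
        if name == advisory["package"] and version in advisory["affected_versions"]:
            hits |= projects
    return sorted(hits)

if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    print(f"{ADVISORY['id']} impact: {affected_projects(inv, ADVISORY) or 'none'}")
```

Re-running `affected_projects` against the same inventory whenever a new advisory arrives is the "identify vulnerabilities over time" loop the issue describes; a real deployment would persist the index in GUAC rather than an in-memory dict.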