
OSSF process for vulnerability incident response #307

Closed
sevansdell opened this issue Apr 4, 2024 · 1 comment

Comments

sevansdell (Contributor) commented Apr 4, 2024

During the xz util vulnerability response, OSSF staff asked the TAC whether each OSSF project had an SBOM that could be analyzed to see if any OSSF projects were vulnerable. I think this is a very relevant question. I have started #306 to start driving towards this best practice of creating and maintaining inventories for OSSF projects for any downstream consumer to use, one of which could be the OSSF.

I would like to have a follow-up conversation between the TAC and OSSF staff about future incidents: whether this incident response is a capability the OSSF should stand up, who should own and maintain the process, and how the TAC can help support it by asking projects to capture those inventories in an SBOM that could be leveraged by an OSSF program for consumption and analysis.

If so, in the OSSF vuln response program, each SBOM could be consumed as an inventory into a centralized dependency location, such as an OSSF instance of GUAC, to analyze whether any OSSF projects had the xz util CVE. This would empower OSSF staff to provide a coordinated response on behalf of the OSSF stating any impact to the OSSF.

Perhaps this could also be added to the GUAC PoC (#266) to demonstrate the connection between upstream OSS SBOMs and a downstream end user consuming the inventory, wrapping a process around the inventory to identify vulnerabilities as they occur over time.
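The "consume every project SBOM into one inventory and ask whether anything is affected" step described above, as an added example that is not part of the issue and not OSSF or GUAC code. It reads minimal CycloneDX-style SBOM documents, folds their components into one inventory keyed by package name (via the purl when present, otherwise the bare component name), and matches that inventory against an advisory with an introduced/fixed version range. The SBOMs, the advisory id (a placeholder, not the real xz CVE), and the affected version range are all constructed sample data.

```python
"""Match per-project SBOM inventories against one vulnerability advisory.

Constructed example: the SBOMs, the advisory id and the affected version
range are sample data, not a real advisory and not any OSSF project's SBOM.
"""
import re
from collections import defaultdict

# Constructed CycloneDX 1.5-style SBOMs, one per hypothetical project.
SAMPLE_SBOMS = {
    "project-a": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "xz", "version": "1.2.1",
             "purl": "pkg:generic/xz@1.2.1"},
            {"type": "library", "name": "zlib", "version": "1.3.0",
             "purl": "pkg:generic/zlib@1.3.0"},
        ],
    },
    "project-b": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "xz", "version": "1.1.9",
             "purl": "pkg:generic/xz@1.1.9"},
        ],
    },
    "project-c": {
        # No purl on this component: the matcher falls back to name/version.
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "xz", "version": "1.2.0"},
        ],
    },
}

# Constructed advisory: placeholder id and a made-up affected range
# [introduced, fixed). Real advisory data would come from a vuln feed.
ADVISORY = {
    "id": "CVE-XXXX-XXXXX",  # placeholder, not the real xz CVE
    "package": "xz",
    "introduced": "1.2.0",
    "fixed": "1.2.2",
}


def parse_version(version):
    """Turn '1.10.2' into a sortable key so that 1.10 > 1.9 and
    non-numeric suffixes (rc1, beta) sort after numeric parts."""
    key = []
    for part in re.split(r"[.\-+]", version):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def parse_purl(purl):
    """Split 'pkg:type/[namespace/]name@version' into (type, name, version).
    Qualifiers and subpaths are ignored for this example."""
    body = purl[len("pkg:"):]
    body, _, version = body.partition("@")
    version = version.split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name = rest.rsplit("/", 1)[-1]
    return ptype, name, version or None


def build_inventory(sboms):
    """Fold all project SBOMs into {package_name: [(project, version), ...]}."""
    inventory = defaultdict(list)
    for project, bom in sboms.items():
        for comp in bom.get("components", []):
            name, version = comp.get("name"), comp.get("version")
            if comp.get("purl"):
                _, name, purl_version = parse_purl(comp["purl"])
                version = purl_version or version
            if name and version:
                inventory[name].append((project, version))
    return inventory


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(inventory, advisory):
    """Return the (project, version) pairs that fall in the affected range."""
    hits = []
    for project, version in inventory.get(advisory["package"], []):
        if is_affected(version, advisory):
            hits.append({"project": project, "package": advisory["package"],
                         "version": version, "advisory": advisory["id"]})
    return sorted(hits, key=lambda h: (h["project"], h["version"]))


if __name__ == "__main__":
    for hit in find_affected(build_inventory(SAMPLE_SBOMS), ADVISORY):
        print(f"{hit['project']}: {hit['package']} {hit['version']} "
              f"affected by {hit['advisory']}")
```

The inventory is built once and queried per advisory, which is the shape of the process the issue asks for: the expensive part (collecting SBOMs from every project) happens continuously, and the per-incident question ("does anything we ship include the affected package?") becomes a lookup. A real deployment would replace the in-memory dictionary with a graph store such as GUAC and take the affected range from an advisory feed rather than a hard-coded record.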

SecurityCRob added the "question" (Further information is requested) and "Next Meeting" labels on Apr 9, 2024.
sevansdell removed the "question" (Further information is requested) and "Next Meeting" labels on May 22, 2024.
sevansdell (Contributor, Author) commented:

Closing due to lack of progress. This could be reopened if someone has time to write it up.
