Comments (7)
Oh, it was github's fault. Re-running the job solved the issue, sorry, just ignore the comment. Thanks!
from little-cms.
Hi Diogo, thanks for your contribution.
Just a couple of quick questions:
- Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
- Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
- Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)
Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?
Thanks
Marti
from little-cms.
Hi Marti,
- Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
- Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
- Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)
-
No. The OSV Scanner will work as part of the Scorecard Action, analysing your repo through public GitHub APIs and showing the results at your Security Panel.
-
No, Scorecards won't require any kind of annotation -- although there is an issue with this idea. After using Scorecard Action, you'll be able to dismiss any false-positives directly on the Security Panel. Then they would not bother you anymore.
-
Don't worry, the action wouldn't send you any emails haha All the notifications are intended to be shown directly on GitHub
Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?
I'm Sorry for that, Marti. I have some contact with the SOS team and have already contacted them. I'll get back to you as soon as I have any information.
from little-cms.
Hello Diogo,
That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality. Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.
Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.
from little-cms.
That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality.
Awesome, I'll raise the PR shortly.
Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.
Absolutely, Marti! Your points are totally valid and I really appreciate your patience and time to consider the tool and talk to me about your concerns. Even after adopting the tool, please feel free to reach me for any questions or feedback and I'll be more than happy to help =)
Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.
For this I'm afraid I won't be able to help much, though. I've contacted the SOS team and they said they'll look into your email, but they also confessed that there is a long backlog of requests. So unfortunately might not be a short reply.
from little-cms.
Hello @diogoteles08
Sorry to bother you, but after activating the scorecard all commits fail. I traced the scorecard parsing is failing with following error:
2023/07/27 10:41:17 error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/mm2/Little-CMS": context deadline exceeded
Is anything I can do aside disabling scorecard? Thanks!
from little-cms.
Hey @mm2! You're not bothering at all -- I'd be happy to get any feedback. Anyways, I'm also happy to know it worked out 😄
Also, I'm honestly not sure it has any relation with your issue, but you might want to take a look on the possibility of running Scorecard with an specific fine grained token. Although it shouldn't change much how it's already working, I forgot to mention in this issue that this PAT is required to completely evaluating checks such Branch-Protection
and (experimental) Webhooks
.
from little-cms.
Related Issues (20)
- version mismatch in some files HOT 1
- 2.16: meson falis HOT 6
- Simple Question: How do I get "cmsICCMeasurementConditions" data in IccProfile? HOT 2
- lcms2-2.16 crashes transforming sRGB float to planar uint16 HOT 9
- Eval4Inputs optimisation HOT 5
- CI: use a dependency update tool to keep GitHub Actions updated
- website blog doesn't announce 2.16 release HOT 1
- Backwards incompatible API-change in 2.16 HOT 5
- The fast float plugin doesn't premultiply alpha HOT 1
- Plugins lack soversion when configured with meson
- Possible NPD in cmsCreate_OkLabProfile HOT 2
- FTBFS since commit c429e37 wrt type checking on pointer types HOT 2
- ICC profile with CICP tag HOT 14
- Unable to find program in file system after install HOT 4
- Overflow checks in cmsCreateExtendedTransform HOT 1
- CIE XYZ D65 profile HOT 5
- Non-equidistant planes in DoTransformLineStride HOT 1
- cmsCreateTransform returns nullptr in 2.16, but works in 2.15- HOT 6
- The build system seems to have obsolete zlib support HOT 1
- MD5 computation of Profile ID seems to zero wrong header field HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from little-cms.