openjs-foundation / pkg-vuln-collab-space
Project for work on improved Package Vulnerability Management & Reporting
License: Apache License 2.0
We need to pick a time for a recurring meeting. As we will be announcing the Collab Space officially around the OpenJS World Event, we should shoot for the first one being the week right after. The consensus from the folks on the kick off call was Tuesday morning is the best time. That means the first meeting would be Tuesday June 8th. To make sure we most effectively use our time I propose we start with a monthly cadence to the meetings.
First Meeting (All times PST, more timezones in the links):
Monday June 7th
8:00 am
9:00 am
10:00 am
Tuesday June 8th (All times PST, more timezones in the links)
8:00 am
9:00 am
10:00 am
Vote for as many times as you can attend. Additionally, once we get a feel for the regular attendance we can re-evaluate and do alternating times if necessary.
In README.md, in last section, there is a link to join the Slack channel and it does not work.
https://github.com/openjs-foundation/pkg-vuln-collab-space/blob/main/README.md#links--resources
Hey Everyone!
Big thanks to @rginn for scheduling the meeting time! Here is the agenda:
Zoom link: https://zoom.us/j/6263062106
Notes: https://hackmd.io/@nottherealwes/H1BPiHJCO/edit
cc @naugtur @boneskull @mhdawson @dominykas @ljharb @MarcinHoppe @rginn @darcyclarke @lirantal @JamieSlome
https://security.googleblog.com/2021/06/announcing-unified-vulnerability-schema.html
This new vulnerability schema aims to address some key problems with managing vulnerabilities in open source. We found that there was no existing standard format which:
- Enforces version specification that precisely matches naming and versioning schemes used in actual open source package ecosystems. For instance, matching a vulnerability such as a CVE to a package name and set of versions in a package manager is difficult to do in an automated way using existing mechanisms such as CPEs.
- Can be used to describe vulnerabilities in any open source ecosystem, while not requiring ecosystem-dependent logic to process them.
- Is easy to use by both automated systems and humans.
This is the gist of it:
{
    "id": string,
    "modified": string,
    "published": string,
    "withdrawn": string,
    "aliases": [ string ],
    "related": [ string ],
    "package": {
        "ecosystem": string,
        "name": string,
        "purl": string,
    },
    "summary": string,
    "details": string,
    "affects": [ {
        "ranges": [ {
            "type": string,
            "repo": string,
            "introduced": string,
            "fixed": string
        } ],
        "versions": [ string ]
    } ],
    "references": [ {
        "type": string,
        "url": string
    } ],
    "ecosystem_specific": { see spec },
    "database_specific": { see spec },
}
Here is the spec doc: https://docs.google.com/document/d/1sylBGNooKtf220RHQn1I8pZRmqXZQADDQ_TOABrKTpA/edit
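As an added example (not code from the OSV spec, the blog post or this repo) of the automated matching the schema is meant to enable, the snippet below decides whether one npm package version is covered by an advisory in the shape sketched above. It assumes the range type "SEMVER" with "introduced"/"fixed" as semver strings, "introduced": "0" meaning every release, and the "versions" list holding exact version strings; the advisory id and package name are constructed.

```javascript
// Added example, not code from the OSV spec, the blog post or this repo: decide
// whether one npm package version is covered by an advisory in the shape above.
// Assumptions: range type "SEMVER" with "introduced"/"fixed" as semver strings,
// "introduced": "0" meaning "every release", and the "versions" list holding
// exact version strings. Prerelease ordering is deliberately not modelled.

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// strcmp-style comparison of two semver strings.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` of `name` in `ecosystem` is inside any "affects" entry.
function isAffected(advisory, ecosystem, name, version) {
  if (advisory.withdrawn) return false;                 // policy: skip withdrawn entries
  if (advisory.package.ecosystem !== ecosystem) return false;
  if (advisory.package.name !== name) return false;
  for (const affect of advisory.affects || []) {
    if ((affect.versions || []).includes(version)) return true;  // exact enumeration
    for (const range of affect.ranges || []) {
      if (range.type !== 'SEMVER') continue;            // GIT/ECOSYSTEM ranges need other logic
      const intro = range.introduced;
      const afterIntro = !intro || intro === '0' || compareSemver(version, intro) >= 0;
      const beforeFix = !range.fixed || compareSemver(version, range.fixed) < 0;
      if (afterIntro && beforeFix) return true;         // half-open [introduced, fixed)
    }
  }
  return false;
}

// Constructed sample advisory (the id and package are made up for this example).
const SAMPLE_ADVISORY = {
  id: 'EXAMPLE-2021-0001',
  modified: '2021-06-01T00:00:00Z',
  published: '2021-06-01T00:00:00Z',
  package: { ecosystem: 'npm', name: 'example-pkg', purl: 'pkg:npm/example-pkg' },
  affects: [{
    ranges: [{ type: 'SEMVER', introduced: '1.2.0', fixed: '1.4.1' }],
    versions: ['2.0.0-beta.1'],
  }],
};

console.log(isAffected(SAMPLE_ADVISORY, 'npm', 'example-pkg', '1.3.7')); // true
```

Only SEMVER ranges are evaluated here; an ECOSYSTEM or GIT range would need the ecosystem-specific ordering the blog post mentions, so such ranges are skipped rather than guessed at.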
@bnb created an npm RFC PR after a recent RFC meeting. With their permission, I am sharing that issue here.
To get the collab space kicked off, we are going to be running a session at OpenJS World 2021. To get this planned, we would like to do a session sometime early next week. Our proposed agenda (open for discussion to make sure we cover the most important things):
To make sure the most folks who want to participate can attend we thought we would open up a short vote. All times are PST.
Monday May 10th
Tuesday May 10th
Vote for as many as you can attend and we will choose the best time (with the added restriction that both @darcyclarke and I can attend as the champions). We will leave this open until Friday, so get your votes in if you would like to attend.
cc @pkg-vuln-collab-space (looks like this doesn't work yet?)
@naugtur @boneskull @mhdawson @dominykas @ljharb @MarcinHoppe @rginn
One constant in this discussion has been how we align incentives across the process. Today we only seem to align on one goal: "improving security". But at what cost? Today different parts of the ecosystem make decisions without considering the impact those decisions have on other parts. I would like to provide a forum here for folks to discuss what their incentive structures are, so we can better understand where they overlap and where they diverge.
Maybe we can start here with brainstorming with some user story style perspectives, but I would like to make a doc in the repo about this at some point. I will start with my incentives: