@martincostello, you might be interested in this PR.

Ah nice. If this works we'd be able to revert open-telemetry/opentelemetry-dotnet#6898.
- A valid OpenSSF Security Insights *manifest file* is found. The following locations are searched in order (first match wins):

  ```sh
  "security-insights.yml" # v2 (root)
  ```
Does the file name case need to change?
Yes, that's what is stated in the documentation. Technically, we could detect the version based only on the name, but I think that it could be error-prone.
Signed-off-by: Piotr Kiełkowicz <pkielkow@cisco.com>
Hi @Kielek 👋 Thank you for your PR 🙂 There are some problems with this implementation. The security insights datasource module is now mixing v1 and v2 types with suffixes. These are not fully consistent, as many types are not version suffixed and, when v2 is extended (we should, as v2 manifests validation is too permissive at the moment, and can easily mark invalid manifests as valid), there can be conflicts/collisions (or confusion, not knowing what types belong to what version). This would probably be better handled using a separate submodule for each version, plus a shared small facade. There are some other minor issues as well. We appreciate your effort, but we'd rather take care of this ourselves. I understand you filed the related issue some time ago and that this work is needed. We'll try to prioritize it and work on it as soon as possible. We (the maintainers of this project) have been focused on some other projects (especially https://github.com/cncf/open-community-groups) for the last few months, and have postponed some non-urgent requests a bit. But we'll get back to this soon 😇
@tegioz, looking forward to any progress here. Feel free to close this PR when/if needed.
Fixes: #1779
It is needed mostly to be able to work together with other cncf scanning/status tool: https://insights.linuxfoundation.org/project/opentelemetry/repository/open-telemetry_opentelemetry-dotnet/security?timeRange=past365days&start=2025-03-30&end=2026-03-30 (the source of this is under https://github.com/ossf/pvtr-github-repo-scanner).
The new tool supports v2.
To make both tools happy, it is better to bring support for the new version here.