Track adoption of potential OpenJSF Security Program #23

Open
achrinza opened this issue May 13, 2022 · 1 comment

Comments


achrinza commented May 13, 2022

The OpenJS Foundation (OpenJSF) (and previously Node.js Foundation) has indicated plans of creating a new security program for the Node.js ecosystem, scoped more narrowly to the OpenJSF projects.

The previous Node.js Third-Party Ecosystem Security Program that was managed by the Node.js Security Working Group was scoped to:

  • Managing a HackerOne program with bounties for select npm packages
  • Managing a vulnerability database for npm packages (initially donated by NSP)

Although it's not clear at this moment what this new program would entail, it seems like it might be a lift-and-shift, but with a focus on OpenJSF projects.

This issue is to track this work of the OpenJSF and to hold discussions on its applicability to LoopBack.

see: openjs-foundation/cross-project-council#826 (comment)
see: nodejs/security-wg#662 (comment)
see: nodejs/security-wg#494 (comment)
see: aboutcode-org/vulnerablecode#488 (comment)

@achrinza achrinza moved this to Current/Backlog in LoopBack Common Project Board May 13, 2022
@achrinza achrinza changed the title Adopt Potential OpenJSF Security Program Track adoption of potential OpenJSF Security Program May 14, 2022
@achrinza achrinza moved this from Current/Backlog to Icebox in LoopBack Common Project Board May 14, 2022
achrinza added a commit to loopbackio/strong-error-handler that referenced this issue Nov 9, 2023
@achrinza (Member, Author)

OpenJSF is becoming a CNA. Summary:

Currently we are using GitHub as a CNA (and IBM before that). Switching to OpenJSF would mean:

  1. We have a closer line of support with publishing and updating advisories.
    This is the recommendation by MITRE themselves: we should be using a CNA that is as closely scoped to our project as possible.

  2. We can dispute CVEs of our project published through other CNAs.
    IIRC this is why Node.js has their own CNA even though they publish CVEs via HackerOne.

As OpenJSF will also have their own security advisories database, we would need a playbook for generating and syncing any new advisories from our database to theirs:
