Security self-assessment of comver¶
Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/
Table of Contents¶
- Metadata
- Overview
- Self-assessment use
- Security functions and features
- Project compliance
- Secure development practices
- Security issue resolution
- Appendix
Metadata¶
Category | Resource |
---|---|
Assessment Stage | Incomplete |
Creator | open-nudge |
Software | https://github.com/open-nudge/comver ⧉ |
Website | https://open-nudge.github.io/comver ⧉ |
Security Provider | No |
Languages | Python |
SBOM | https://github.com/open-nudge/comver/releases ⧉ |
Security links¶
Category | Resource |
---|---|
Security File | https://github.com/open-nudge/comver/blob/main/SECURITY.md ⧉ |
Security Insights | https://github.com/open-nudge/comver/blob/main/SECURITY-INSIGHTS.yml ⧉ |
Dependencies | https://github.com/open-nudge/comver/blob/main/pyproject.toml ⧉ |
Release Artifacts | https://github.com/open-nudge/comver/releases ⧉ |
Overview¶
Commit-based semantic versioning - highly configurable and tag-free.
Background¶
Tool that derives versions directly from the commit history: it neither creates nor reads git tags. Because a tag is a mutable ref that can be moved or deleted, whereas a commit's hash is fixed by its content and ancestry, a version computed from the commits is largely immutable: changing it requires rewriting history.
Usable with any language as long as the project is git based, but created in and tailored largely towards Python.
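To make the "versions from commits, no tags" idea concrete, here is an added example that is not comver's code and does not reproduce its rules or configuration. It assumes a conventional-commit style (subject starts with a type such as `feat` or `fix`, `!` or a `BREAKING CHANGE:` footer marks an incompatible change) and folds the whole history into a version. The commit messages are constructed for the example; in practice they would come from `git log`.

```python
"""Added example (not comver's implementation): derive a semantic version
from commit messages alone, so no tag is ever read or written.

Assumed scheme (an assumption, not comver's actual rules): conventional-commit
subjects, where 'feat' bumps minor, 'fix' bumps patch, and either a '!' after
the type or a 'BREAKING CHANGE:' footer bumps major.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample history, oldest first. A real run would read it with
# something like `git log --reverse --format=%s%n%b`.
SAMPLE_HISTORY = [
    "chore: initial commit",
    "feat: add parser",
    "fix: handle empty input",
    "feat!: drop python 3.8 support",
    "docs: update README",
    "fix: off-by-one in tokenizer\n\nBREAKING CHANGE: tokens are now 0-indexed",
]

# Conventional-commit subject: type, optional (scope), optional '!' for breaking.
SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(\([^)]*\))?(?P<bang>!)?:\s")


@dataclass(frozen=True)
class Version:
    major: int = 0
    minor: int = 0
    patch: int = 0

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def classify(message: str) -> str:
    """Map one commit message to 'major', 'minor', 'patch' or 'none'."""
    subject, _, body = message.partition("\n")
    m = SUBJECT_RE.match(subject)
    if m is None:
        return "none"  # not a conventional commit: no version impact
    if m.group("bang") or "BREAKING CHANGE:" in body:
        return "major"
    if m.group("type") == "feat":
        return "minor"
    if m.group("type") == "fix":
        return "patch"
    return "none"


def bump(v: Version, kind: str) -> Version:
    """Apply one bump kind to a version, resetting lower components."""
    if kind == "major":
        return Version(v.major + 1, 0, 0)
    if kind == "minor":
        return Version(v.major, v.minor + 1, 0)
    if kind == "patch":
        return Version(v.major, v.minor, v.patch + 1)
    return v


def version_from_history(messages: list[str], start: Version = Version()) -> Version:
    """Fold every commit into the version.

    The result is a pure function of the commit history: there is no tag to
    move, so only rewriting the history itself can change the outcome.
    """
    v = start
    for msg in messages:
        v = bump(v, classify(msg))
    return v


if __name__ == "__main__":
    print(version_from_history(SAMPLE_HISTORY))  # 2.0.0 for the sample history
```

Replaying the history on every run is what gives the scheme its immutability property: two clones with the same commits compute the same version, and a rebase or amended commit is immediately visible as a different version rather than silently inheriting a moved tag.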
Actors¶
- opennudge ⧉ - organization providing core security features
Actions¶
- All security features are provided by opentemplate ⧉
Goals¶
Making semantic versioning ⧉ more reliable and flexible by introducing a double versioning scheme.
Non-goals¶
Changing current software versioning standards; this project looks to build upon them and improve the weak points.
Self-assessment use¶
This self-assessment was automatically generated by the opentemplate ⧉ template to provide basic security information about the project. It should be extended by adding project-specific security information.
Important
opennudge ⧉ does not intend to provide a security audit of the project or function as an independent assessment or attestation of its security posture.
Security functions and features¶
Component | Applicability | Description of Importance |
---|---|---|
template | Critical | Base GitHub template of the repository provided by opennudge. Used to provide the initial security posture (pipelines, pre-commit, practices, hardening etc.). See open-nudge/comver ⧉ for more information |
Project compliance¶
Project tries to comply with the following security standards:
- SLSA ⧉ - L3+ if the project is public or is built from a GitHub Enterprise account with Advanced Security, L2 otherwise
- The project is currently not third-party audited or verified
Secure development practices¶
Deployment pipeline¶
The core of the deployment pipeline is based on the following tools:
- opentemplate ⧉ : see open-nudge/opentemplate ⧉ for more information
Communication channels¶
You can reach out to us by Private Security Reporting ⧉ or by:
- means of communication provided at the account level here ⧉
- opening an issue in the repository (somebody will get back to you)
Ecosystem¶
This project is a part of the Python ecosystem.
Security issue resolution¶
The open-nudge/comver ⧉ security policy is maintained in the SECURITY.md ⧉ file.
Responsible disclosure practice¶
The open-nudge/comver ⧉ project accepts vulnerability reports as outlined in the security policy defined in the SECURITY.md ⧉ file.
Incident response¶
As defined in SECURITY.md ⧉, a response should usually take up to a few working days; if you have not heard back by then, please reach out at security@opennudge.com.
Appendix¶
- Project is largely aligned with the Open Source Security Foundation best practices ⧉
- Some false negatives regarding the best practices were spotted (e.g. not using fuzzing); consult scorecard.yml for more information