Stop reporting problems in test code #20
Comments
This is absolutely the intention moving forward. For my work in particular working with Modern, we will be attempting to only fix vulnerabilities in test code if non-test code is also impacted. I.e., if only test code is impacted, don't generate a Pull Request. But if non-test code is impacted, apply the fix to the entire project. I also want to make you aware that this work is moving away from being my personal project and is now under the Open Source Security Foundation (OpenSSF): Project Alpha Omega. I've recently accepted a job as the Senior Software Security Researcher for Project Alpha Omega, and all of this work will be moving under that banner for future campaigns. Additionally, there is a newly formed "Autofix" Special Interest Group (SIG) under the OpenSSF Vulnerability Disclosure Working Group. One of the projects being developed under that Autofix SIG is a proposed specification defining an "OpenSSF Compliant Automated Vulnerability Fix Campaign". The document is very much a WIP, but if you're interested in reviewing the proposal and offering your insights and feedback, I'd like to invite you and anyone else at the ASF to do so. https://docs.google.com/document/d/1_QwN7yQXWGM2tJaostIRNqyZIhVceVlIyXqCrSdC4E8/edit
It is not a security issue when code creates a temp file with test data that's right there in the open source code, and then tests. These are false positives. I have yet to see even an arguable true positive in test code.
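The triage rule stated in the first comment (drop a campaign's findings when only test code is affected, otherwise fix every affected file in the project) can be expressed as a small filter over scanner results. The following is an added example written for this page, not code from the project, the campaign tooling, or either commenter. The path heuristics for recognising test code (`TEST_DIR_SEGMENTS`, `TEST_FILE_PATTERNS`), the `Finding` type and the constructed sample findings are all assumptions made here for illustration; the thread itself gives no file layout.

```python
import re
from dataclasses import dataclass

# Constructed path heuristics (an assumption for this example, not a rule
# from the issue thread): a file counts as test code when a directory in
# its path or its file name matches one of these conventions.
TEST_DIR_SEGMENTS = {"test", "tests", "testing", "spec", "specs", "__tests__"}
TEST_FILE_PATTERNS = [
    re.compile(r"^test_.*\.py$"),              # pytest convention
    re.compile(r".*_test\.py$"),               # alternative Python convention
    re.compile(r".*Test\.java$"),              # JUnit convention
    re.compile(r".*\.(test|spec)\.[jt]sx?$"),  # JavaScript / TypeScript
    re.compile(r".*_test\.go$"),               # Go testing package
]


@dataclass(frozen=True)
class Finding:
    rule_id: str  # scanner rule that fired, e.g. an insecure-temp-file check
    path: str     # repository-relative path of the affected file


def is_test_code(path: str) -> bool:
    """Heuristically classify a repository path as test code."""
    normalized = path.replace("\\", "/")
    segments = normalized.split("/")
    file_name = segments[-1]
    if any(seg.lower() in TEST_DIR_SEGMENTS for seg in segments[:-1]):
        return True
    return any(p.match(file_name) for p in TEST_FILE_PATTERNS)


def plan_campaign(findings):
    """Apply the thread's rule to one project's findings.

    Returns a dict with:
      'open_pr' - False when every finding is confined to test code
      'fix'     - findings to include in the pull request: all of them when
                  any non-test file is affected, none otherwise
      'skipped' - findings dropped because only test code was affected
    """
    non_test = [f for f in findings if not is_test_code(f.path)]
    if not non_test:
        return {"open_pr": False, "fix": [], "skipped": list(findings)}
    # Non-test code is impacted: fix the entire project, test files included.
    return {"open_pr": True, "fix": list(findings), "skipped": []}


# Constructed sample findings for a hypothetical insecure-temp-file rule.
SAMPLE_FINDINGS = [
    Finding("insecure-temp-file", "tests/test_upload.py"),
    Finding("insecure-temp-file", "src/project/storage.py"),
    Finding("insecure-temp-file", "src/project/__tests__/fixtures.js"),
]

if __name__ == "__main__":
    plan = plan_campaign(SAMPLE_FINDINGS)
    print("open PR:", plan["open_pr"])
    for f in plan["fix"]:
        print("  fix:", f.path)
    for f in plan["skipped"]:
        print("  skip:", f.path)
```

Because `src/project/storage.py` is non-test code, the sample run opens a pull request that also fixes the two test files; remove that finding and the same helper reports nothing to do, which is the false-positive case the second comment describes.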