
Stop reporting problems in test code #20

Open
elharo opened this issue Mar 19, 2023 · 1 comment

Comments


elharo commented Mar 19, 2023

It is not a security issue when code creates a temp file with test data that's right there in the open source code, and then tests. These are false positives. I have yet to see even an arguable true positive in test code.

JLLeitschuh (Owner) commented Mar 19, 2023

This is absolutely the intention moving forward.

For my work in particular working with Modern, we will be attempting to only fix vulnerabilities in test code if non-test code is also impacted.

I.e., if only test code is impacted, don't generate a Pull Request. But if non-test code is impacted, apply the fix to the entire project.

I also want to make you aware that this work is moving away from being my personal Project and is now under the Open Source Security Foundation (OpenSSF): Project Alpha Omega.

I've recently accepted a job as the Senior Software Security Researcher for project Alpha Omega, and all of this work will be moving under that banner for future campaigns.

Additionally, there is a newly formed "Autofix" Special Interest Group (SIG) that has been formed under the OpenSSF Vulnerability Disclosure Working Group.

One of the projects being developed under that Autofix SIG is a proposed specification defining an "OpenSSF Compliant Automated Vulnerability Fix Campaign".

The document is very much a WIP. But if you're interested in reviewing the proposal and offering your insights and feedback, I'd like to invite you and anyone else at the ASF to do so.

https://docs.google.com/document/d/1_QwN7yQXWGM2tJaostIRNqyZIhVceVlIyXqCrSdC4E8/edit
