From b3cb6c72d16154a96a17efb5e72facb1b6a5b634 Mon Sep 17 00:00:00 2001 From: Jonah Kowall Date: Sat, 4 Nov 2023 00:53:45 +0200 Subject: [PATCH] Update self-assesment, security-insights, and security.md file for passing CLOMonitor checks ## Description of the changes Updating security files with more details to enable passing CLOMonitor checks. ## How was this change tested? Testing not needed, text only ## Checklist - [X] I have read https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md - [X] I have signed all commits - [Not Needed] I have added unit tests for the new functionality - [Not Needed] I have run lint and test steps successfully --------- Signed-off-by: Jonah Kowall Co-authored-by: Yuri Shkuro Co-authored-by: Matthieu MOREL --- SECURITY-INSIGHTS.yml | 2 ++ SECURITY.md | 2 +- SELF-ASSESMENT.md | 38 ++++++++++++++++++++++++++++++++------ 3 files changed, 35 insertions(+), 7 deletions(-) diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index 0630b6b0b2d..c0289d5b452 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -62,3 +62,5 @@ dependencies: sbom-url: https://github.com/anchore/sbom-action dependencies-lifecycle: policy-url: https://github.com/jaegertracing/jaeger/blob/main/SECURITY.md#security-patch-policy + env-dependencies-policy: + policy-url: https://github.com/jaegertracing/jaeger/blob/main/SECURITY.md#dependency-policy \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index 8a08214a235..6e19a5fa1ca 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,7 +10,7 @@ Security fixes are given priority and might be enough to cause a new version to CVEs in Jaeger code will be patched in the newest Jaeger releases. -### Dependencies Lifecycle Policy +### Dependency Policy Dependencies are evaluated before being introduced to ensure they: diff --git a/SELF-ASSESMENT.md b/SELF-ASSESMENT.md index 805c9855e41..7a786b6009b 100644 --- a/SELF-ASSESMENT.md +++ b/SELF-ASSESMENT.md 
@@ -1,9 +1,9 @@ -# Jaeger Self-Assessment -​ -This is a placeholder document for the Jaeger project self-assessment. More details of what this will turn into can be found in the [TAG-Security documented standards.](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md) ​ +# Self-assessment + +# Self-assessment outline + +## Table of contents -## Table of Contents -​ * [Metadata](#metadata) * [Security links](#security-links) * [Overview](#overview) @@ -17,4 +17,30 @@ This is a placeholder document for the Jaeger project self-assessment. More deta * [Project compliance](#project-compliance) * [Secure development practices](#secure-development-practices) * [Security issue resolution](#security-issue-resolution) -* [Appendix](#appendix)## Table of Contents \ No newline at end of file +* [Appendix](#appendix) + +## Metadata + +| | | +| -- | -- | +| Software | https://github.com/jaegertracing/jaeger/ | +| Security Provider | No | +| Languages | Go | +| SBOM | [Software bill of materials](https://github.com/jaegertracing/jaeger/releases/latest/download/jaeger-SBOM.spdx.json) | +| | | + +### Security links + +Provide the list of links to existing security documentation for the project. You may +use the table below as an example: +| Doc | url | +| -- | -- | +| Security file | https://github.com/jaegertracing/jaeger/blob/main/SECURITY.md | + +## Overview + +See [README](https://github.com/jaegertracing/jaeger/#jaeger---a-distributed-tracing-system) + +### Background + +See [README](https://github.com/jaegertracing/jaeger/#jaeger---a-distributed-tracing-system)
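Review bot: the new `env-dependencies-policy.policy-url` in the SECURITY-INSIGHTS.yml hunk points at `#dependency-policy`, an anchor that only exists because the SECURITY.md hunk in this same patch renames the heading to `### Dependency Policy`; the two files must land together, so keep them in one commit rather than splitting the patch. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); add one so the next append to this list does not show up as a noisy two-line diff.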
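Review bot: renaming `### Dependencies Lifecycle Policy` to `### Dependency Policy` in SECURITY.md changes the GitHub-generated anchor from `#dependencies-lifecycle-policy` to `#dependency-policy`, so any existing external link to the old anchor stops resolving; the new link in SECURITY-INSIGHTS.yml uses the new anchor, but the `dependencies-lifecycle` entry in the same file still points at `#security-patch-policy` rather than this section, and the description of the changes should mention the rename so anyone maintaining links to the old heading can update them.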
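Review bot: the first SELF-ASSESMENT.md hunk produces two top-level headings, `# Self-assessment` immediately followed by `# Self-assessment outline`, and drops the project name from the title; keep a single H1 such as `# Jaeger Self-Assessment` and either demote the outline heading to `##` or remove it, since `## Table of contents` already serves that purpose. The removed link to the TAG-Security self-assessment guide is the reference for this document's structure and is worth keeping in an introductory sentence under the title.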
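Review bot: the `### Security links` section in the second SELF-ASSESMENT.md hunk still carries the template's instruction text ("Provide the list of links to existing security documentation for the project. You may use the table below as an example:"), which should be removed before this is published as the project's own assessment; the table that follows also needs a blank line before it so that Markdown renderers which require one treat it as a table rather than as a continuation of the paragraph. Two smaller points: the `## Metadata` table has an empty header row (`| | |`) and an empty trailing row, so give it real column headers (for example `| Item | Value |`) and drop the empty row; and `### Security links` and `### Background` are H3 headings while the table of contents lists `Security links` as a top-level entry next to `Metadata`, so the heading levels and the TOC should agree. Finally, `## Overview` and `### Background` each consist only of "See README"; a one-paragraph summary of what Jaeger is and which components it ships would let a reader follow the rest of the assessment without leaving the document.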