Releases: ossf/security-insights-spec
v2.0.0
This release completely overhauls the specification based on feedback gained throughout 2024.
The artifacts attached to the bottom of this release contain a PDF version of the specification, two example templates, a CUE schema that can be used to validate a file's contents, and the source code at the time of release.
A Go library was added in the latest release of SI Tooling to support the programmatic ingestion of Security Insights files published on GitHub. This tooling is expected to gain additional features soon.
Read more about the work leading up to this release here: #97
What's Changed
- Fix examples by @luigigubello in #66
- SECURITY INSIGHTS v1.1 Roadmap by @luigigubello in #69
- Documentation Enhancement by @AOrps in #71
- fix: use status instead of stage by @mmorel-35 in #73
- Doc: Fix WG name by @scovetta in #78
- Replace core-maintainers with core-team by @luigigubello in #76
- Update README.md by @eddie-knight in #81
- Governance Docs by @eddie-knight in #89
- Segment specification in repo for maintainability by @eddie-knight in #82
- Fix typo in specification.md ("specificaion") by @david-a-wheeler in #92
- break: Revamped schema based on ecosystem feedback by @eddie-knight in #96
- fix: Improved clarity around required values by @eddie-knight in #98
- fix: broken links by @eddie-knight in #99
- chore: preparing for v2 release by @eddie-knight in #100
- chore: updated this repo's SI schema-version to v2.0.0 by @eddie-knight in #102
- chore: Updated this repo's SI: last reviewed date by @eddie-knight in #103
New Contributors
- @AOrps made their first contribution in #71
- @mmorel-35 made their first contribution in #73
- @david-a-wheeler made their first contribution in #92
- Feedback contributors are highlighted in the linked issues on #97
Full Changelog: v1.0.0...v2.0.0
v1.0.0
This release is the culmination of more than two years of discussion led by the Open Source Security Foundation within the Identifying Security Threats Working Group. In that time, there has been significant iteration, including limited adoption and feedback from security-minded developers.
As of this release, maintenance is focused on the specification.md file, where readers may find the reasoning behind the project, information about its development, and instructions for usage. The security-insights-schema.yaml schema file is fully compatible with JSON Schema Draft-7 and allows for validation of users' SECURITY_INSIGHTS.yml documents.
Below is an overview of the pull request history from the project's first commit until this release.
What's Changed
- Enforcing schema requirements by @luigigubello in #1
- Require maintainers contacts under certain conditions by @luigigubello in #2
- Improve schema by @luigigubello in #3
- Update readme by @luigigubello in #4
- Add comment property and expiration date property by @luigigubello in #5
- Adding STRIDE Threat Model by @luigigubello in #6
- Accept international URL by @luigigubello in #7
- Add in-scope and out-scope properties in vulnerability-reporting property by @luigigubello in #8
- Add code-of-conduct by @luigigubello in #9
- Add support to SBOM standards by @luigigubello in #10
- Fix errors and improve regex for security contacts by @luigigubello in #12
- Add title and enum version in schema by @luigigubello in #15
- Add command line tool to validate or create yaml by @luigigubello in #13
- Fix some copy-paste typos by @luigigubello in #16
- Boolean value for bot-generated pull requests by @luigigubello in #17
- Add support for PURLs by @luigigubello in #21
- Add bots-list to contribution-policy by @luigigubello in #19
- Versioning policy by @luigigubello in #35
- Add Dockerfile for Python script by @luigigubello in #38
- Basic SECURITY.md by @luigigubello in #39
- Changed 'sbom-name' value to 'sbom-format' by @eddie-knight in #34
- Security Artifacts Schema Change by @eddie-knight in #32
- removed .DS_Store by @eddie-knight in #43
- Removed requirements for some header values by @eddie-knight in #44
- Added sbom-creation value by @eddie-knight in #45
- Extend dependencies schema by @luigigubello in #46
- Add release-cycle and release-process by @luigigubello in #47
- Change type object to array by @luigigubello in #48
- Change from stage to status and add more status. by @luigigubello in #52
- Document the specification in markdown format by @eddie-knight in #37
- Adjusted comment handling for vulnerability reporting by @eddie-knight in #56
- Moved threat model docs by @eddie-knight in #55
- Create SECURITY-INSIGHTS.yml by @scovetta in #51
- Removed parent-security-insights from spec by @eddie-knight in #57
- Added LICENSE.md to cover spec and code by @eddie-knight in #50
- Changed security contact emails by @eddie-knight in #59
- Simplified README.md & moved content to intro by @eddie-knight in #60
- Removed tooling from spec repo by @eddie-knight in #61
- Added simple contribution policy by @eddie-knight in #63
- Rename schema to security-insights-schema.yaml by @eddie-knight in #65
New Contributors
- @luigigubello made their first contribution in #1
- @eddie-knight made their first contribution in #34
- @scovetta made their first contribution in #51
Full Changelog: https://github.com/ossf/security-insights-spec/commits/v1.0.0