This release is the culmination of more than two years of discussion led by the Open Source Security Foundation within the Identifying Security Threats Working Group. In that time, there has been significant iteration, including limited adoption and feedback from security-minded developers.
As of this release, maintenance is focused on the specification.md file, where readers may find the reasoning behind the project, information about its development, and instructions for usage. The security-insights-schema.yaml schema file is fully compatible with JSON Schema Draft-7 and allows for validation of users' SECURITY_INSIGHTS.yml documents.
Below is an overview of the pull request history from the project's first commit until this release.
What's Changed
- Enforcing schema requirements by @luigigubello in #1
- Require maintainers contacts under certain conditions by @luigigubello in #2
- Improve schema by @luigigubello in #3
- Update readme by @luigigubello in #4
- Add comment property and expiration date property by @luigigubello in #5
- Adding STRIDE Threat Model by @luigigubello in #6
- Accept international URL by @luigigubello in #7
- Add in-scope and out-scope properties in vulnerability-reporting property by @luigigubello in #8
- Add code-of-conduct by @luigigubello in #9
- Add support to SBOM standards by @luigigubello in #10
- Fix errors and improve regex for security contacts by @luigigubello in #12
- Add title and enum version in schema by @luigigubello in #15
- Add command line tool to validate or create yaml by @luigigubello in #13
- Fix some copy-paste typos by @luigigubello in #16
- Boolean value for bot-generated pull requests by @luigigubello in #17
- Add support for PURLs by @luigigubello in #21
- Add bots-list to contribution-policy by @luigigubello in #19
- Versioning policy by @luigigubello in #35
- Add Dockerfile for Python script by @luigigubello in #38
- Basic SECURITY.md by @luigigubello in #39
- Changed 'sbom-name' value to 'sbom-format' by @eddie-knight in #34
- Security Artifacts Schema Change by @eddie-knight in #32
- removed .DS_Store by @eddie-knight in #43
- Removed requirements for some header values by @eddie-knight in #44
- Added sbom-creation value by @eddie-knight in #45
- Extend dependencies schema by @luigigubello in #46
- Add release-cycle and release-process by @luigigubello in #47
- Change type object to array by @luigigubello in #48
- Change from stage to status and add more status. by @luigigubello in #52
- Document the specification in markdown format by @eddie-knight in #37
- Adjusted comment handling for vulnerability reporting by @eddie-knight in #56
- Moved threat model docs by @eddie-knight in #55
- Create SECURITY-INSIGHTS.yml by @scovetta in #51
- Removed parent-security-insights from spec by @eddie-knight in #57
- Added LICENSE.md to cover spec and code by @eddie-knight in #50
- Changed security contact emails by @eddie-knight in #59
- Simplified README.md & moved content to intro by @eddie-knight in #60
- Removed tooling from spec repo by @eddie-knight in #61
- Added simple contribution policy by @eddie-knight in #63
- Rename schema to security-insights-schema.yaml by @eddie-knight in #65
New Contributors
- @luigigubello made their first contribution in #1
- @eddie-knight made their first contribution in #34
- @scovetta made their first contribution in #51
Full Changelog: https://github.com/ossf/security-insights-spec/commits/v1.0.0