-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open SSF Best Practices Regular #1957
Comments
Remaining pieces for auditing purposes:
Security specific for Secrets SDK - CLI Squad needs to take a look @adam-wolfe
|
I've added responses after the bullet points: Security specific for Secrets SDK - CLI Squad needs to take a look @adam-wolfe
Within the context of the Secrets for Zowe SDK (keytar replacement), we simply interact via standard APIs with the Windows credential manager, MacOS keychain, and libsecret on Linux/BSD systems. Zowe CLI and the Secrets SDK do not do anything cryptographically.
Zowe CLI and the Secrets SDK do not re-implement any cryptographic functions.
Zowe CLI does not rely on proprietary/closed source cryptographic functions.
According to https://www.npmjs.com/package/ssh2, the package we use for handling ssh comms, indicates that the default list of ciphers does not include CBC ciphers. We do not override the defaults, so I think we are fine.
I do not think that this applies to Zowe CLI. We do not generate keys or do anything like this.
I think this requirement is intended more for websites/apps that external users log in to. Since only the local user will be storing passwords using Zowe CLI and the secrets SDK, I think N/A is valid for this requirement.
Zowe CLI and the secrets SDK do not generate cryptographic keys. |
Thanks @adam-wolfe for the thorough analysis. Added it to the table. Current state of remaining pieces for auditing purposes:
|
Prepare a space within the Community repo that will document that we are achieving the regular Best Practices badge and that can be used for auditing purposes.
The text was updated successfully, but these errors were encountered: