From c5a04e8e90b4b60498abc466d9b17709a58a46d4 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Mon, 6 Nov 2023 07:23:46 -0600
Subject: [PATCH] Added dependencies policy (#3456)

Extended SECURITY-INSIGHTS.yml for CLOMonitor score

Signed-off-by: Eddie Knight
---
 CONTRIBUTING.md | 14 ++++++++++++++
 SECURITY-INSIGHTS.yml | 3 +++
 2 files changed, 17 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 2b70e9fb..33a69ade 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -82,3 +82,17 @@ Date: Thu Feb 2 11:41:15 2018 -0800
 Notice how the `Author` and `Signed-off-by` lines match. If they do not match the PR will be rejected by the automated DCO check. If more than one person contributed to a commit than there can be more than one `Signed-off-by` line where each line is a signoff from a different person who contributed to the commit.
+
+
+## Dependencies Policy
+
+Dependencies must be evaluated before being introduced to ensure they:
+
+1) are actively maintained
+2) are maintained by trustworthy maintainers
+
+These evaluations vary from dependency to dependencies.
+
+Dependencies are also scheduled for removal if that project has been deprecated or if the project is no longer maintained.
+
+CVEs in dependencies will be patched for all supported versions if the CVE is applicable and is assessed as a high or critical severity.
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
index 44e633cb..bb2f86cf 100644
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -19,3 +19,6 @@ security-contacts:
 value: cncf-artifacthub-maintainers@lists.cncf.io
 vulnerability-reporting:
 accepts-vulnerability-reports: true
+dependencies:
+ env-dependencies-policy:
+ policy-url: https://github.com/artifacthub/hub/blob/master/CONTRIBUTING.md#dependencies-policy
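Review bot: The `policy-url` added at the end of the SECURITY-INSIGHTS.yml hunk points at the `master` branch and relies on the `#dependencies-policy` fragment, so the link resolves to whatever the section says at read time and breaks silently if the `## Dependencies Policy` heading introduced in the CONTRIBUTING.md hunk is ever renamed. A short comment next to the entry would make that coupling visible to the next maintainer, e.g. `# fragment must match the "## Dependencies Policy" heading in CONTRIBUTING.md`. The nesting of `env-dependencies-policy` under `dependencies` and of `policy-url` under it is not verifiable from this rendering, where the leading indentation appears to have been collapsed; it is worth a yamllint pass on the committed file to confirm the three keys nest as intended. The whole `dependencies` mapping is added within this hunk, so nothing of it lies outside the visible lines.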