Naveen Srinivasan is a contributor and maintainer of multiple http://github.com/ossf/ projects, a member and contributor to the http://github.com/sigstore organization. His contributions have earned him recognition with Google Peer Bonus awards in 2021 https://twitter.com/snaveen/status/1422921438764453897 and 2022 https://twitter.com/snaveen/status/1563194155333222400. He has consistently contributed to the open-source community for an extended period, with no gaps in activity for the past two years.In addition to his technical contributions, He is a sought-after speaker at conferences, discussing topics related to supply chain security and mitigating risks in open-source software. He can be found on Twitter (@Naveen_Srini) at https://twitter.com/Naveen_Srini_.
#! /bin/sh | |
curl -O http://download.linqpad.net/preview/LINQPad4.zip | |
unzip -q -o -d /cygdrive/c/tools/ LINQPad4.zip | |
rm LINQPad4.zip |
package packager | |
import ( | |
"reflect" | |
"testing" | |
"github.com/defenseunicorns/zarf/src/types" | |
) | |
type generateValuesOverridesTestCase struct { |
hello I am Jeff Mendoza software engineer at kusari and welcome to the guacademy video series this is the first video in the series and I'm here to introduce you to guac guac is an open source project licensed with the Apache License it is a tool that helps you understand your software supply chain it stands for it stands for graph for understanding artifact composition it's sort of a database or graph that you add supporting tools to as part of the project and it collects data and insight on your supply chain and then you can use it for Discovery in that supply chain so you might ask how does a graph help with the these supply chain questions so we'll look at some diagrams to show you first we'll start with some s-bombs or software bill of materials these s-bombs cover a single service package or deliverable and then includes the other software pieces that are in that package so you can then load all of those s-bombs into guac and you can see that you have well a bunch of disparate graphs here with the root |
ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000007, Labels: [handler:HelloWorldHandler code:200] | |
ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000006, Labels: [handler:HelloWorldHandler code:200] | |
ObserveHistogram - Name: http_request_duration_seconds, Value: 0.000003, Labels: [handler:HelloWorldHandler code:200] |
scorecard --local . --show-details --format json | jq .
{
"date": "2023-02-22",
"repo": {
"name": "file://.",
"commit": "unknown"
},
"scorecard": {
Naveen Srinivasan https://github.com/naveensrinivasan
Have you ever thought about how to ensure that the open source software you're using is secure? It's easy to spend more time researching restaurant reviews than evaluating the security of a new open source dependency, but the consequences of not doing so can be far more serious. Software supply chain attacks are becoming increasingly common, and attackers are targeting vulnerabilities in dependencies early in the supply chain to amplify the impact of their attacks.
Dependency security is in the spotlight, as evidenced by a 742% average annual increase in software supply chain attacks over the past three years. As a result, consumers of open source software need to be informed about the projects they rely on to safeguard their own projects against the next major supply chain attack. Is it safe to use the dependencies
WITH top_repos AS ( | |
SELECT | |
REGEXP_REPLACE(repo.url, '^https://', '') as repo_name | |
FROM | |
`openssf.criticality_score_cron.criticality-score-v0` | |
WHERE | |
collection_date = ( | |
SELECT | |
MAX(collection_date) | |
FROM |
package main | |
import ( | |
"encoding/json" | |
"fmt" | |
"io/ioutil" | |
"net/http" | |
"sync" | |
"sync/atomic" | |
) |
package main | |
import ( | |
"fmt" | |
"os" | |
"strings" | |
) | |
func main() { | |
getenvironment := func(data []string, getkeyval func(item string) (key, val string)) map[string]string { |