sethmlarson

SLSA + Python Notes

Created example project: https://github.com/sethmlarson/python-slsa-release-test

Python doesn't have a specific builder yet. Only have source attestation using the generic builder. Used: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

Attestation "subject.name" is taken as input from sha256sum, so check the output of that to ensure it's what you want (ie package.tar.gz vs dist/package.tar.gz) For this I had to include a cd dist/ && before the sha256sum * call. Not sure where this matters though?

Success:

sethmlarson

PSF CNA Onboarding

CNA Onboarding Videos

Watch all the informational videos from the CNA onboarding documentation. Approximately an hour of content about the program, becoming a CNA, assigning CVE IDs, and creating CVE records. Slides are available on the website.

• CVE Program Overview (5 minutes)
• Becoming a CNA (15 minutes)
• Assigning CVE IDs (26 minutes)

sethmlarson

# MIT License
#
# Copyright (c) 2023 Seth Michael Larson
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:

sethmlarson

"""
Simple script for constructing small XAR files.
License: CC0-1.0
"""

import datetime
import gzip
import hashlib
import io
import struct

sethmlarson

"""JSON serializer for Elasticsearch Python client that
uses the 'orjson' library for performance.

https://github.com/ijl/orjson
"""

# Implement the Serializer.loads() and .dumps() APIs w/ orjson:
import orjson
from elasticsearch import SerializationError, JSONSerializer

sethmlarson