Skip to content

Upload the Trail of Bits public security assessment report#94

Merged
SteveLasker merged 2 commits intoveraison:mainfrom
ESultanik:trail-of-bits-report
Jul 28, 2022
Merged

Upload the Trail of Bits public security assessment report#94
SteveLasker merged 2 commits intoveraison:mainfrom
ESultanik:trail-of-bits-report

Conversation

@ESultanik
Copy link
Copy Markdown
Contributor

@ESultanik ESultanik commented Jul 26, 2022

@ESultanik ESultanik changed the title Upload the Trail of Bits public security assessment report Upload the Trail of Bits public security assessment report (WIP) Jul 26, 2022
@ESultanik ESultanik marked this pull request as draft July 26, 2022 21:23
@ESultanik
Adds the Trail of Bits go-cose security assessment report
535a715 
Signed-off-by: Evan Sultanik <evan.sultanik@trailofbits.com>
@ESultanik ESultanik force-pushed the trail-of-bits-report branch from c2064ca to 535a715 Compare July 26, 2022 21:24
@ESultanik ESultanik changed the title Upload the Trail of Bits public security assessment report (WIP) Upload the Trail of Bits public security assessment report Jul 26, 2022
@ESultanik ESultanik marked this pull request as ready for review July 26, 2022 21:25
@codecov
Copy link
Copy Markdown

codecov bot commented Jul 27, 2022
edited
Loading

Codecov Report

Merging #94 (535a715) into main (689f87f) will increase coverage by 0.29%.
The diff coverage is n/a.

❗ Current head 535a715 differs from pull request most recent head 6db24d3. Consider uploading reports for the commit 6db24d3 to get more accurate results

@@            Coverage Diff             @@
##             main      #94      +/-   ##
==========================================
+ Coverage   89.48%   89.78%   +0.29%     
==========================================
  Files          10       10              
  Lines        1018     1018              
==========================================
+ Hits          911      914       +3     
+ Misses         72       69       -3     
  Partials       35       35
Impacted Files Coverage Δ
headers.go 93.05% <0.00%> (+0.90%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us.

qmuntal
qmuntal approved these changes Jul 27, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@qmuntal qmuntal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great!

yogeshbdeshpande
yogeshbdeshpande approved these changes Jul 27, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@yogeshbdeshpande yogeshbdeshpande left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@SteveLasker
Copy link
Copy Markdown
Contributor

SteveLasker commented Jul 27, 2022

Thanks @ESultanik,
The report looks great, and appreciate the links in the doc to the mitigated high and low issues that were identified.
One minor formating, ownership request:
While Microsoft commissioned the report and is supporting the veraison project, the report should reflect the veraison/go-cose project maintainers to properly give credit to the folks at ARM that initiated the effort.

Page 11
s/go-cose: Microsoft’s COSE implementation in Go.
r/The veraison project, go-cose implementation in Go.

Page 19
s/The Microsoft go-cose library is a work in progress with continuous development. Trail of Bits recommends that Microsoft address the findings detailed in this report and take the following additional steps prior to deployment:

r/The veraison/go-cose library is a work in progress with continuous development. Trail of Bits recommends the veraison project address the findings detailed in this report and take the following additional steps prior to deployment:

@ESultanik
Copy link
Copy Markdown
Contributor Author

ESultanik commented Jul 27, 2022

No problem, we will update the report and tag you here when it's ready.

@ESultanik
Updated report with attributions to Veraison
6db24d3 
Signed-off-by: Evan Sultanik <evan.sultanik@trailofbits.com>
@ESultanik
Copy link
Copy Markdown
Contributor Author

ESultanik commented Jul 27, 2022
edited
Loading

@SteveLasker I just pushed an updated version of the report. I didn't rebase this branch, so the old version is still in the git history. Let me know if you'd rather I do a rebase.

SteveLasker
SteveLasker approved these changes Jul 28, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@SteveLasker SteveLasker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @ESultanik for the updates and to the Trail of Bits team for the thorough review.

@SteveLasker SteveLasker merged commit b44ee38 into veraison:main Jul 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qmuntal qmuntal qmuntal approved these changes

@SteveLasker SteveLasker SteveLasker approved these changes

@yogeshbdeshpande yogeshbdeshpande yogeshbdeshpande approved these changes

@henkbirkholz henkbirkholz Awaiting requested review from henkbirkholz henkbirkholz is a code owner

@roywill roywill Awaiting requested review from roywill roywill is a code owner

@shizhMSFT shizhMSFT Awaiting requested review from shizhMSFT shizhMSFT is a code owner

@thomas-fossati thomas-fossati Awaiting requested review from thomas-fossati thomas-fossati is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ESultanik @SteveLasker @qmuntal @yogeshbdeshpande