docs: Add SECURITY.md#102

Closed
lurtz wants to merge 1 commit into
eclipse-score:mainfrom
elektrobit-contrib:add-security-policy
Conversation

@lurtz lurtz commented Jul 1, 2026

Contributor

Eclipse asked us to add SECURITY.md to S-CORE: https://www.eclipse.org/lists/eclipse.org-committers/msg01582.html

Let's start with the module_template and spread it to other repos if agreed on.

@masc2023 masc2023 left a comment

Contributor

We now already have 3 PRs about that; see the score and .github folders:

eclipse-score/score#3054

eclipse-score/.github#79

Comment thread SECURITY.md
Comment on lines +60 to +67
<!-- ## Supported Versions -->

<!--
Which releases of the project's software are actively maintained and receive security updates?
-->
<!-- Supported versions are:

* there are no supported versions of this project yet -->
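Review bot: the whole "Supported Versions" section is wrapped in HTML comments, so the rendered SECURITY.md states nothing about which versions receive security fixes. If the list is to be maintained centrally, as the author proposes (the score repo or reference_integration), replace the commented block with a one-line pointer to that location rather than leaving the section invisible; otherwise a reporter has no way to tell whether the version they are testing is in scope.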

Contributor Author

Commented because we need a central place for this. Otherwise we have to maintain this list in many repos. My proposal is to point to either the score repo or reference_integration.

Comment thread SECURITY.md
Instead, report it using one of the following ways:

* Create a [confidential issue](https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability) in the Eclipse Foundation Vulnerability Reporting Tracker
* Report a [vulnerability](https://github.com/eclipse-score/score/security/advisories/new) directly via private vulnerability reporting on GitHub <!-- EDIT THIS LINE IF YOUR PROJECT USES GITHUB ADVISORIES; DELETE IT OTHERWISE -->
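Review bot: the trailing `<!-- EDIT THIS LINE IF YOUR PROJECT USES GITHUB ADVISORIES; DELETE IT OTHERWISE -->` on the second bullet is unresolved template text and should be dropped before merge, keeping the bullet only if GitHub private vulnerability reporting is actually enabled on the linked repository. Note also that the advisory link points at eclipse-score/score rather than the repository this file lives in; that matches the stated intent of collecting reports in one place, but it should be said explicitly in the text so reporters do not assume the link is a copy-paste mistake.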

Contributor Author

This would collect all S-CORE related security issues at the score repo.

github-actions Bot commented Jul 1, 2026

License Check Results

🚀 The license check job ran with the Bazel command:

bazel run --lockfile_mode=error //:license-check

Status: ⚠️ Needs Review

[License Check Output]
Extracting Bazel installation...
Starting local Bazel server (8.6.0) and connecting to it...
INFO: Invocation ID: cd22dbaf-e95b-48af-a455-ff0604035646
Computing main repo mapping: 
Loading: 
Loading: 0 packages loaded
Analyzing: target //:license-check (1 packages loaded, 0 targets configured)
Analyzing: target //:license-check (23 packages loaded, 10 targets configured)
Analyzing: target //:license-check (79 packages loaded, 10 targets configured)
Analyzing: target //:license-check (84 packages loaded, 10 targets configured)
Analyzing: target //:license-check (109 packages loaded, 347 targets configured)
Analyzing: target //:license-check (156 packages loaded, 3106 targets configured)
Analyzing: target //:license-check (157 packages loaded, 5844 targets configured)
Analyzing: target //:license-check (160 packages loaded, 8140 targets configured)
Analyzing: target //:license-check (163 packages loaded, 8151 targets configured)
Analyzing: target //:license-check (167 packages loaded, 10160 targets configured)
Analyzing: target //:license-check (168 packages loaded, 10280 targets configured)
INFO: Analyzed target //:license-check (169 packages loaded, 11859 targets configured).
[11 / 16] [Prepa] Expanding template external/score_tooling+/dash/tool/formatters/_dash_format_converter.venv/lib/python3.12/site-packages/_bazel_site_init.py [for tool]
INFO: From Generating Dash formatted dependency file ...:
INFO: Successfully converted 2 packages from Cargo.lock to bazel-out/k8-fastbuild/bin/formatted.txt
[14 / 16] JavaToolchainCompileBootClasspath external/rules_java+/toolchains/platformclasspath.jar; 0s disk-cache, processwrapper-sandbox
[15 / 16] Building license.check.license_check.jar (); 0s disk-cache, multiplex-worker
INFO: Found 1 target...
Target //:license.check.license_check up-to-date:
  bazel-bin/license.check.license_check
  bazel-bin/license.check.license_check.jar
INFO: Elapsed time: 216.530s, Critical Path: 2.24s
INFO: 16 processes: 12 internal, 3 processwrapper-sandbox, 1 worker.
INFO: Build completed successfully, 16 total actions
INFO: Running command line: bazel-bin/license.check.license_check ./formatted.txt <args omitted>
usage: org.eclipse.dash.licenses.cli.Main [-batch <int>] [-cd <url>]
       [-confidence <int>] [-ef <url>] [-excludeSources <sources>] [-help] [-lic
       <url>] [-project <shortname>] [-repo <url>] [-review] [-summary <file>]
       [-timeout <seconds>] [-token <token>]

lurtz commented Jul 1, 2026

Contributor Author

We now already have 3 PRs about that; see the score and .github folders:

eclipse-score/score#3054

eclipse-score/.github#79

I like the .github approach. Thus closing this one.

@lurtz lurtz closed this Jul 1, 2026
@lurtz lurtz deleted the add-security-policy branch July 1, 2026 11:11
github-actions Bot commented Jul 1, 2026

The created documentation from the pull request is available at: docu-html
