Скачать или смотреть Lights, Camera, GitHub Action! Automating Vulnerability Disclosure Reports for Eclipse Temurin-OCX24

As software supply chain attacks and vulnerabilities become more prevalent and regulators start requiring more rigorous development processes for both open source and proprietary software, it is more important than ever to understand what components go into the software we use – and their potential vulnerabilities. This is especially important for platform-level components like Eclipse Temurin by Adoptium, the Eclipse Foundation’s open source build of the JDK. In this talk, we'll describe what a Vulnerability Disclosure Report (VDR) is, and how we create one for Temurin, incorporating data from multiple sources, including the OpenJDK Vulnerabilities Group and NIST. We'll discuss the challenges in retrieving data from these sources, and how we were able to overcome them, as well as the tooling we used from OWASP and GitHub to create a CycloneDX format vulnerability disclosure report. We’ll dive deep into how we used GitHub Actions to automate this in an easily observable manner that makes auditing the VDR creation process easy, and ensures the final product remains trustworthy.