├── scripts
├── requirements.txt
└── sync_overview.sh
├── docs
├── index.html
├── readme.txt
└── js
│ └── global.js
├── .github
├── dependabot.yml
├── workflows
│ ├── validate.yml
│ ├── generate-overview.yml
│ └── codeql-analysis.yml
└── settings.yml
├── SECURITY.md
├── reviews
├── npm
│ ├── clap
│ │ └── review-1.md
│ ├── file-loader
│ │ └── review-1.md
│ ├── cryo
│ │ └── review-1.md
│ ├── atom-node-module-installer
│ │ └── review-1.md
│ ├── left-pad
│ │ └── review-1.md
│ ├── iter-server
│ │ └── review-1.md
│ ├── cityhash
│ │ └── review-1.md
│ └── mime
│ │ └── review-1.md
├── nuget
│ ├── markdig
│ │ └── review-1.md
│ └── redis-64
│ │ └── review-1.md
├── github
│ ├── rook
│ │ └── rook.md
│ ├── helm
│ │ └── helm.md
│ ├── etcd-io
│ │ └── etcd.md
│ ├── standardnotes
│ │ └── snjs-sncrypto.md
│ ├── freedomofpress
│ │ └── securedrop-workstation
│ │ │ └── SecureDropWorkstation.md
│ ├── westerndigitalcorporation
│ │ └── sweet-b
│ │ │ └── sweet-b.md
│ ├── open-policy-agent
│ │ └── OPAGatekeeper.md
│ ├── fail2ban
│ │ └── fail2ban
│ │ │ └── 2021-07-01-GitHub-Security-Lab.md
│ ├── madler
│ │ └── zlib
│ │ │ └── trail-of-bits-2016.md
│ ├── zerotier
│ │ └── zerotier-protocol.md
│ └── argoproj
│ │ └── argo.md
├── sigstore
│ └── sigstore.md
├── kubeedge
│ └── kubeedge.md
├── rustls
│ └── review-1.md
├── slf4j
│ └── slf4j.md
├── core-infrastructure-initiative
│ └── cii.md
├── C-ares
│ └── C-ares.md
├── argo
│ └── argo.md
├── _general_
│ └── attacks
│ │ └── dependency-confusion-poc-2.md
├── cri-o
│ └── crio.md
├── linux-distributions
│ └── red-hat-enterprise-linux-8.2.md
├── fluxcd
│ └── flux2.md
└── _omega_
│ └── npm
│ ├── ms
│ ├── omega-review-2.0.0-2022-05-07.md
│ ├── omega-review-2.1.1-2022-05-09.md
│ ├── omega-review-2.1.2-2022-05-09.md
│ └── omega-review-2.1.3-2022-05-07.md
│ ├── has
│ └── omega-review-1.0.3-2022-05-06.md
│ ├── methods
│ └── omega-review-1.1.2-2022-05-09.md
│ ├── through2
│ └── omega-review-0.6.5-2022-05-07.md
│ ├── inherits
│ ├── omega-review-2.0.3-2022-05-06.md
│ └── omega-review-2.0.4-2022-05-06.md
│ ├── p-try
│ ├── omega-review-2.2.0-2022-05-09.md
│ └── omega-review-3.0.0-2022-05-07.md
│ ├── strip-ansi
│ ├── omega-review-3.0.1-2022-05-07.md
│ ├── omega-review-4.0.0-2022-05-09.md
│ └── omega-review-7.0.1-2022-05-07.md
│ ├── ansi-regex
│ ├── omega-review-2.1.1-2022-05-05.md
│ └── omega-review-2.0.0-2022-05-08.md
│ ├── color-name
│ └── omega-review-1.1.4-2022-05-05.md
│ ├── destroy
│ └── omega-review-1.0.4-2022-05-08.md
│ ├── is-buffer
│ └── omega-review-1.1.6-2022-05-06.md
│ ├── isarray
│ └── omega-review-2.0.5-2022-05-06.md
│ ├── encodeurl
│ └── omega-review-1.0.2-2022-05-08.md
│ ├── find-up
│ └── omega-review-6.3.0-2022-05-06.md
│ ├── isobject
│ └── omega-review-3.0.1-2022-05-06.md
│ ├── onetime
│ └── omega-review-6.0.0-2022-05-09.md
│ ├── p-limit
│ └── omega-review-4.0.0-2022-05-07.md
│ ├── pkg-dir
│ └── omega-review-6.0.1-2022-05-09.md
│ ├── buffer-from
│ └── omega-review-1.1.1-2022-05-05.md
│ ├── core-util-is
│ ├── omega-review-1.0.1-2022-05-05.md
│ └── omega-review-1.0.2-2022-05-05.md
│ ├── globals
│ └── omega-review-13.14.0-2022-05-08.md
│ ├── has-flag
│ ├── omega-review-3.0.0-2022-05-06.md
│ └── omega-review-5.0.1-2022-05-06.md
│ ├── mimic-fn
│ └── omega-review-4.0.0-2022-05-09.md
│ ├── p-locate
│ └── omega-review-6.0.0-2022-05-07.md
│ ├── path-key
│ └── omega-review-4.0.0-2022-05-09.md
│ ├── callsites
│ └── omega-review-4.0.0-2022-05-08.md
│ ├── has-value
│ └── omega-review-2.0.2-2022-05-06.md
│ ├── imurmurhash
│ └── omega-review-0.1.4-2022-05-08.md
│ ├── is-stream
│ ├── omega-review-1.1.0-2022-05-06.md
│ └── omega-review-3.0.0-2022-05-08.md
│ ├── os-tmpdir
│ └── omega-review-1.0.2-2022-05-07.md
│ ├── set-blocking
│ └── omega-review-2.0.0-2022-05-07.md
│ ├── is-windows
│ └── omega-review-1.0.2-2022-05-08.md
│ └── lazy-cache
│ └── omega-review-2.0.2-2022-05-08.md
└── Review_Template.md
/scripts/requirements.txt:
--------------------------------------------------------------------------------
1 | better-profanity==0.7.0
2 | packageurl-python==0.11.2
3 | PyYAML==6.0.1
4 |
--------------------------------------------------------------------------------
/docs/index.html:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
--------------------------------------------------------------------------------
/scripts/sync_overview.sh:
--------------------------------------------------------------------------------
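#!/bin/bash
# Commit and push the regenerated ./Overview.md to the main branch.
#
# Called by .github/workflows/generate-overview.yml after
# scripts/generate_overview.py has rewritten Overview.md; the git identity
# (user.name / user.email) is configured by that workflow before this runs.
# Takes no arguments. Exits non-zero if any git step fails.

# Fail on the first error instead of running `git push` after a failed
# `git add` / `git commit`, and treat unset variables as errors.
set -euo pipefail

# Resolve paths relative to the repository root so the script behaves the
# same whether it is invoked from the root (as the workflow does) or from
# inside scripts/.
cd "$(dirname "$0")/.."

git add ./Overview.md

# `git commit` exits non-zero when there is nothing staged, which under
# `set -e` would abort the job. A regeneration that produced no change is
# not an error, so skip the commit and push in that case.
if git diff --cached --quiet -- ./Overview.md; then
    echo "Overview.md unchanged; nothing to commit."
    exit 0
fi

git commit -m "Update Overview.md"
git push origin main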
--------------------------------------------------------------------------------
/docs/readme.txt:
--------------------------------------------------------------------------------
1 | This template was made by Colorlib (https://colorlib.com)
2 | Please visit our website for more awesome templates, themes and tools.
3 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
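# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  # The only pip manifest in this repository is scripts/requirements.txt
  # (both validate.yml and generate-overview.yml install from it). With
  # directory "/" Dependabot finds no manifest and never opens an update, so
  # point it at the directory that actually holds the file.
  - package-ecosystem: "pip"
    directory: "/scripts"
    schedule:
      interval: "daily"

  # Also keep the actions referenced from .github/workflows/ current; the
  # workflows pin several actions to older major versions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"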
--------------------------------------------------------------------------------
/docs/js/global.js:
--------------------------------------------------------------------------------
(function ($) {
    'use strict';

    // Attach select2 to every `.js-select-simple` widget on the page, with
    // each dropdown rendered inside the widget's own `.select-dropdown`
    // container. Any failure (e.g. select2 not loaded) is logged and
    // otherwise ignored so the rest of the page keeps working.
    try {
        $('.js-select-simple').each(function () {
            var widget = $(this);
            widget.find('select').select2({
                dropdownParent: widget.find('.select-dropdown')
            });
        });
    } catch (err) {
        console.log(err);
    }

})(jQuery);
22 |
--------------------------------------------------------------------------------
/.github/workflows/validate.yml:
--------------------------------------------------------------------------------
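# This workflow will install Python dependencies and run the validate.py script to ensure all reviews are complete.

name: Python application

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for the job token: the validator only reads the checkout,
# so nothing here needs write access to the repository or its APIs.
permissions:
  contents: read

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      # v3 matches generate-overview.yml; keep the workflows on one major.
      - uses: actions/checkout@v3
      - name: Set up Python 3.x
        uses: actions/setup-python@v3
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f ./scripts/requirements.txt ]; then pip install -r ./scripts/requirements.txt; fi
      - name: Run validator
        run: |
          # stop the build if there are any errors (errcode 0 means 'pass')
          python ./scripts/validate.py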
30 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | # Security
2 |
3 | **Do not disclose "new" or "unknown" vulnerabilities to this project or to this repository about other projects.**
4 |
5 | So, if you find a vulnerability (or evidence of one)
6 | in a specific project other than this one,
7 | and that vulnerability is not already well-known
8 | publicly, please report the vulnerability to *that* project.
9 |
10 | If you find a vulnerability (or evidence of one)
11 | in this specific project (e.g., its scripts), please *do* report such
12 | vulnerabilities to us.
13 |
14 | We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
15 | [main repository's security tab](https://github.com/ossf/security-reviews/security), in the left sidebar, under "Reporting", click Advisories, then click "Report a vulnerability" to open the advisory form.
16 |
--------------------------------------------------------------------------------
/.github/workflows/generate-overview.yml:
--------------------------------------------------------------------------------
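# This workflow will install Python dependencies and refresh the Overview.md page.

name: Python application

on:
  push:
    branches: [ main ]

# The last step commits Overview.md back to main, so the job token needs
# write access to repository contents — and nothing beyond that.
permissions:
  contents: write

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
      - name: Set up Python 3
        uses: actions/setup-python@v3
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f ./scripts/requirements.txt ]; then pip install -r ./scripts/requirements.txt; fi
      - name: Generate overview
        run: |
          # stop the build if there are any errors (errcode 0 means 'pass')
          python ./scripts/generate_overview.py --directory ./reviews
      - name: Setup git config
        # Hand the secrets to the shell through the environment instead of
        # interpolating `${{ secrets.* }}` into the command line: a value
        # containing spaces or shell metacharacters then arrives as one plain
        # argument rather than being re-parsed by the shell.
        env:
          GIT_USER_NAME: ${{ secrets.USERNAME }}
          GIT_USER_EMAIL: ${{ secrets.EMAIL }}
        run: |
          git config user.name "$GIT_USER_NAME"
          git config user.email "$GIT_USER_EMAIL"
      - name: Commit changes
        run: |
          chmod +x ./scripts/sync_overview.sh
          ./scripts/sync_overview.sh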
36 |
--------------------------------------------------------------------------------
/.github/settings.yml:
--------------------------------------------------------------------------------
repository:
  # See https://developer.github.com/v3/repos/#edit for all available settings.

  # The name of the repository. Changing this will rename the repository
  # NOTE(review): name, description and homepage below still carry the values
  # of the OpenSSF project template, while SECURITY.md identifies this
  # repository as ossf/security-reviews. If the Settings app is installed it
  # applies whatever is here on push — confirm these values are intended
  # before relying on this file.
  name: project-template

  # A short description of the repository that will show up on GitHub
  description: OpenSSF Project Template

  # A URL with more information about the repository
  homepage: https://openssf.org

# Collaborators: give specific users access to this repository.
# see /governance/roles.md for details on write access policy
# note that the permissions below may provide wider access than needed for
# a specific role, and we trust these individuals to act according to their
# role. If there are questions, please contact one of the chairs.
collaborators:
  # Chairs and Admin Help
  # NOTE(review): both entries below have an empty username (template
  # placeholders); as written they grant access to no one — fill in or remove.
  - username:
    permission: admin

  # Contributors
  # all permissions except admin

  - username:
    permission: push

labels:
  - name: helpwanted
    color: ffff54
  - name: good first issue
    color: ff8c00
  - name: meeting
    color: 00ff00

# additional colors in this palette:
# 7f0000 , 1e90ff, ffdab9, ff69b4
39 |
--------------------------------------------------------------------------------
/reviews/npm/clap/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: None
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - Web-Search
13 | Package-URLs:
14 | - pkg:npm/clap@1.2.3
15 | Issues-Identified: None
16 | Review-Date: 2019-10-03
17 | Scope: Implementation/Full
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | No security issues identified.
25 |
26 | ### Details
27 |
28 | No security issues identified.
29 |
30 | ### Methodology
31 |
32 | This review was conducted by the Microsoft Open Source Security Team using automated
33 | tools (including static analysis), custom tools, a targeted code review, and some
34 | effort to identify already-known security defects.
35 |
36 | ### External References
37 |
38 | No external references exist for this review.
39 |
40 | ### Disclaimer
41 |
42 | All security reviews are conducted on a "best-effort" basis against a software
43 | component at a point in time. We make no guarantee as to the quality or completeness
44 | of any review. If you believe any content is inaccurate, we encourage you to open
45 | an issue or submit a pull request with a correction or improvement.
46 |
47 | ### License
48 |
49 | This text is released under at least the
50 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
51 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/npm/file-loader/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: None
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - Web-Search
13 | Package-URLs:
14 | - pkg:npm/file-loader@3.0.1
15 | Issues-Identified: None
16 | Review-Date: 2019-10-04
17 | Scope: Implementation/Full
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | No security issues identified.
25 |
26 | ### Details
27 |
28 | No security issues identified.
29 |
30 | ### Methodology
31 |
32 | This review was conducted by the Microsoft Open Source Security Team using automated
33 | tools (including static analysis), custom tools, a targeted code review, and some
34 | effort to identify already-known security defects.
35 |
36 | ### External References
37 |
38 | No external references exist for this review.
39 |
40 | ### Disclaimer
41 |
42 | All security reviews are conducted on a "best-effort" basis against a software
43 | component at a point in time. We make no guarantee as to the quality or completeness
44 | of any review. If you believe any content is inaccurate, we encourage you to open
45 | an issue or submit a pull request with a correction or improvement.
46 |
47 | ### License
48 |
49 | This text is released under at least the
50 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
51 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/nuget/markdig/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: None
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - Web-Search
13 | Package-URLs:
14 | - pkg:github/lunet-io/markdig@0.11.0
15 | - pkg:nuget/markdig@0.11.0
16 | Issues-Identified: None
17 | Review-Date: 2019-10-03
18 | Scope: Implementation/Full
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | No security issues identified.
26 |
27 | ### Details
28 |
29 | No security issues identified.
30 |
31 | ### Methodology
32 |
33 | This review was conducted by the Microsoft Open Source Security Team using automated
34 | tools (including static analysis), custom tools, a targeted code review, and some
35 | effort to identify already-known security defects.
36 |
37 | ### External References
38 |
39 | No external references exist for this review.
40 |
41 | ### Disclaimer
42 |
43 | All security reviews are conducted on a "best-effort" basis against a software
44 | component at a point in time. We make no guarantee as to the quality or completeness
45 | of any review. If you believe any content is inaccurate, we encourage you to open
46 | an issue or submit a pull request with a correction or improvement.
47 |
48 | ### License
49 |
50 | This text is released under at least the
51 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
52 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
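# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '41 23 * * 3'

# Least privilege for the job token: read the checkout and workflow metadata,
# write only to the code-scanning results.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python', 'javascript' ]
        # Other languages CodeQL can analyze: 'cpp', 'csharp', 'go', 'java'.

    steps:
    - name: Checkout repository
      # v3 matches the other workflows in this repository.
      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    # codeql-action v1 is deprecated and no longer receives CLI or query
    # updates; v3 is the currently supported major.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main

    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
    # For the interpreted languages in the matrix above there is nothing to
    # build; the step is kept for parity with the upstream template.
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3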
47 |
--------------------------------------------------------------------------------
/reviews/npm/cryo/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Dilan Bhalla
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Web-Search
12 | Issues-Identified: Severe
13 | Package-URLs:
14 | - pkg:npm/cryo@0.0.6
15 | Review-Date: 2021-02-13
16 | Scope: Implementation/Full
17 | Schema-Version: 1.0
18 | SPDX-License-Identifier: CC-BY-4.0
19 | ---
20 |
21 | ### Summary
22 |
23 | A known, high-severity code-injection vulnerability in the latest version of cryo (0.0.6) allows malicious actors to execute arbitrary code.
24 |
25 | ### Details
26 |
27 | This package deserializes JSON into objects using an insecure method. As a result, an attacker can inject arbitrary code that may later be called by the user's application and run on their system. This is a high-severity vulnerability with no patch currently available, so it is advisable to avoid using this library.
28 |
29 | ### Methodology
30 |
31 | 1. Static analysis (CodeQL)
32 | 2. Multiple credible sources referenced, attached in external references below.
33 |
34 | ### External References
35 |
36 | 1. https://nvd.nist.gov/vuln/detail/CVE-2018-3784
37 | 2. https://hackerone.com/reports/350418
38 |
39 | ### Disclaimer
40 |
41 | All security reviews are conducted on a "best-effort" basis against a software
42 | component at a point in time. We make no guarantee as to the quality or completeness
43 | of any review. If you believe any content is inaccurate, we encourage you to open
44 | an issue or submit a pull request with a correction or improvement.
45 |
46 | ### License
47 |
48 | This text is released under at least the
49 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
50 | Externally-referenced content may be licensed differently.
51 |
--------------------------------------------------------------------------------
/reviews/npm/atom-node-module-installer/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Dilan Bhalla
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Web-Search
12 | Issues-Identified: Severe
13 | Package-URLs:
14 | - pkg:npm/atom-node-module-installer@0.9.0
15 | Review-Date: 2021-02-12
16 | Scope: Implementation/Full
17 | Schema-Version: 1.0
18 | SPDX-License-Identifier: CC-BY-4.0
19 | ---
20 |
21 | ### Summary
22 |
23 | Known critical vulnerability. Avoid using this package if possible, as there is no existing patch. If you must use it, ensure you are on a private, trusted network during installation.
24 |
25 | ### Details
26 |
27 | This package installs node modules over an insecure protocol (HTTP) and is thus susceptible to MITM attacks. Remote code can be executed by an attacker if they are on the same network, or if the user is using a public network.
28 |
29 | ### Methodology
30 |
31 | 1. Static Analysis - CodeQL
32 | - Converted CoffeeScript to JavaScript using decaffeinate, an npm package
33 | - Ran all security queries on package
34 | 2. Additional Research
35 |
36 | ### External References
37 |
38 | 1. https://nvd.nist.gov/vuln/detail/CVE-2016-10620
39 | 2. https://www.npmjs.com/advisories/216
40 |
41 | ### License
42 |
43 | This text is released under at least the
44 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
45 | External references are under their own licenses, which may be different.
46 |
47 | ### Disclaimer
48 |
49 | All security reviews are conducted on a "best-effort" basis against a software
50 | component at a point in time. We make no guarantees that any review will be accurate
51 | or complete. If you dispute any content within a review, feel free to open an issue
52 | or submit a pull request with a correction or improvement.
53 |
54 |
--------------------------------------------------------------------------------
/reviews/github/rook/rook.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | - Fuzzing
15 | Issues-Identified: Severe
16 | Package-URLs:
17 | - pkg:github.com/rook/rook/tree/release-1.1
18 | Review-Date: 2019-12-19
19 | Scope: Non-Implementation
20 | Schema-Version: 1.0
21 | SPDX-License-Identifier: CC-BY-4.0
22 | ---
23 |
24 | ### Summary
25 |
26 | From December 2 through December 19, 2019, Rook worked with Trail of Bits to review the security of the storage orchestration system for Kubernetes, also named Rook. Trail of Bits conducted this assessment over the course of two person-weeks with two engineers working from the release-1.1 branch of the rook/rook repository.
27 |
28 | ### Details
29 |
30 | The assessment resulted in 13 findings ranging from High to Low in severity.
31 |
32 | ### Methodology
33 |
34 | The week-long assessment consisted of manual review, static analysis, and operational analysis with a focus on common Go mistakes, security-critical configuration, and protocol use.
35 |
36 | ### External References
37 |
38 | Report: https://github.com/trailofbits/publications/blob/master/reviews/rook.pdf
39 |
40 | ### Disclaimer
41 |
42 | All security reviews are conducted on a "best-effort" basis against a software
43 | component at a point in time. We make no guarantee as to the quality or completeness
44 | of any review. If you believe any content is inaccurate, we encourage you to open
45 | an issue or submit a pull request with a correction or improvement.
46 |
47 | ### License
48 |
49 | This text is released under at least the
50 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
51 | Externally-referenced content may be licensed differently.
52 |
--------------------------------------------------------------------------------
/reviews/sigstore/sigstore.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Open Source Technology Improvement Fund
6 | Associated-With-Project: False
7 | Compensation-Source: Non-Project
8 | Domain: Security
9 | Methodology:
10 | - Dynamic-Analysis
11 | - Code-Review
12 | - External-Review
13 | - Fuzzing
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github/sigstore
17 | Review-Date: 2022-04-01
18 | Scope: Implementation/Full
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | Sigstore is a new standard for signing, verifying and protecting software, and has quickly grown into a premier tool for securing the software supply chain. The security review was facilitated by Open Source Technology Improvement Fund and carried out by Include Security.
26 |
27 | ### Details
28 |
29 | The results of the security audit are three findings (1 High Risk, 2 Low Risk), fuzzing improvements, and a documented threat model.
30 |
31 | The high-risk finding along with one of the low-risk findings identified through this security audit has been fixed and validated. See below for the full report.
32 |
33 | ### Methodology
34 |
35 | Manual review
36 |
37 | ### External References
38 |
39 | (https://ostif.org/our-audit-of-sigstore-is-complete-high-risk-vulnerability-found-and-fixed/)
40 |
41 | ### Disclaimer
42 |
43 | All security reviews are conducted on a "best-effort" basis against a software
44 | component at a point in time. We make no guarantee as to the quality or completeness
45 | of any review. If you believe any content is inaccurate, we encourage you to open
46 | an issue or submit a pull request with a correction or improvement.
47 |
48 | ### License
49 |
50 | This text is released under at least the
51 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
52 | Externally-referenced content may be licensed differently.
53 |
--------------------------------------------------------------------------------
/reviews/kubeedge/kubeedge.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Open Source Technology Improvement Fund
6 | Associated-With-Project: false
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - External-Review
11 | - Code-Review
12 | Issues-Identified: Severe
13 | Package-URLs:
14 | - pkg:github/kubeedge/kubeedge
15 | Review-Date: 2022-05-01
16 | Scope: Implementation/Full
17 | Schema-Version: 1.0
18 | SPDX-License-Identifier: CC-BY-4.0
19 | ---
20 |
21 | ### Summary
22 |
23 | KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. An audit was facilitated by OSTIF and funded by CNCF.
24 |
25 | ### Details
26 |
27 | The result of this engagement is the finding and fixing of multiple medium-severity issues, threat modeling, and integration into OSS-Fuzz. 10 fuzzers in total were written, and these fuzzers were set up to run in the CI for pull requests. Several issues were found by the fuzzers, including 2 of the 8 CVEs.
28 |
29 | ### Methodology
30 |
31 | A combination of manual code auditing, dynamic analysis using a custom fuzzing harness, and static analysis was used to perform the audit.
32 |
33 |
34 | ### External References
35 |
36 | A link to the full report is available for free at: https://ostif.org/our-audit-of-kubeedge-is-complete-multiple-security-issues-found-and-fixed/
37 |
38 | ### Disclaimer
39 |
40 | All security reviews are conducted on a "best-effort" basis against a software
41 | component at a point in time. We make no guarantee as to the quality or completeness
42 | of any review. If you believe any content is inaccurate, we encourage you to open
43 | an issue or submit a pull request with a correction or improvement.
44 |
45 | ### License
46 |
47 | This text is released under at least the
48 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
49 | Externally-referenced content may be licensed differently.
50 |
--------------------------------------------------------------------------------
/reviews/npm/left-pad/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Web-Search
12 | - Code-Review
13 | Issues-Identified: None
14 | Package-URLs:
15 | - pkg:npm/left-pad@1.3.0
16 | Review-Date: 2019-04-08
17 | Scope: Implementation/Full
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | This is a relatively simple module for padding strings. A review did not identify any security defects.
25 |
26 | ### Details
27 |
28 | This is a relatively simple module for padding strings. A review did not identify any security defects, but the module itself has been deprecated; the module author suggests using `String.prototype.padStart()` instead. The associated GitHub [repository](https://github.com/left-pad/left-pad) has also been archived.
29 |
30 | ### Methodology
31 |
32 | This review was conducted by the Microsoft Open Source Security Team using automated
33 | tools (including static analysis), custom tools, a targeted code review, and some
34 | effort to identify already-known security defects.
35 |
36 | ### External References
37 |
38 | * [npmjs.com/package/left-pad](https://www.npmjs.com/package/left-pad)
39 | * [github.com/left-pad/left-pad](https://github.com/left-pad/left-pad)
40 |
41 | ### Disclaimer
42 |
43 | All security reviews are conducted on a "best-effort" basis against a software
44 | component at a point in time. We make no guarantee as to the quality or completeness
45 | of any review. If you believe any content is inaccurate, we encourage you to open
46 | an issue or submit a pull request with a correction or improvement.
47 |
48 | ### License
49 |
50 | This text is released under at least the
51 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
52 | Externally-referenced content may be licensed differently.
53 |
--------------------------------------------------------------------------------
/reviews/github/helm/helm.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github.com/helm/helm/tree/v3.3.0-rc.1
17 | Review-Date: 2020-08-10
18 | Scope: Implementation/Full
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | From July 27 through August 5, 2020, Trail of Bits reviewed the security of Helm and conducted this assessment over the course of three person-weeks with two engineers working from v3.3.0-rc.1 (c2dfaa) from the Helm repository.
26 |
27 | ### Details
28 |
29 | The assessment revealed a total of 14 findings ranging from medium to informational severity. Overall, the Helm codebase maturity could be improved. In some areas, it does not perform the necessary data validation, and in others the implementation either does not match the expected functionality or is not fully documented. These gaps can affect the security posture of the system since Helm users may make incorrect assumptions.
30 |
31 | ### Methodology
32 |
33 | No methodology was provided.
34 |
35 | ### External References
36 |
37 | Report: https://github.com/trailofbits/publications/blob/master/reviews/Helm.pdf
38 |
39 | ### Disclaimer
40 |
41 | All security reviews are conducted on a "best-effort" basis against a software
42 | component at a point in time. We make no guarantee as to the quality or completeness
43 | of any review. If you believe any content is inaccurate, we encourage you to open
44 | an issue or submit a pull request with a correction or improvement.
45 |
46 | ### License
47 |
48 | This text is released under at least the
49 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
50 | Externally-referenced content may be licensed differently.
51 |
--------------------------------------------------------------------------------
/reviews/rustls/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Mario Heiderich
6 | Email: mario@cure53.de
7 | Organization: Cure53
8 | Associated-With-Project: False
9 | Compensation-Source: Non-Project
10 | Domain: Security
11 | Methodology:
12 | - Static-Analysis
13 | - Dynamic-Analysis
14 | - Code-Review
15 | - External-Review
16 | Issues-Identified: Non-Severe
17 | Package-URLs:
18 | - pkg:cargo/rustls@0.16.0
19 | - pkg:cargo/ring
20 | - pkg:cargo/webpki
21 | - pkg:cargo/sct.rs
22 | - pkg:cargo/rustls-native-certs
23 | Review-Date: 2020-06-15
24 | Scope: Implementation/Full
25 | Schema-Version: 1.0
26 | SPDX-License-Identifier: CC-BY-4.0
27 | ---
28 |
29 | ### Summary
30 |
31 | In May and June 2020, Cure53 completed a security audit of rustls (a TLS library written in Rust) along with some of its key dependencies such as ring and webpki.
32 |
33 | ### Details
34 |
35 | There were two informational and two minor-severity findings. See the report for the full details.
36 |
37 | This evaluation was funded by the Linux Foundation (LF) Cloud Native Computing Foundation (CNCF).
38 |
39 | ### Methodology
40 |
41 | The audit was split into two parts: rustls and its key dependencies. The authors ran static tools, tests, and code robustness analysis; the latter was carried out via human review of the source code.
42 |
43 | ### External References
44 |
45 | https://github.com/rustls/rustls/blob/master/audit/TLS-01-report.pdf
46 |
47 | https://jbp.io/2020/06/14/rustls-audit.html
48 |
49 | ### Disclaimer
50 |
51 | All security reviews are conducted on a "best-effort" basis against a software
52 | component at a point in time. We make no guarantee as to the quality or completeness
53 | of any review. If you believe any content is inaccurate, we encourage you to open
54 | an issue or submit a pull request with a correction or improvement.
55 |
56 | ### License
57 |
58 | This text is released under at least the
59 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
60 | Externally-referenced content may be licensed differently.
61 |
--------------------------------------------------------------------------------
/reviews/github/etcd-io/etcd.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github.com/etcd-io/etcd
17 | Review-Date: 2020-02-07
18 | Scope: Non-Implementation
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | From January 21 through January 31, 2020, the Linux Foundation engaged Trail of Bits to review the security of etcd. Trail of Bits conducted this assessment over the course of four person-weeks with four engineers working from release 3.4.3 of the etcd-io/etcd repository.
26 |
27 | ### Details
28 |
29 | The assessment revealed a total of 17 findings ranging from high- to informational-severity. Overall, the etcd codebase represents a mature and heavily adopted product. However, there are many edge-cases not caught by the current test suite, and there are areas where the expected functionality of etcd does not match its implementation. These gaps can affect the security posture of the system since etcd gateway users may make inaccurate assumptions.
30 |
31 | ### Methodology
32 |
33 | No methodology was provided.
34 |
35 | ### External References
36 |
37 | Report: https://github.com/trailofbits/publications/blob/master/reviews/OPAGatekeeper.pdf
38 |
39 | ### Disclaimer
40 |
41 | All security reviews are conducted on a "best-effort" basis against a software
42 | component at a point in time. We make no guarantee as to the quality or completeness
43 | of any review. If you believe any content is inaccurate, we encourage you to open
44 | an issue or submit a pull request with a correction or improvement.
45 |
46 | ### License
47 |
48 | This text is released under at least the
49 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
50 | Externally-referenced content may be licensed differently.
51 |
--------------------------------------------------------------------------------
/reviews/github/standardnotes/snjs-sncrypto.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - External-Review
13 | Issues-Identified: Non-Severe
14 | Package-URLs:
15 | - pkg:github.com/standardnotes/snjs
16 | - pkg:github.com/standardnotes/SNCrypto
17 | Review-Date: 2020-09-08
18 | Scope: Implementation/Partial
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | From March 2 through March 6, 2020, Standard Notes engaged Trail of Bits to review the security of SNJS and SNCrypto. Trail of Bits conducted this assessment for one person-week with two engineers working from commit b9d7b79 on branch 004 from the standardnotes/snjs repository, along with commit 0059a66 on branch 004 of the standardnotes/sncrypto repository.
26 |
27 | ### Details
28 |
29 | The manual review of the codebase revealed four findings. Trail of Bits reported one medium-severity issue, TOB-SNOTES-001, related to insecure passwords. The remaining three, TOB-SNOTES-002–TOB-SNOTES-004, are informational findings related to values leaked to timing side-channels, and values not being cleared after they are no longer needed.
30 |
31 | ### Methodology
32 |
33 | No methodology was provided.
34 |
35 | ### External References
36 |
37 | Report: https://github.com/trailofbits/publications/blob/master/reviews/StandardNotes.pdf
38 |
39 | ### Disclaimer
40 |
41 | All security reviews are conducted on a "best-effort" basis against a software
42 | component at a point in time. We make no guarantee as to the quality or completeness
43 | of any review. If you believe any content is inaccurate, we encourage you to open
44 | an issue or submit a pull request with a correction or improvement.
45 |
46 | ### License
47 |
48 | This text is released under at least the
49 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
50 | Externally-referenced content may be licensed differently.
51 |
--------------------------------------------------------------------------------
/reviews/npm/iter-server/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Dilan Bhalla
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Web-Search
11 | - Code-Review
12 | Issues-Identified: Severe
13 | Package-URLs:
14 | - pkg:npm/iter-server@1.0.0
15 | Review-Date: 2021-02-12
16 | Scope: Implementation/Full
17 | Schema-Version: 1.0
18 | SPDX-License-Identifier: CC-BY-4.0
19 | ---
20 |
21 | ### Summary
22 |
23 | Directory traversal vulnerability in this package. No patches are available; it is best to avoid using this package in a production environment.
24 |
25 | ### Details
26 |
27 | The latest version of this package (and its only version, 1.0.0) accepts relative file paths, leaving it susceptible to a directory traversal exploit. This can allow others to access private files outside of the intended root directory.
28 |
29 | Potential exploit from https://www.npmjs.com/advisories/349:
30 |
31 | ```
32 | GET /../../../../../../../../../../etc/passwd HTTP/1.1
33 | host:foo
34 | ```
35 |
36 | ### Methodology
37 |
38 | In-depth research and analysis from multiple sources, listed in the external references section below.
39 |
40 | ### External References
41 |
42 | 1. https://nvd.nist.gov/vuln/detail/CVE-2017-16183
43 | 2. https://www.npmjs.com/advisories/454
44 | 3. https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/iter-server
45 | 4. https://www.npmjs.com/package/iter-server (npm website, to ensure no patches have been released)
46 |
47 | ### License
48 |
49 | This text is released under at least the
50 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
51 | External references are under their own licenses, which may be different.
52 |
53 | ### Disclaimer
54 |
55 | All security reviews are conducted on a "best-effort" basis against a software
56 | component at a point in time. We make no guarantees that any review will be accurate
57 | or complete. If you dispute any content within a review, feel free to open an issue
58 | or submit a pull request with a correction or improvement.
59 |
--------------------------------------------------------------------------------
/reviews/npm/cityhash/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: None
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - Web-Search
13 | Package-URLs:
14 | - pkg:npm/cityhash@0.0.5
15 | Issues-Identified: Non-Severe
16 | Review-Date: 2019-10-30
17 | Scope: Implementation/Full
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | CityHash is not a cryptographic hash function, and was designed for speed rather
25 | than collision resistance or other security properties.
26 |
27 | ### Details
28 |
29 | CityHash is not a cryptographic hash function, and was designed for speed rather
30 | than collision resistance or other security properties. If you use CityHash, you
31 | should assume an attacker is able to both "invert" it (given a hash output, easily
32 | find an input that maps to that hash output) and collide it (quickly create many
33 | inputs that map to the same output value). This could lead to O(n) hash table
34 | lookups, caching issues, etc. Ensure that you do not rely on CityHash for security.
35 |
36 | ### Methodology
37 |
38 | This review was conducted by the Microsoft Open Source Security Team using automated
39 | tools (including static analysis), custom tools, a targeted code review, and some
40 | effort to identify already-known security defects.
41 |
42 | ### External References
43 |
44 | No external references exist for this review.
45 |
46 | ### Disclaimer
47 |
48 | All security reviews are conducted on a "best-effort" basis against a software
49 | component at a point in time. We make no guarantee as to the quality or completeness
50 | of any review. If you believe any content is inaccurate, we encourage you to open
51 | an issue or submit a pull request with a correction or improvement.
52 |
53 | ### License
54 |
55 | This text is released under at least the
56 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
57 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/github/freedomofpress/securedrop-workstation/SecureDropWorkstation.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - External-Review
11 | Issues-Identified: Severe
12 | Package-URLs:
13 | - pkg:github.com/freedomofpress/securedrop-workstation
14 | Review-Date: 2020-12-18
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | ---
19 |
20 | ### Summary
21 |
22 | The Freedom of the Press Foundation engaged Trail of Bits to review the security of the SecureDrop Workstation. Trail of Bits conducted this assessment over the course of 6 person-weeks with 2 engineers assessing SecureDrop Workstation 0.5.0. SecureDrop is an open-source whistleblower submission system maintained by Freedom of the Press Foundation, a non-profit organization based in the United States. Over 75 news outlets worldwide use the system to communicate with sources.
23 |
24 | ### Details
25 |
26 | Assessment of the SecureDrop Workstation codebase resulted in 26 findings ranging from informational to high severity. Notably, the high-severity finding details a case where a malicious SecureDrop server could create files in arbitrary paths in the sd-app VM, which may allow for code execution.
27 |
28 | ### Methodology
29 |
30 | No methodology was provided.
31 |
32 | ### External References
33 |
34 | Report: https://github.com/trailofbits/publications/blob/master/reviews/SecureDropWorkstation.pdf
35 |
36 | ### Disclaimer
37 |
38 | All security reviews are conducted on a "best-effort" basis against a software
39 | component at a point in time. We make no guarantee as to the quality or completeness
40 | of any review. If you believe any content is inaccurate, we encourage you to open
41 | an issue or submit a pull request with a correction or improvement.
42 |
43 | ### License
44 |
45 | This text is released under at least the
46 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
47 | Externally-referenced content may be licensed differently.
48 |
--------------------------------------------------------------------------------
/reviews/github/westerndigitalcorporation/sweet-b/sweet-b.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - External-Review
13 | Issues-Identified: Severe
14 | Package-URLs:
15 | - pkg:github.com/westerndigitalcorporation/sweet-b
16 | Review-Date: 2020-01-24
17 | Scope: Implementation/Partial
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | From January 13 through January 24, 2020, Trail of Bits reviewed the security of Sweet B, a library that provides elliptic curve operations over 256-bit prime fields and a set of supporting hash-based primitives. Trail of Bits conducted this assessment over the course of four person-weeks with three engineers working from commit 02d41f4d of sweet-b.
25 |
26 | ### Details
27 |
28 | Instruction trace analysis identified a potential misconfiguration that could produce functions that are not constant time (TOB-SB-001), and found that undue trust was placed in the behavior of certain libc functions (TOB-SB-003). Trail of Bits also completed a manual review of the elliptic curve and prime-field implementations, which identified potentially error-prone functions (TOB-SB-002) and issues related to the ECDSA API (TOB-SB-005).
29 |
30 | ### Methodology
31 |
32 | No methodology was provided.
33 |
34 | ### External References
35 |
36 | Report: https://github.com/trailofbits/publications/blob/master/reviews/SweetB.pdf
37 |
38 | ### Disclaimer
39 |
40 | All security reviews are conducted on a "best-effort" basis against a software
41 | component at a point in time. We make no guarantee as to the quality or completeness
42 | of any review. If you believe any content is inaccurate, we encourage you to open
43 | an issue or submit a pull request with a correction or improvement.
44 |
45 | ### License
46 |
47 | This text is released under at least the
48 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
49 | Externally-referenced content may be licensed differently.
50 |
--------------------------------------------------------------------------------
/reviews/slf4j/slf4j.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Open Source Technology Improvement Fund
6 | Associated-With-Project: false
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - External-Review
11 | - Code-Review
12 | Issues-Identified: Non-Severe
13 | Package-URLs:
14 | - pkg:github/qos-ch/slf4j
15 | Review-Date: 2022-03-20
16 | Scope: Implementation/Full
17 | Schema-Version: 1.0
18 | SPDX-License-Identifier: CC-BY-4.0
19 | ---
20 |
21 | ### Summary
22 |
23 | Simple Logging Facade for Java, slf4j, is identified in the Harvard Census II results as one of the most widely-deployed logging frameworks. The security and supply chain review was facilitated by Open Source Technology Improvement Fund and carried out by Include Security.
24 |
25 | ### Details
26 |
27 | The results of the security audit are three (1 Low Risk, 2 Informational) findings, a documented threat model, and a Supply Chain Security review against SLSA. As a result of this review, slf4j, logback, and reload4j (a new fork of log4j 1.x with security fixes) are now reproducible builds, which substantially increases the difficulty of a supply-chain attack.
28 |
29 | All findings identified through this security audit have been fixed and validated. See below for the full report.
30 |
31 | ### Methodology
32 |
33 | A combination of manual code auditing, dynamic analysis, and
34 | static analysis was used to perform the audit.
35 |
36 |
37 | ### External References
38 |
39 | A link to the full report is available for free at: https://ostif.org/our-audit-of-slf4j-is-complete/
40 |
41 | ### Disclaimer
42 |
43 | All security reviews are conducted on a "best-effort" basis against a software
44 | component at a point in time. We make no guarantee as to the quality or completeness
45 | of any review. If you believe any content is inaccurate, we encourage you to open
46 | an issue or submit a pull request with a correction or improvement.
47 |
48 | ### License
49 |
50 | This text is released under at least the
51 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
52 | Externally-referenced content may be licensed differently.
53 |
--------------------------------------------------------------------------------
/reviews/core-infrastructure-initiative/cii.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Linux Foundation
6 | Associated-With-Project: true
7 | Compensation-Source: External
8 | - Organization: Core Infrastructure Initiative
9 | Associated-With-Project: false
10 | Compensation-Source: External
11 | - Organization: Open Source Technology Improvement Fund
12 | Associated-With-Project: false
13 | Compensation-Source: External
14 | Domain: Security
15 | Methodology:
16 | - External-Review
17 | Issues-Identified: Non-Severe
18 | Package-URLs:
19 | - pkg:generic/coreinfrastructure.org?download_url=https://www.coreinfrastructure.org/programs/audit-program/
20 | Review-Date: 2019-01-15
21 | Scope: Non-Implementation
22 | Schema-Version: 1.0
23 | SPDX-License-Identifier: CC-BY-4.0
24 |
25 | ---
26 |
27 | ### Summary
28 |
29 | As part of its effort to investigate and improve both internal and external projects, the Linux Foundation funded multiple audits via the Core Infrastructure Initiative (CII) from 2017-2019. The projects include:
30 |
31 | - Chrony
32 | - Hyperledger Composer
33 | - containerd
34 | - CoreDNS
35 | - Envoy
36 | - Hyperledger Fabric
37 | - Hyperledger Indy
38 | - Hyperledger Iroha
39 | - Kubernetes
40 | - NATS
41 | - ntpd
42 | - NTPSec
43 | - Open Policy Agent
44 | - OpenSSL
45 | - Prometheus
46 | - Hyperledger Sawtooth
47 | - TUF/Notary
48 |
49 | ### Details
50 |
51 | See https://www.coreinfrastructure.org/programs/audit-program/ for more information on the security reviews.
52 |
53 | ### Methodology
54 |
55 | The Core Infrastructure Initiative funded audits through various firms. More information on the methodology of each audit is detailed in the link.
56 |
57 | ### External References
58 |
59 | https://www.coreinfrastructure.org/programs/audit-program/
60 |
61 | ### Disclaimer
62 |
63 | All security reviews are conducted on a "best-effort" basis against a software
64 | component at a point in time. We make no guarantee as to the quality or completeness
65 | of any review. If you believe any content is inaccurate, we encourage you to open
66 | an issue or submit a pull request with a correction or improvement.
67 |
68 | ### License
69 |
70 | This text is released under at least the
71 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
72 | Externally-referenced content may be licensed differently.
73 |
--------------------------------------------------------------------------------
/reviews/npm/mime/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Dilan Bhalla
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Web-Search
12 | Issues-Identified: Non-Severe
13 | Package-URLs:
14 | - pkg:npm/mime@1.0.0
15 | - pkg:npm/mime@1.1.0
16 | - pkg:npm/mime@1.2.1
17 | - pkg:npm/mime@1.2.10
18 | - pkg:npm/mime@1.2.11
19 | - pkg:npm/mime@1.2.2
20 | - pkg:npm/mime@1.2.3
21 | - pkg:npm/mime@1.2.4
22 | - pkg:npm/mime@1.2.5
23 | - pkg:npm/mime@1.2.6
24 | - pkg:npm/mime@1.2.7
25 | - pkg:npm/mime@1.2.8
26 | - pkg:npm/mime@1.2.9
27 | - pkg:npm/mime@1.3.0
28 | - pkg:npm/mime@1.3.1
29 | - pkg:npm/mime@1.3.2
30 | - pkg:npm/mime@1.3.3
31 | - pkg:npm/mime@1.3.4
32 | - pkg:npm/mime@1.3.5
33 | - pkg:npm/mime@1.3.6
34 | - pkg:npm/mime@1.4.0
35 | - pkg:npm/mime@2.0.1
36 | - pkg:npm/mime@2.0.2
37 | Review-Date: 2021-02-12
38 | Scope: Implementation/Full
39 | Schema-Version: 1.0
40 | SPDX-License-Identifier: CC-BY-4.0
41 | ---
42 |
43 | ### Summary
44 |
45 | Older versions of this package are susceptible to a low severity vulnerability.
46 |
47 | ### Details
48 |
49 | Versions before 1.4.1, as well as versions 2.0.1 and 2.0.2 of this package, are susceptible to a Regular Expression Denial of Service (ReDoS) attack that can allow an attacker to slow down the user's system. It is recommended to upgrade to a more recent version of this package in which the vulnerability is patched.
50 |
51 | ### Methodology
52 |
53 | 1. Static Analysis (CodeQL)
54 | 2. Additional research
55 |
56 | ### External References
57 |
58 | 1. https://snyk.io/test/npm/mime/1.3.6
59 | 2. https://www.cvedetails.com/vulnerability-list/vendor\_id-20879/Mime-Project.html
60 | 3. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mime
61 | 4. https://www.npmjs.com/advisories/535
62 | 5. https://www.npmjs.com/advisories/535/versions
63 |
64 | ### License
65 |
66 | This text is released under at least the
67 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
68 | External references are under their own licenses, which may be different.
69 |
70 | ### Disclaimer
71 |
72 | All security reviews are conducted on a "best-effort" basis against a software
73 | component at a point in time. We make no guarantees that any review will be accurate
74 | or complete. If you dispute any content within a review, feel free to open an issue
75 | or submit a pull request with a correction or improvement.
76 |
--------------------------------------------------------------------------------
/reviews/C-ares/C-ares.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: OSTIF - X41 D-Sec
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | - Fuzzing
15 | Issues-Identified: Non-Severe
16 | Package-URLs:
17 | - pkg:github/c-ares/c-ares
18 | Review-Date: 2023-05-30
19 | Scope: Implementation/Full
20 | Schema-Version: 1.0
21 | SPDX-License-Identifier: CC-BY-4.0
22 | ---
23 |
24 | ### Summary
25 |
26 | Open Source Technology Improvement Fund organized a security audit of c-ares, funded by Amazon Web Services and carried out by X41 D-Sec.
27 |
28 | ### Details
29 |
30 | C-ares is a library written in C for asynchronous DNS requests, which runs on platforms such as Microsoft Windows, NetWare, and Android. It was developed at MIT, when a group expanded upon the capabilities of the ares library and licensed c-ares in 1998.
31 |
32 | Overall, X41 found the c-ares library to be well designed and implemented. The audit produced six findings: three vulnerabilities rated as medium severity and three rated as informational. Alongside performing static manual code review, the X41 team implemented and customized AFL++ fuzzers during this audit. AFL++ fuzzers have recently gained support for command-line interface (CLI) fuzzing, which was important to this audit because c-ares includes multiple CLI tooling components in its code base. While the audit focused particularly on memory corruption vulnerabilities, which are common in C libraries, two of the medium-severity vulnerabilities were categorized as CWE-330 – Use of Insufficiently Random Values.
33 |
34 | ### Methodology
35 |
36 | See full audit report found at the link below for methodology followed.
37 |
38 | ### External References
39 |
40 | https://ostif.org/our-audit-of-c-ares-is-complete/
41 |
42 | ### Disclaimer
43 |
44 | All security reviews are conducted on a "best-effort" basis against a software
45 | component at a point in time. We make no guarantee as to the quality or completeness
46 | of any review. If you believe any content is inaccurate, we encourage you to open
47 | an issue or submit a pull request with a correction or improvement.
48 |
49 | ### License
50 |
51 | This text is released under at least the
52 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
53 | Externally-referenced content may be licensed differently.
54 |
--------------------------------------------------------------------------------
/reviews/github/open-policy-agent/OPAGatekeeper.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github.com/open-policy-agent/gatekeeper
17 | - pkg:github.com/open-policy-agent/opa
18 | - pkg:github.com/open-policy-agent/frameworks/tree/master/constraint
19 | Review-Date: 2020-03-10
20 | Scope: Implementation/Full
21 | Schema-Version: 1.0
22 | SPDX-License-Identifier: CC-BY-4.0
23 | ---
24 |
25 | ### Summary
26 |
27 | From February 18 through February 21, 2020, Cloud Native Computing Foundation (CNCF) engaged Trail of Bits to review the security of Gatekeeper. Trail of Bits conducted this assessment over the course of two person-weeks with two engineers working from commit hash 98edc61 of the Gatekeeper repository.
28 |
29 | Gatekeeper allows enforcement of CRD-based policies over Kubernetes objects through a Kubernetes validation hook. It uses Open Policy Agent (“OPA”), a policy engine for Cloud Native environments where policies are written in the Rego policy language. It also periodically audits the existing Kubernetes objects against the specified constraints to ensure all objects continue to hold under the specified policies.
30 |
31 | ### Details
32 |
33 | The assessment of Gatekeeper revealed a total of 10 findings ranging from High to Undetermined severity. Most notably, finding TOB-OPAGK-005 details an insecure configuration that allows Gatekeeper validation checks to be bypassed (e.g., by performing a denial of service attack).
34 |
35 | ### Methodology
36 |
37 | No methodology was provided.
38 |
39 | ### External References
40 |
41 | Report: https://github.com/trailofbits/publications/blob/master/reviews/OPAGatekeeper.pdf
42 |
43 | ### Disclaimer
44 |
45 | All security reviews are conducted on a "best-effort" basis against a software
46 | component at a point in time. We make no guarantee as to the quality or completeness
47 | of any review. If you believe any content is inaccurate, we encourage you to open
48 | an issue or submit a pull request with a correction or improvement.
49 |
50 | ### License
51 |
52 | This text is released under at least the
53 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
54 | Externally-referenced content may be licensed differently.
55 |
--------------------------------------------------------------------------------
/reviews/github/fail2ban/fail2ban/2021-07-01-GitHub-Security-Lab.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Kevin Backhouse
6 | Email: kevinbackhouse@github.com
7 | Organization: GitHub
8 | Associated-With-Project: False
9 | Compensation-Source: Non-Project
10 | Domain: Security
11 | Methodology:
12 | - Code-Review
13 | - External-Review
14 | Issues-Identified: Non-Severe
15 | Package-URLs:
16 | - pkg:github/fail2ban/fail2ban@0.11.2
17 | Review-Date: 2021-07-01
18 | Scope: Implementation/Full
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | I audited Fail2Ban for vulnerabilities that could be triggered by either a remote or local attacker. I did not find any exploitable issues.
26 |
27 | ### Details
28 |
29 | Fail2ban protects against brute force password-guessing attacks. In its default configuration, it protects OpenSSH, but it includes configurations for other applications such as asterisk, dropbear, and mysql, that are very easy to enable. I have tested and audited the source code of Fail2ban for security vulnerabilities and did not find any serious issues. Fail2ban has a [known problem](https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Possibility_of_DOS_attack_by_a_local_user) that an unprivileged local user can lock other users out of the system, which may make Fail2ban unsuitable for use on some shared servers. I also found that Fail2ban’s defenses against command injection attacks from a local attacker are not as good as they could be, because they rely on regexes in config files rather than validation in the source code, but I did not find anything that is exploitable in practice.
30 |
31 | ### Methodology
32 |
33 | * Attack surface analysis
34 | * Manual testing of attack surface
35 | * Manual audit of security-sensitive areas of the source code
36 |
37 | ### External References
38 |
39 | https://securitylab.github.com/research/Fail2exploit/
40 |
41 | ### Disclaimer
42 |
43 | All security reviews are conducted on a "best-effort" basis against a software
44 | component at a point in time. We make no guarantee as to the quality or completeness
45 | of any review. If you believe any content is inaccurate, we encourage you to open
46 | an issue or submit a pull request with a correction or improvement.
47 |
48 | ### License
49 |
50 | This text is released under at least the
51 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
52 | Externally-referenced content may be licensed differently.
53 |
--------------------------------------------------------------------------------
/reviews/argo/argo.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Open Source Technology Improvement Fund, Ada Logics
6 | Associated-With-Project: false
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Code-Review
11 | Issues-Identified: Severe
12 | Package-URLs:
13 | - pkg:github/argoproj/argoproj
14 | Review-Date: 2022-04-19
15 | Scope: Implementation/Partial
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 |
19 | ---
20 |
21 | ### Summary
22 |
23 | The audit was facilitated by OSTIF and sponsored by CNCF and carried out by Ada Logics’ team of researchers. We found several high-severity CVEs which the Argo teams have worked hard to fix since mid May. With the release of the report, all CVEs have been fixed.
24 |
25 | ### Details
26 |
27 | The research identified 26 security issues, including 1 critical and 4 high-severity bugs, which were fixed. The most significant finding is a cross-site scripting (XSS) vulnerability in ArgoCD (https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj) that allows an attacker to execute JavaScript code in the UI, which could allow an attacker to take admin control of the Kubernetes cluster.
28 |
29 | Additionally, the Ada Logics team built 7 new fuzzers to integrate into the ossfuzz testing suite for Argo that focus on security relevant functions. The Argo team and community demonstrated a strong commitment to improving the project’s security posture. See the full report and Argo team’s synopsis below for detailed information.
30 |
31 | ### Conclusion
32 |
33 | The audit identified 26 security issues, including 1 critical and 4 high-severity bugs, which were fixed.
34 |
35 |
36 | ### Methodology
37 |
38 | Ada Logics found 26 issues across ArgoCD, Argo Workflows and Argo Events.
39 |
40 | ### External References
41 |
42 | * [Full Report](https://ostif.org/our-audit-of-argo-is-complete-critical-and-high-severity-security-issues-found-and-fixed/)
43 |
44 |
45 | ### Disclaimer
46 |
47 | All security reviews are conducted on a "best-effort" basis against a software
48 | component at a point in time. We make no guarantee as to the quality or completeness
49 | of any review. If you believe any content is inaccurate, we encourage you to open
50 | an issue or submit a pull request with a correction or improvement.
51 |
52 | ### License
53 |
54 | This text is released under at least the
55 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
56 | Externally-referenced content may be licensed differently.
57 |
--------------------------------------------------------------------------------
/Review_Template.md:
--------------------------------------------------------------------------------
1 | ## Review Template
2 |
3 | Below is a template of what is expected in a security review. All of the below content can easily be generated using the form on the [QuickStart](https://ossf.github.io/security-reviews/quickstart.html) page.
4 |
5 | ### Metadata
6 |
7 | This content must appear at the top of the review file. The name, email, and organization fields are optional, but all other fields are required.
8 |
9 | ```
10 | ---
11 | Publication-State: [ "Active" | "Removed" ]
12 | Reviewers:
13 | - Name:
14 | Email:
15 | Organization:
16 | Associated-With-Project: [ true | false ]
17 | Compensation-Source: [ "Project" | "Non-Project" | "External" | "Undisclosed" | "None" ]
18 | Domain: Security
19 | Methodology:
20 | - Static-Analysis
21 | - Code-Review
22 | - Web-Search
23 | - Fuzzing
24 | - External
25 | Issues-Identified: [ "Severe" | "Non-Severe" | "Not-Examined" | "None" ]
26 | Package-URLs:
27 | -
28 | Review-Date: 'YYYY-MM-DD'
29 | Scope: [ "Implementation/Full" | "Implementation/Partial" | "Non-Implementation" ]
30 | Schema-Version: '1.0'
31 | SPDX-License-Identifier: CC-BY-4.0
32 | ---
33 | ```
34 |
35 | ### Summary
36 |
37 | ***Required***: Include a summary of the review here. It can be as simple as, "There were no notable findings." This section should be no more than one short paragraph.
38 |
39 | ### Details
40 |
41 | ***Optional***: Use this section to describe any findings and to provide additional information. It can be as long as you'd like. If a threat model or assumed context is relevant, feel free to include it here.
42 |
43 | ### Methodology
44 |
45 | ***Optional***: This section describes what was actually done when performing the review.
46 |
47 | ### External References
48 |
49 | ***Optional***: If the security review was conducted by a third-party or published at an external location, include a reference to that assessment. You can also reference external URLs for any other purpose.
50 |
51 | ### Disclaimer
52 |
53 | ***Required***: All security reviews are conducted on a "best-effort" basis against a software
54 | component at a point in time. We make no guarantee as to the quality or completeness
55 | of any review. If you believe any content is inaccurate, we encourage you to open
56 | an issue or submit a pull request with a correction or improvement.
57 |
58 | ### License
59 |
60 | ***Required***: This text is released under at least the
61 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
62 | Externally-referenced content may be licensed differently.
63 |
--------------------------------------------------------------------------------
/reviews/_general_/attacks/dependency-confusion-poc-2.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | Issues-Identified: Severe
13 | Package-URLs:
14 | - pkg:npm/msft-wam@0.0.7
15 | - pkg:npm/msft-wam@0.0.8
16 | - pkg:npm/msft-wam@0.4.7
17 | Review-Date: 2021-02-12
18 | Scope: Implementation/Partial
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | This package contains what appears to be a proof-of-concept for the "[dependency confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)"
26 | vulnerability. It exfiltrates basic information (hostname, username, local path) to a remote server using a "postinstall" script.
27 |
28 | Affected packages were removed from the NPM registry on February 12, 2021.
29 |
30 | ### Details
31 |
32 | This package contains what appears to be a proof-of-concept for the "[dependency confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)"
33 | vulnerability. It exfiltrates basic information (hostname, username, local path) to a remote server using a "postinstall" script. While there was no text within
34 | the package that explicitly stated it to be a proof of concept, the username suggested it was created by a security researcher.
35 |
36 | ### Methodology
37 |
38 | We built custom tooling to discover these packages and, after manual triage, reported them to the NPM security team.
39 |
40 | ### External References
41 |
42 | * [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
43 | * [Avoiding npm substitution attacks](https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/)
44 | * [3 Ways to Mitigate Risk When Using Private Package Feeds](https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
45 |
46 | ### Disclaimer
47 |
48 | All security reviews are conducted on a "best-effort" basis against a software
49 | component at a point in time. We make no guarantee as to the quality or completeness
50 | of any review. If you believe any content is inaccurate, we encourage you to open
51 | an issue or submit a pull request with a correction or improvement.
52 |
53 | ### License
54 |
55 | This text is released under at least the
56 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
57 | Externally-referenced content may be licensed differently.
58 |
--------------------------------------------------------------------------------
/reviews/cri-o/crio.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: OSTIF
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Dynamic-Analysis
11 | - Code-Review
12 | - External-Review
13 | Issues-Identified: Severe
14 | Package-URLs:
15 | - pkg:github/cri-o/cri-o
16 | Review-Date: 2022-06-13
17 | Scope: Implementation/Full
18 | Schema-Version: 1.0
19 | SPDX-License-Identifier: CC-BY-4.0
20 | ---
21 |
22 | ### Summary
23 |
24 | Open Source Technology Improvement Fund is thrilled to report the results of a security audit of CRI-O. CRI-O is an open source software (OSS) project that is an implementation of the Kubernetes Container Runtime Interface. It can run any OCI-compatible container, providing an enormous number of applications and environments.
25 |
26 | ### Details
27 |
28 | The high severity finding is a denial of service attack on a given cluster by way of resource exhaustion of nodes. The attack is performed by way of pod creation, which means any user that can create a pod can cause denial of service on the given node that is used for pod creation. The CVE for this vulnerability is CVE-2022-1708 and the GitHub advisory can be found here: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
29 |
30 | Interestingly, the denial of service attack also occurred in other container runtime interface implementations, most notably containerd. Specifically, the exact same attack that exhausts memory in CRI-O can be used to exhaust memory of containerd. The CVE for this issue in containerd is CVE-2022-31030 and the GitHub security advisory can be found here: https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf
31 |
32 | Furthermore, an extensive fuzzing suite targeting the CRI-O infrastructure was integrated as a result of this engagement, providing long-lasting improvements to the security posture of the project.
33 |
34 | ### Methodology
35 |
36 | No methodology was provided.
37 |
38 | ### External References
39 |
40 | https://ostif.org/our-audit-of-cri-o-is-complete-high-severity-issues-found-and-fixed/
41 |
42 | ### Disclaimer
43 |
44 | All security reviews are conducted on a "best-effort" basis against a software
45 | component at a point in time. We make no guarantee as to the quality or completeness
46 | of any review. If you believe any content is inaccurate, we encourage you to open
47 | an issue or submit a pull request with a correction or improvement.
48 |
49 | ### License
50 |
51 | This text is released under at least the
52 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
53 | Externally-referenced content may be licensed differently.
54 |
--------------------------------------------------------------------------------
/reviews/github/madler/zlib/trail-of-bits-2016.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: false
7 | Compensation-Source: non-project
8 | - Organization: TrustInSoft
9 | Associated-With-Project: false
10 | Compensation-Source: non-project
11 | Domain: Security
12 | Methodology:
13 | - External-Review
14 | Issues-Identified: Non-Severe
15 | Package-URLs:
16 | - pkg:github/madler/zlib@1.2.8
17 | Review-Date: 2016-09-30
18 | Scope: Implementation/Partial
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | Five security issues were identified (one medium-risk, four low-risk), all related to undefined behavior. All but one (low risk) issue was fixed before the report was published in September 2016. Users are encouraged to update to the latest stable version (1.2.11 at the time of this writing).
26 |
27 | ### Details
28 |
29 | This assessment resulted in five findings, four of which have been fixed and are described in detail within the [report](https://github.com/trailofbits/publications/blob/master/reviews/zlib.pdf).
30 |
31 | The remaining issue, which was not identified as fixed in the report, has to do with accessing a character buffer using a pointer to an unsigned int. This violates strict aliasing rules and could cause undefined behavior; however, when tested in 2016, compilers produced correct code for the construction. The report contains further recommendations on potential fixes for this remaining issue.
32 |
33 | ### Methodology
34 |
35 | Trail of Bits states that they used an automated vulnerability tool ("CRS") developed for the DARPA Cyber Grand Challenge, augmented by a verification toolkit created by TrustInSoft (TIS-Interpreter) and human review. The testing focused on typical usage scenarios (compression, decompression, Gzip) with emphasis on memory safety and undefined behavior.
36 |
37 | ### External References
38 |
39 | * [Zlib Automated Security Assessment](https://github.com/trailofbits/publications/blob/master/reviews/zlib.pdf)
40 | * [Zlib Repository](https://github.com/madler/zlib)
41 |
42 | ### Disclaimer
43 |
44 | All security reviews are conducted on a "best-effort" basis against a software
45 | component at a point in time. We make no guarantee as to the quality or completeness
46 | of any review. If you believe any content is inaccurate, we encourage you to open
47 | an issue or submit a pull request with a correction or improvement.
48 |
49 | ### License
50 |
51 | This text is released under at least the
52 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
53 | Externally-referenced content may be licensed differently.
54 |
--------------------------------------------------------------------------------
/reviews/nuget/redis-64/review-1.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Microsoft (OSS Security Team)
6 | Associated-With-Project: false
7 | Compensation-Source: None
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Code-Review
12 | - Web-Search
13 | Package-URLs:
14 | - pkg:nuget/redis-64@2.6.8.2
15 | - pkg:nuget/redis-64@2.6.12.1
16 | - pkg:nuget/redis-64@2.6.14
17 | - pkg:nuget/redis-64@2.8.4
18 | - pkg:nuget/redis-64@2.8.9
19 | - pkg:nuget/redis-64@2.8.12
20 | - pkg:nuget/redis-64@2.8.17
21 | - pkg:nuget/redis-64@2.8.19
22 | - pkg:nuget/redis-64@2.8.21
23 | - pkg:nuget/redis-64@2.8.2101
24 | - pkg:nuget/redis-64@2.8.2104
25 | - pkg:nuget/redis-64@2.8.2400
26 | - pkg:nuget/redis-64@2.8.2402
27 | - pkg:nuget/redis-64@3.0.500
28 | - pkg:nuget/redis-64@3.0.501
29 | - pkg:nuget/redis-64@3.0.503
30 | Issues-Identified: Severe
31 | Review-Date: 2019-06-15
32 | Scope: Implementation/Partial
33 | Schema-Version: 1.0
34 | SPDX-License-Identifier: CC-BY-4.0
35 | ---
36 |
37 | ### Summary
38 |
39 | This package is based on a fork from the Redis 3.x branch, which contains
40 | multiple vulnerabilities. It is also abandoned, and should not be used in
41 | any capacity.
42 |
43 | ### Details
44 |
45 | This package is based on a fork from the Redis 3.x branch, which contains
46 | multiple vulnerabilities. It is also abandoned, and should not be used in
47 | any capacity.
48 |
49 | Specifically, the latest version of Redis-64 appears to be based on Redis 3.0.5,
50 | released in October 2015, and has
51 | [eight known CVEs](https://www.cvedetails.com/vulnerability-list/vendor_id-18560/product_id-47087/version_id-250998/Redislabs-Redis-3.0.5.html).
52 |
53 | ### Methodology
54 |
55 | This review was conducted by the Microsoft Open Source Security Team using automated
56 | tools (including static analysis), custom tools, a targeted code review, and some
57 | effort to identify already-known security defects.
58 |
59 | ### External References
60 |
61 | * [nuget.org/packages/redis-64](https://www.nuget.org/packages/redis-64/)
62 | * [CVE Listing for Redis](https://www.cvedetails.com/version-list/18560/47087/1/Redislabs-Redis.html)
63 |
64 | ### Disclaimer
65 |
66 | All security reviews are conducted on a "best-effort" basis against a software
67 | component at a point in time. We make no guarantee as to the quality or completeness
68 | of any review. If you believe any content is inaccurate, we encourage you to open
69 | an issue or submit a pull request with a correction or improvement.
70 |
71 | ### License
72 |
73 | This text is released under at least the
74 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
75 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/linux-distributions/red-hat-enterprise-linux-8.2.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Name: Acumen Security
6 | Associated-With-Project: False
7 | Compensation-Source: Project
8 | Domain: Security
9 | Methodology:
10 | - External-Review
11 | Package-URLs:
12 | - pkg:generic/red-hat-enterprise-linux@8.2?download_url=https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux
13 | Issues-Identified: None
14 | Review-Date: 2022-03-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | ---
19 |
20 | ### Summary
21 |
22 | Red Hat Enterprise Linux 8.2 was evaluated under the Common Criteria for Information Technology Security Evaluation ("Common Criteria") against the Protection Profile for General Purpose Operating Systems Version 4.2.1 with the Extended Package for Secure Shell (SSH) Version 1.0.
23 |
24 | ### Details
25 |
26 | "The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Red Hat Enterprise Linux was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the Red Hat Enterprise Linux 8.2 CC Guidance, satisfies all of the security functional requirements stated in the Red Hat Enterprise Linux 8.2 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in March 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS."
27 |
28 | The target of evaluation (TOE) includes the OpenSSL cryptographic library, SSH client, and SSH server.
29 |
30 | ### Methodology
31 |
32 | The evaluation followed the Common Criteria processes described in the reports.
33 |
34 | ### External References
35 |
36 | For details see: https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11202
37 |
38 | ### Disclaimer
39 |
40 | All security reviews are conducted on a "best-effort" basis against a software
41 | component at a point in time. We make no guarantee as to the quality or completeness
42 | of any review. If you believe any content is inaccurate, we encourage you to open
43 | an issue or submit a pull request with a correction or improvement.
44 |
45 | ### License
46 |
47 | This text is released under at least the
48 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
49 | Externally-referenced content may be licensed differently.
50 |
--------------------------------------------------------------------------------
/reviews/fluxcd/flux2.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: AdaLogics, Open Source Technology Improvement Fund
6 | Associated-With-Project: False
7 | Compensation-Source: Non-Project
8 | Domain: Security
9 | Methodology:
10 | - Dynamic-Analysis
11 | - Code-Review
12 | - External-Review
13 | - Fuzzing
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github/fluxcd/flux2
17 | Review-Date: 2021-09-01
18 | Scope: Implementation/Full
19 | Schema-Version: 1.0
20 | SPDX-License-Identifier: CC-BY-4.0
21 | ---
22 |
23 | ### Summary
24 |
25 | The primary aim was to assess Flux’s fundamental security posture and to identify next steps in its security story. The audit was commissioned by the CNCF and facilitated by OSTIF (the Open Source Technology Improvement Fund). Ada Logics was quickly brought into the picture and spent a month on the audit.
26 |
27 | ### Details
28 |
29 | First CVE in Flux
30 |
31 | Let’s start with what will likely interest you as a Flux user. The engagement uncovered a privilege escalation vulnerability in Flux that could enable users to gain cluster admin privileges. The issue has been fixed and is assigned CVE-2021-41254; the full disclosure advisory is available at the following link:
32 |
33 | CVE-2021-41254: Privilege escalation to cluster admin on multi-tenant Flux.
34 |
35 | Description:
36 |
37 |
38 | Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges.
39 |
40 | Impact:
41 |
42 | Multi-tenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.
43 |
44 | Fix:
45 |
46 | This vulnerability was fixed in kustomize-controller v0.15.0 (included in Flux v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the kubectl binary has been removed from the container image.
47 |
48 | ### Methodology
49 |
50 | Manual review, fuzzing integration
51 |
52 | ### External References
53 |
54 | https://ostif.org/our-audit-of-flux2-is-complete/
55 |
56 | ### Disclaimer
57 |
58 | All security reviews are conducted on a "best-effort" basis against a software
59 | component at a point in time. We make no guarantee as to the quality or completeness
60 | of any review. If you believe any content is inaccurate, we encourage you to open
61 | an issue or submit a pull request with a correction or improvement.
62 |
63 | ### License
64 |
65 | This text is released under at least the
66 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
67 | Externally-referenced content may be licensed differently.
68 |
--------------------------------------------------------------------------------
/reviews/github/zerotier/zerotier-protocol.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - External-Review
11 | Issues-Identified: Not-Examined
12 | Package-URLs:
13 | - pkg:github.com/zerotier
14 | Review-Date: 2020-03-23
15 | Scope: Non-Implementation
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | ---
19 |
20 | ### Summary
21 |
22 | Trail of Bits performed an assessment of the cryptographic components of the ZeroTier protocol. ZeroTier provided some documentation of the protocol and communicated further details about the protocol to Trail of Bits.
23 |
24 | ### Details
25 |
26 | Overall, the assessment resulted in a series of constructive conversations about various components of ZeroTier’s protocol. Trail of Bits has concluded that the AES-GMAC-SIV construction satisfies its desired goals: it is a secure, nonce-misuse-resistant authenticated encryption scheme; it is FIPS compliant; and its security bounds fit within the system’s constraints. The public-key infrastructure is also FIPS compliant.
27 |
28 | As the protocol continues to evolve, recommendations and concerns should be addressed. These concerns comprise theoretical attacks in which the attacker has some amount of control over the network infrastructure or sections of the code that could introduce serious vulnerabilities without careful consideration, but do not in themselves make ZeroTier an insecure protocol.
29 |
30 | ZeroTier should also consider the effect of nodes and network infrastructure controlled by a powerful attacker, and assume nation-states have the resources to mount these attacks. Further, Trail of Bits recommends stating explicitly the protocol’s security guarantees and assumptions. Code implementations should be checked for compliance against the specification; writing these guarantees and assumptions clearly will help ensure compliance. Overall, Trail of Bits finds the protocol to be well designed, and ZeroTier will be protected against wide classes of network attacks if it is implemented in line with the protocol described to Trail of Bits.
31 |
32 | ### Methodology
33 |
34 | No methodology was provided.
35 |
36 | ### External References
37 |
38 | Report: https://github.com/trailofbits/publications/raw/master/reviews/ZeroTierProtocol.pdf
39 |
40 | ### Disclaimer
41 |
42 | All security reviews are conducted on a "best-effort" basis against a software
43 | component at a point in time. We make no guarantee as to the quality or completeness
44 | of any review. If you believe any content is inaccurate, we encourage you to open
45 | an issue or submit a pull request with a correction or improvement.
46 |
47 | ### License
48 |
49 | This text is released under at least the
50 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
51 | Externally-referenced content may be licensed differently.
52 |
--------------------------------------------------------------------------------
/reviews/github/argoproj/argo.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Active
3 | Access: Public
4 | Reviewers:
5 | - Organization: Trail of Bits
6 | Associated-With-Project: False
7 | Compensation-Source: External
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | - Dynamic-Analysis
12 | - Code-Review
13 | - External-Review
14 | Issues-Identified: Severe
15 | Package-URLs:
16 | - pkg:github.com/argoproj/argo-cd
17 | - pkg:github.com/argoproj/argo-events
18 | - pkg:github.com/argoproj/argo-rollouts
19 | - pkg:github.com/argoproj/argo-workflows
20 | - pkg:github.com/argoproj/gitops-engine
21 | - pkg:github.com/argoproj/pkg
22 | Review-Date: 2021-03-12
23 | Scope: Implementation/Full
24 | Schema-Version: 1.0
25 | SPDX-License-Identifier: CC-BY-4.0
26 | ---
27 |
28 | ### Summary
29 |
30 | From March 1 to March 9, 2021, Trail of Bits conducted a code review of the Argo product suite, which includes Argo CD, Argo Workflows, Argo Rollouts, and Argo Events.
31 |
32 | ### Details
33 |
34 | Manual review efforts included investigations into insufficient use of cryptography and data validation, improper handling or assignment of access controls, weak configurations, potential information disclosures, incorrect or dangerous use of auditing and logging, and resource exhaustion attacks. The primary targets of these manual review efforts included Argo CD and Argo Workflows. This review resulted in 23 findings ranging from undetermined to medium severity, as well as several untriaged concerns.
35 | In addition to conducting a deeper review into the above-mentioned classes of issues, Trail of Bits triaged remaining suspicions identified in the previous week. During the remainder of the audit, Trail of Bits placed increased emphasis on Argo Events and Argo Rollouts while generally reviewing concerns regarding insufficient use of authentication, file permissions, Kubernetes best practices, undefined behavior stemming from a lack of documentation or insufficient error handling, race conditions, and general data validation concerns. This resulted in 12 additional findings ranging from medium to informational severity.
36 |
37 | ### Methodology
38 |
39 | No methodology was provided.
40 |
41 | ### External References
42 |
43 | Report - Security Review: https://github.com/trailofbits/publications/blob/master/reviews/argo-securityreview.pdf
44 | Report - Threat Model: https://github.com/trailofbits/publications/blob/master/reviews/argo-threatmodel.pdf
45 |
46 | ### Disclaimer
47 |
48 | All security reviews are conducted on a "best-effort" basis against a software
49 | component at a point in time. We make no guarantee as to the quality or completeness
50 | of any review. If you believe any content is inaccurate, we encourage you to open
51 | an issue or submit a pull request with a correction or improvement.
52 |
53 | ### License
54 |
55 | This text is released under at least the
56 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
57 | Externally-referenced content may be licensed differently.
58 |
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ms/omega-review-2.0.0-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ms@2.0.0
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/zeit/ms#readme)
72 | * [Project Issue Tracker](https://github.com/zeit/ms/issues)
73 | * [Project Repository](https://github.com/zeit/ms)
74 | * [Package on deps.dev](https://deps.dev/npm/ms/2.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ms/omega-review-2.1.1-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ms@2.1.1
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/zeit/ms#readme)
72 | * [Project Issue Tracker](https://github.com/zeit/ms/issues)
73 | * [Project Repository](https://github.com/zeit/ms)
74 | * [Package on deps.dev](https://deps.dev/npm/ms/2.1.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ms/omega-review-2.1.2-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ms@2.1.2
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/zeit/ms#readme)
72 | * [Project Issue Tracker](https://github.com/zeit/ms/issues)
73 | * [Project Repository](https://github.com/zeit/ms)
74 | * [Package on deps.dev](https://deps.dev/npm/ms/2.1.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ms/omega-review-2.1.3-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ms@2.1.3
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/vercel/ms#readme)
72 | * [Project Issue Tracker](https://github.com/vercel/ms/issues)
73 | * [Project Repository](https://github.com/vercel/ms)
74 | * [Package on deps.dev](https://deps.dev/npm/ms/2.1.3)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/has/omega-review-1.0.3-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/has@1.0.3
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/tarruda/has)
72 | * [Project Issue Tracker](https://github.com/tarruda/has/issues)
73 | * [Project Repository](https://github.com/tarruda/has)
74 | * [Package on deps.dev](https://deps.dev/npm/has/1.0.3)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/methods/omega-review-1.1.2-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/methods@1.1.2
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jshttp/methods)
72 | * [Project Issue Tracker](https://github.com/jshttp/methods/issues)
73 | * [Project Repository](https://github.com/jshttp/methods)
74 | * [Package on deps.dev](https://deps.dev/npm/methods/1.1.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/through2/omega-review-0.6.5-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/through2@0.6.5
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/rvagg/through2)
72 | * [Project Issue Tracker](https://github.com/rvagg/through2/issues)
73 | * [Project Repository](https://github.com/rvagg/through2)
74 | * [Package on deps.dev](https://deps.dev/npm/through2/0.6.5)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/inherits/omega-review-2.0.3-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/inherits@2.0.3
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/isaacs/inherits#readme)
72 | * [Project Issue Tracker](https://github.com/isaacs/inherits/issues)
73 | * [Project Repository](https://github.com/isaacs/inherits)
74 | * [Package on deps.dev](https://deps.dev/npm/inherits/2.0.3)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/inherits/omega-review-2.0.4-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/inherits@2.0.4
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/isaacs/inherits#readme)
72 | * [Project Issue Tracker](https://github.com/isaacs/inherits/issues)
73 | * [Project Repository](https://github.com/isaacs/inherits)
74 | * [Package on deps.dev](https://deps.dev/npm/inherits/2.0.4)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/p-try/omega-review-2.2.0-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/p-try@2.2.0
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/p-try#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/p-try/issues)
73 | * [Project Repository](https://github.com/sindresorhus/p-try)
74 | * [Package on deps.dev](https://deps.dev/npm/p-try/2.2.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/p-try/omega-review-3.0.0-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/p-try@3.0.0
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/p-try#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/p-try/issues)
73 | * [Project Repository](https://github.com/sindresorhus/p-try)
74 | * [Package on deps.dev](https://deps.dev/npm/p-try/3.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/strip-ansi/omega-review-3.0.1-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/strip-ansi@3.0.1
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/chalk/strip-ansi)
72 | * [Project Issue Tracker](https://github.com/chalk/strip-ansi/issues)
73 | * [Project Repository](https://github.com/chalk/strip-ansi)
74 | * [Package on deps.dev](https://deps.dev/npm/strip-ansi/3.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ansi-regex/omega-review-2.1.1-2022-05-05.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ansi-regex@2.1.1
14 | Review-Date: 2022-05-05
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-05, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-05, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-05. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/chalk/ansi-regex#readme)
72 | * [Project Issue Tracker](https://github.com/chalk/ansi-regex/issues)
73 | * [Project Repository](https://github.com/chalk/ansi-regex)
74 | * [Package on deps.dev](https://deps.dev/npm/ansi-regex/2.1.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/color-name/omega-review-1.1.4-2022-05-05.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/color-name@1.1.4
14 | Review-Date: 2022-05-05
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-05, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-05, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-05. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/colorjs/color-name)
72 | * [Project Issue Tracker](https://github.com/colorjs/color-name/issues)
73 | * [Project Repository](https://github.com/colorjs/color-name)
74 | * [Package on deps.dev](https://deps.dev/npm/color-name/1.1.4)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/destroy/omega-review-1.0.4-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/destroy@1.0.4
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/stream-utils/destroy)
72 | * [Project Issue Tracker](https://github.com/stream-utils/destroy/issues)
73 | * [Project Repository](https://github.com/stream-utils/destroy)
74 | * [Package on deps.dev](https://deps.dev/npm/destroy/1.0.4)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/is-buffer/omega-review-1.1.6-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/is-buffer@1.1.6
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/feross/is-buffer#readme)
72 | * [Project Issue Tracker](https://github.com/feross/is-buffer/issues)
73 | * [Project Repository](https://github.com/feross/is-buffer)
74 | * [Package on deps.dev](https://deps.dev/npm/is-buffer/1.1.6)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/isarray/omega-review-2.0.5-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/isarray@2.0.5
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/juliangruber/isarray)
72 | * [Project Issue Tracker](https://github.com/juliangruber/isarray/issues)
73 | * [Project Repository](https://github.com/juliangruber/isarray)
74 | * [Package on deps.dev](https://deps.dev/npm/isarray/2.0.5)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/strip-ansi/omega-review-4.0.0-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/strip-ansi@4.0.0
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/chalk/strip-ansi#readme)
72 | * [Project Issue Tracker](https://github.com/chalk/strip-ansi/issues)
73 | * [Project Repository](https://github.com/chalk/strip-ansi)
74 | * [Package on deps.dev](https://deps.dev/npm/strip-ansi/4.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/strip-ansi/omega-review-7.0.1-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/strip-ansi@7.0.1
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/chalk/strip-ansi#readme)
72 | * [Project Issue Tracker](https://github.com/chalk/strip-ansi/issues)
73 | * [Project Repository](https://github.com/chalk/strip-ansi)
74 | * [Package on deps.dev](https://deps.dev/npm/strip-ansi/7.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/encodeurl/omega-review-1.0.2-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/encodeurl@1.0.2
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/pillarjs/encodeurl#readme)
72 | * [Project Issue Tracker](https://github.com/pillarjs/encodeurl/issues)
73 | * [Project Repository](https://github.com/pillarjs/encodeurl)
74 | * [Package on deps.dev](https://deps.dev/npm/encodeurl/1.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/find-up/omega-review-6.3.0-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/find-up@6.3.0
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/find-up#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/find-up/issues)
73 | * [Project Repository](https://github.com/sindresorhus/find-up)
74 | * [Package on deps.dev](https://deps.dev/npm/find-up/6.3.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/isobject/omega-review-3.0.1-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/isobject@3.0.1
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jonschlinkert/isobject)
72 | * [Project Issue Tracker](https://github.com/jonschlinkert/isobject/issues)
73 | * [Project Repository](https://github.com/jonschlinkert/isobject)
74 | * [Package on deps.dev](https://deps.dev/npm/isobject/3.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/onetime/omega-review-6.0.0-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/onetime@6.0.0
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/onetime#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/onetime/issues)
73 | * [Project Repository](https://github.com/sindresorhus/onetime)
74 | * [Package on deps.dev](https://deps.dev/npm/onetime/6.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/p-limit/omega-review-4.0.0-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/p-limit@4.0.0
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/p-limit#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/p-limit/issues)
73 | * [Project Repository](https://github.com/sindresorhus/p-limit)
74 | * [Package on deps.dev](https://deps.dev/npm/p-limit/4.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/pkg-dir/omega-review-6.0.1-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/pkg-dir@6.0.1
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/pkg-dir#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/pkg-dir/issues)
73 | * [Project Repository](https://github.com/sindresorhus/pkg-dir)
74 | * [Package on deps.dev](https://deps.dev/npm/pkg-dir/6.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/buffer-from/omega-review-1.1.1-2022-05-05.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/buffer-from@1.1.1
14 | Review-Date: 2022-05-05
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-05, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-05, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-05. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/LinusU/buffer-from#readme)
72 | * [Project Issue Tracker](https://github.com/LinusU/buffer-from/issues)
73 | * [Project Repository](https://github.com/LinusU/buffer-from)
74 | * [Package on deps.dev](https://deps.dev/npm/buffer-from/1.1.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/core-util-is/omega-review-1.0.1-2022-05-05.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/core-util-is@1.0.1
14 | Review-Date: 2022-05-05
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-05, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-05, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-05. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/isaacs/core-util-is)
72 | * [Project Issue Tracker](https://github.com/isaacs/core-util-is/issues)
73 | * [Project Repository](https://github.com/isaacs/core-util-is)
74 | * [Package on deps.dev](https://deps.dev/npm/core-util-is/1.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/globals/omega-review-13.14.0-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/globals@13.14.0
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the toolchain's results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/globals#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/globals/issues)
73 | * [Project Repository](https://github.com/sindresorhus/globals)
74 | * [Package on deps.dev](https://deps.dev/npm/globals/13.14.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/has-flag/omega-review-3.0.0-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/has-flag@3.0.0
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/has-flag#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/has-flag/issues)
73 | * [Project Repository](https://github.com/sindresorhus/has-flag)
74 | * [Package on deps.dev](https://deps.dev/npm/has-flag/3.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/has-flag/omega-review-5.0.1-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/has-flag@5.0.1
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/has-flag#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/has-flag/issues)
73 | * [Project Repository](https://github.com/sindresorhus/has-flag)
74 | * [Package on deps.dev](https://deps.dev/npm/has-flag/5.0.1)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/mimic-fn/omega-review-4.0.0-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/mimic-fn@4.0.0
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/mimic-fn#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/mimic-fn/issues)
73 | * [Project Repository](https://github.com/sindresorhus/mimic-fn)
74 | * [Package on deps.dev](https://deps.dev/npm/mimic-fn/4.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/p-locate/omega-review-6.0.0-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/p-locate@6.0.0
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/p-locate#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/p-locate/issues)
73 | * [Project Repository](https://github.com/sindresorhus/p-locate)
74 | * [Package on deps.dev](https://deps.dev/npm/p-locate/6.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/path-key/omega-review-4.0.0-2022-05-09.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/path-key@4.0.0
14 | Review-Date: 2022-05-09
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-09, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-09, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-09. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/path-key#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/path-key/issues)
73 | * [Project Repository](https://github.com/sindresorhus/path-key)
74 | * [Package on deps.dev](https://deps.dev/npm/path-key/4.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/ansi-regex/omega-review-2.0.0-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/ansi-regex@2.0.0
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/ansi-regex)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/ansi-regex/issues)
73 | * [Project Repository](https://github.com/sindresorhus/ansi-regex)
74 | * [Package on deps.dev](https://deps.dev/npm/ansi-regex/2.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/callsites/omega-review-4.0.0-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/callsites@4.0.0
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/callsites#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/callsites/issues)
73 | * [Project Repository](https://github.com/sindresorhus/callsites)
74 | * [Package on deps.dev](https://deps.dev/npm/callsites/4.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/core-util-is/omega-review-1.0.2-2022-05-05.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/core-util-is@1.0.2
14 | Review-Date: 2022-05-05
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-05, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-05, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-05. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/isaacs/core-util-is#readme)
72 | * [Project Issue Tracker](https://github.com/isaacs/core-util-is/issues)
73 | * [Project Repository](https://github.com/isaacs/core-util-is)
74 | * [Package on deps.dev](https://deps.dev/npm/core-util-is/1.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/has-value/omega-review-2.0.2-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/has-value@2.0.2
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of results were taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jonschlinkert/has-value)
72 | * [Project Issue Tracker](https://github.com/jonschlinkert/has-value/issues)
73 | * [Project Repository](https://github.com/jonschlinkert/has-value)
74 | * [Package on deps.dev](https://deps.dev/npm/has-value/2.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/imurmurhash/omega-review-0.1.4-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/imurmurhash@0.1.4
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1).
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jensyt/imurmurhash-js)
72 | * [Project Issue Tracker](https://github.com/jensyt/imurmurhash-js/issues)
73 | * [Project Repository](https://github.com/jensyt/imurmurhash-js)
74 | * [Package on deps.dev](https://deps.dev/npm/imurmurhash/0.1.4)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/is-stream/omega-review-1.1.0-2022-05-06.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/is-stream@1.1.0
14 | Review-Date: 2022-05-06
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-06, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-06, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-06. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/is-stream#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/is-stream/issues)
73 | * [Project Repository](https://github.com/sindresorhus/is-stream)
74 | * [Package on deps.dev](https://deps.dev/npm/is-stream/1.1.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/is-stream/omega-review-3.0.0-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/is-stream@3.0.0
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/is-stream#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/is-stream/issues)
73 | * [Project Repository](https://github.com/sindresorhus/is-stream)
74 | * [Package on deps.dev](https://deps.dev/npm/is-stream/3.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/os-tmpdir/omega-review-1.0.2-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/os-tmpdir@1.0.2
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/sindresorhus/os-tmpdir#readme)
72 | * [Project Issue Tracker](https://github.com/sindresorhus/os-tmpdir/issues)
73 | * [Project Repository](https://github.com/sindresorhus/os-tmpdir)
74 | * [Package on deps.dev](https://deps.dev/npm/os-tmpdir/1.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/set-blocking/omega-review-2.0.0-2022-05-07.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/set-blocking@2.0.0
14 | Review-Date: 2022-05-07
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-07, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-07, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-07. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/yargs/set-blocking#readme)
72 | * [Project Issue Tracker](https://github.com/yargs/set-blocking/issues)
73 | * [Project Repository](https://github.com/yargs/set-blocking)
74 | * [Package on deps.dev](https://deps.dev/npm/set-blocking/2.0.0)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/is-windows/omega-review-1.0.2-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/is-windows@1.0.2
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jonschlinkert/is-windows)
72 | * [Project Issue Tracker](https://github.com/jonschlinkert/is-windows/issues)
73 | * [Project Repository](https://github.com/jonschlinkert/is-windows)
74 | * [Package on deps.dev](https://deps.dev/npm/is-windows/1.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------
/reviews/_omega_/npm/lazy-cache/omega-review-2.0.2-2022-05-08.md:
--------------------------------------------------------------------------------
1 | ---
2 | Publication-State: Draft
3 | Access: Public
4 | Reviewers:
5 | - Organization: OpenSSF / Omega
6 | Associated-With-Project: false
7 | Compensation-Source: none
8 | Domain: Security
9 | Methodology:
10 | - Static-Analysis
11 | Issues-Identified: None
12 | Package-URLs:
13 | - pkg:npm/lazy-cache@2.0.2
14 | Review-Date: 2022-05-08
15 | Scope: Implementation/Full
16 | Schema-Version: 1.0
17 | SPDX-License-Identifier: CC-BY-4.0
18 | Private/OpenSSF:
19 | - Omega-Analyzer-Version: 0.7.1
20 | - Omega-Tag: POC;2022-05-05;HC2-ACEG-T100
21 | ---
22 |
23 | ### Summary
24 |
25 | This package was analyzed using the Omega analysis toolchain. No significant issues were
26 | discovered, and as of 2022-05-08, no publicly-known security
27 | vulnerabilities are known to affect this version of the package.
28 |
29 | **IMPORTANT:** This review is 'draft' and experimental at this stage. Do not rely on its
30 | correctness for anything.
31 |
32 | ### Details
33 |
34 | This package was analyzed using the Omega analysis toolchain. No significant issues were
35 | discovered, and as of 2022-05-08, no publicly-known security
36 | vulnerabilities are known to affect this version of the package.
37 |
38 | Analyses may be reproduced using the Omega
39 | [analysis toolchain](https://github.com/alpha-omega/blob/main/omega/analysis/), version
40 | 0.7.1.
41 |
42 | Summarized Results:
43 |
44 | ✔ CodeQL Analysis - PASS
45 |
46 | ✔ Detect-Secrets - PASS
47 |
48 | ✔ NodeJSScan - PASS
49 |
50 | ✔ Semgrep - PASS
51 |
52 | ✔ Rebuildable - PASS
53 |
54 | ✔ No Public Vulnerabilities - PASS
55 |
56 | ### Methodology
57 |
58 | This automated review was executed by the Omega Analysis toolchain, version '0.7.1'
59 | on 2022-05-08. Only a subset of the tool results was taken into account
60 | when creating this review. For more information, view the toolchain referenced in the
61 | `External References` section below.
62 |
63 | The [Open Source Insights](https://deps.dev) website was used to identify publicly-known
64 | vulnerabilities.
65 |
66 | The [OSS Gadget](https://github.com/Microsoft/OSSGadget) reproducibility checker was used to
67 | ensure the deployed package could be recreated from source code.
68 |
69 | ### External References
70 |
71 | * [Home Page](https://github.com/jonschlinkert/lazy-cache)
72 | * [Project Issue Tracker](https://github.com/jonschlinkert/lazy-cache/issues)
73 | * [Project Repository](https://github.com/jonschlinkert/lazy-cache)
74 | * [Package on deps.dev](https://deps.dev/npm/lazy-cache/2.0.2)
75 | * [Omega Analysis Toolchain](https://github.com/alpha-omega/blob/main/omega/analysis)
76 |
77 | ### Disclaimer
78 |
79 | This security review was conducted against the specific version included in the
80 | `Package-URLs` section of this review, at a point in time, using a set of imperfect tools.
81 | This review does not in any way guarantee the quality, completeness of analysis, or lack of
82 | vulnerability.
83 |
84 | ### License
85 |
86 | This text is released under at least the
87 | [Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt).
88 | Externally-referenced content may be licensed differently.
--------------------------------------------------------------------------------