
Create SECURITY.md #1318

Merged: 3 commits, May 4, 2022

Conversation

@joelit (Contributor) commented May 3, 2022

Reasons for creating this PR

The Skosmos repository was missing a security policy file from its community guidelines.

Link to relevant issue(s), if any

Description of the changes in this PR

Known problems or uncertainties in this PR

We need to discuss which versions we are supporting with security patches. Release documentation needs to include updating the security policy file.

Checklist

  • phpUnit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works (if not, explain why below)
  • The PR doesn't introduce unintended code changes (e.g. empty lines or useless reindentation)

@joelit joelit added the maintenance (Dependency changes, security updates, infrastructure tweaks & general maintenance) label May 3, 2022
@joelit joelit added this to the 2.15 milestone May 3, 2022
@joelit joelit self-assigned this May 3, 2022
codecov bot commented May 3, 2022

Codecov Report

Merging #1318 (69c2aa1) into master (a54f285) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master    #1318   +/-   ##
=========================================
  Coverage     70.36%   70.36%           
  Complexity     1649     1649           
=========================================
  Files            32       32           
  Lines          3790     3790           
=========================================
  Hits           2667     2667           
  Misses         1123     1123           


@kinow (Collaborator) left a review comment:

🎉

Probably good to update the release checklist with a note to check the versions in this doc.

Thanks!!!

@osma (Member) commented May 3, 2022

I wonder if we could make use of the newly published RFC 9116 which defines a machine- and human-readable security.txt file format: https://www.rfc-editor.org/rfc/rfc9116 Or is that perhaps overkill?

Ping @kinow , what do you think as the original proposer of this?

@kinow (Collaborator) commented May 4, 2022

> I wonder if we could make use of the newly published RFC 9116 which defines a machine- and human-readable security.txt file format: https://www.rfc-editor.org/rfc/rfc9116 Or is that perhaps overkill?
>
> Ping @kinow , what do you think as the original proposer of this?

I didn't know about this RFC @osma, thanks!

Had a look at the specification, and it looks like it'd be something to have deployed to Finto, for instance, similar to the robots.txt file.

I think SECURITY.md is intended for developers and end-users to learn how to report. And while security.txt can also be used for that, it was created to contain a format with specific fields so that it can be parsed by machines too. From the spec:

> This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.

P.S. Interesting that I can see a security.txt for Google, GitHub, Snyk but OWASP is 404'ing 😅
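For the machine-parsable format kinow describes above, here is an added example (written for this page; it is not code from the Skosmos project or from anyone in this thread): a small Python parser for security.txt plus a checker for the rules RFC 9116 states for its Contact, Expires and Preferred-Languages fields. The two sample files, the example.org addresses and the fixed DEMO_NOW clock are constructed for the demo and are assumptions, not values from the thread.

```python
"""RFC 9116 security.txt parser and checker (added example, not Skosmos code).
Sample files, example.org addresses and DEMO_NOW are constructed for the demo."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fields RFC 9116 defines; anything else is treated as an extension field.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}

# Constructed: what a site would serve at https://<host>/.well-known/security.txt
GOOD_SAMPLE = """\
# Constructed example, not a real deployment.
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, fi
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-policy
"""

# Constructed: a file that breaks several MUST-level rules of the RFC.
BAD_SAMPLE = """\
Contact: http://example.org/report
Contact: security@example.org
Preferred-Languages: en
Preferred-Languages: fi
Hash: SHA256
"""

# Fixed clock so the Expires checks are reproducible (assumption for the demo).
DEMO_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {lower-cased field name: [values in file order]}.

    '#' lines are comments and blank lines are ignored; field names are
    case-insensitive in RFC 9116, so they are lower-cased. A cleartext
    PGP-signed file should be verified and have its signature stripped
    before parsing; this parser does not do that.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value):
    """Parse an RFC 3339 date-time; None if malformed or missing a UTC offset."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def check_security_txt(text, now=None):
    """Apply the RFC 9116 rules for Contact, Expires and Preferred-Languages.

    Returns {"fields": ..., "errors": [...], "warnings": [...]}; an empty
    errors list means the MUST-level rules checked here are satisfied.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors, warnings = [], []

    # Contact MUST appear at least once; each value MUST be a URI, and a
    # web URI MUST use https.
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("Contact: required field is missing")
    for c in contacts:
        scheme = urlparse(c).scheme.lower()
        if not scheme:
            errors.append(f"Contact: not a URI (missing scheme): {c!r}")
        elif scheme == "http":
            errors.append(f"Contact: web URIs must use https: {c!r}")

    # Expires MUST appear exactly once as an RFC 3339 date-time; a value
    # less than a year ahead is RECOMMENDED, and a past value means stale.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append(f"Expires: must appear exactly once, found {len(expires)}")
    else:
        when = _parse_rfc3339(expires[0])
        if when is None:
            errors.append(f"Expires: not an RFC 3339 date-time: {expires[0]!r}")
        elif when <= now:
            errors.append("Expires: in the past, the file is stale")
        elif when - now > timedelta(days=365):
            warnings.append("Expires: more than a year ahead (RFC 9116 recommends less)")

    # Preferred-Languages MUST NOT appear more than once.
    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages: must not appear more than once")

    for name in fields:
        if name not in KNOWN_FIELDS:
            warnings.append(f"{name}: not defined by RFC 9116 (extension field?)")

    return {"fields": fields, "errors": errors, "warnings": warnings}
```

Call `check_security_txt(body)` on the text fetched from `https://<host>/.well-known/security.txt` (the RFC requires that path and HTTPS, which is why the checker rejects `http://` contact URIs); a non-empty `errors` list is what a deployment check for a site like Finto should fail on, while `warnings` covers the RECOMMENDED-level points and extension fields.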

@kinow (Collaborator) left a review comment:

Easier! No need to add one more item to the release process, good idea!

@joelit (Contributor, Author) commented May 4, 2022

So, this is how the latest iteration would look - less upkeep with no version numbers.

[Screenshot from 2022-05-04 11-04-31]

Reviewed section of SECURITY.md (outdated revision):

> ## Supported Versions
>
> Following Skosmos versions are currently being supported with security updates. The "current development branch" means the master branch of the repository, whereas the "maintenance branch" corresponds with the latest release of Skosmos.
Member left a review comment on this section:

"currently being supported with security updates" - this doesn't say who is responsible. Could we say:

currently being supported with security updates by the Skosmos development team at the National Library of Finland.

Minor grammar correction: "corresponds with" -> "corresponds to"

To be a bit more explicit about branches, could we express it like this:

whereas the "maintenance branch" is a branch called vX.X-maintenance, where the version number X.X corresponds to the latest release of Skosmos.

sonarcloud bot commented May 4, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: no information
  • Duplication: no information

@osma (Member) left a review comment:

LGTM!

@joelit joelit merged commit 566ad4b into master May 4, 2022
@joelit joelit deleted the issue1292-security-policy branch May 4, 2022 13:30
Labels
maintenance (Dependency changes, security updates, infrastructure tweaks & general maintenance); needs discussion
Development

Successfully merging this pull request may close these issues.

Create a SECURITY.md file
3 participants