dev  

Messages by Thread

• • Re: [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
• [I] No Comprehensive Endpoint-to-Authorization Mapping (tooling-trusted-releases) via GitHub
  • Re: [I] No Comprehensive Endpoint-to-Authorization Mapping (tooling-trusted-releases) via GitHub
• [I] Database Connection URL Logged at Startup (tooling-trusted-releases) via GitHub
  • Re: [I] Database Connection URL Logged at Startup (tooling-trusted-releases) via GitHub
• [I] `nbf` Claim Not Enforced as Required in ATR JWT Verification (tooling-trusted-releases) via GitHub
• [I] Pre-Release (Release Candidate) Dependency Used in Production (tooling-trusted-releases) via GitHub
• [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
• [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
• [I] innerHTML Read Used Where textContent Is Appropriate (tooling-trusted-releases) via GitHub
  • Re: [I] innerHTML Read Used Where textContent Is Appropriate (tooling-trusted-releases) via GitHub
• [I] API Error Responses Leak Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] API Error Responses Leak Internal Error Details (tooling-trusted-releases) via GitHub
• [I] Web-Issued JWTs Lack PAT Binding and Cannot Be Individually Revoked (tooling-trusted-releases) via GitHub
• [I] Vote Casting POST Endpoint Relies on Indirect Phase Check (tooling-trusted-releases) via GitHub
• [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
• [I] JWT DOM Auto-Clear Lacks Page Lifecycle Event Handlers (tooling-trusted-releases) via GitHub
• [I] Project Deletion Missing Additional Authorization Checks (tooling-trusted-releases) via GitHub
• [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
• [I] API Models Lack Enum Validation for Phase Parameter (tooling-trusted-releases) via GitHub
• [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
  • Re: [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
  • Re: [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
• [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
• [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
  • Re: [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
  • Re: [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
• [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
• [I] JWT TTL Documentation Inconsistency (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Inconsistency (tooling-trusted-releases) via GitHub
• [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
  • Re: [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
  • Re: [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
• [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
  • Re: [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
• [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
• [I] JWT Claims Including User Identity Logged at DEBUG Level (tooling-trusted-releases) via GitHub
  • Re: [I] JWT Claims Including User Identity Logged at DEBUG Level (tooling-trusted-releases) via GitHub
• [I] ZIP Download Streaming Without Size or Time Guards (tooling-trusted-releases) via GitHub
  • Re: [I] ZIP Download Streaming Without Size or Time Guards (tooling-trusted-releases) via GitHub
• [I] No Documented Risk-Based Remediation Timeframes for Vulnerable Components (tooling-trusted-releases) via GitHub
• [I] Unbounded Distribution Status Check Loop (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Distribution Status Check Loop (tooling-trusted-releases) via GitHub
• [I] Syft Installed via Unverified Remote Script Execution (tooling-trusted-releases) via GitHub
• [I] Admin Debug Test Route /admin/raise-error Available in Production (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Debug Test Route /admin/raise-error Available in Production (tooling-trusted-releases) via GitHub
• [I] ZipResponse Does Not Enforce Content-Disposition: attachment (tooling-trusted-releases) via GitHub
  • Re: [I] ZipResponse Does Not Enforce Content-Disposition: attachment (tooling-trusted-releases) via GitHub
• [I] OSV Vulnerability Scanning Has No HTTP Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] OSV Vulnerability Scanning Has No HTTP Timeout (tooling-trusted-releases) via GitHub
• [I] Thread Message Fetching Without Timeout or Concurrency Limit (tooling-trusted-releases) via GitHub
  • Re: [I] Thread Message Fetching Without Timeout or Concurrency Limit (tooling-trusted-releases) via GitHub
• [I] No Documented Update Timeframe for npm/Frontend Dependencies (tooling-trusted-releases) via GitHub
• [I] ShellResponse Serves Executable Content Without Content-Disposition: attachment (tooling-trusted-releases) via GitHub
  • Re: [I] ShellResponse Serves Executable Content Without Content-Disposition: attachment (tooling-trusted-releases) via GitHub
• [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
• [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
• [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
• [I] API Models Accept Client-Submitted Identity Alongside JWT (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Accept Client-Submitted Identity Alongside JWT (tooling-trusted-releases) via GitHub
• [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
• [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
  • Re: [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
  • [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
• [I] WorkflowSSHKey Entries Not Purged After Expiration (tooling-trusted-releases) via GitHub
  • Re: [I] WorkflowSSHKey Entries Not Purged After Expiration (tooling-trusted-releases) via GitHub
• [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
• [I] Unvalidated Identity Parameter in Email and Vote Operations (tooling-trusted-releases) via GitHub
• [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
• [I] Unbounded PGP Key Block Processing in Bulk Operations (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded PGP Key Block Processing in Bulk Operations (tooling-trusted-releases) via GitHub
• [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
  • Re: [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
  • Re: [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
• [I] Session Cache Persists Sensitive Data Indefinitely Without TTL (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cache Persists Sensitive Data Indefinitely Without TTL (tooling-trusted-releases) via GitHub
• [I] Swagger UI and OpenAPI Specification Publicly Accessible (tooling-trusted-releases) via GitHub
  • Re: [I] Swagger UI and OpenAPI Specification Publicly Accessible (tooling-trusted-releases) via GitHub
• [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
  • Re: [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
  • Re: [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
• [I] User Identity Data Sent to External GitHub API (tooling-trusted-releases) via GitHub
  • Re: [I] User Identity Data Sent to External GitHub API (tooling-trusted-releases) via GitHub
• [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
• [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
  • Re: [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
  • [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
• [I] Storage Layer Bypassed for Revision Tag Modification (tooling-trusted-releases) via GitHub
• [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
• [I] Text Response Classes Rely on Implicit Charset from Werkzeug (tooling-trusted-releases) via GitHub
  • Re: [I] Text Response Classes Rely on Implicit Charset from Werkzeug (tooling-trusted-releases) via GitHub
• [I] JWT Audience Values Contain 'test' Identifier (tooling-trusted-releases) via GitHub
  • Re: [I] JWT Audience Values Contain 'test' Identifier (tooling-trusted-releases) via GitHub
  • [I] JWT Audience Values Contain 'test' Identifier (tooling-trusted-releases) via GitHub
  • Re: [I] JWT Audience Values Contain 'test' Identifier (tooling-trusted-releases) via GitHub
• [I] No Formal SBOM for ATR's Own Third-Party Dependencies (tooling-trusted-releases) via GitHub
• [I] Unbounded Response Sizes on Multiple List Endpoints (tooling-trusted-releases) via GitHub
• [I] Admin Pages Using template.blank() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using template.blank() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using template.blank() May Lack Logout Button (tooling-trusted-releases) via GitHub
• [I] No Update Timeframe or Monitoring for Dockerfile-Installed External Tools (tooling-trusted-releases) via GitHub
• [I] Documentation-Code TTL Discrepancy (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation-Code TTL Discrepancy (tooling-trusted-releases) via GitHub
• [I] Session Cookies Signed But Not Encrypted — Documentation Claims Encryption (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cookies Signed But Not Encrypted — Documentation Claims Encryption (tooling-trusted-releases) via GitHub
• [I] Session Cookie Contains PII and Authorization Data in Readable (Signed-But-Not-Encrypted) Format (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cookie Contains PII and Authorization Data in Readable (Signed-But-Not-Encrypted) Format (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cookie Contains PII and Authorization Data in Readable (Signed-But-Not-Encrypted) Format (tooling-trusted-releases) via GitHub
• [I] Unverified JWT Subject Claim Used for Logging Before Signature Verification (tooling-trusted-releases) via GitHub
  • Re: [I] Unverified JWT Subject Claim Used for Logging Before Signature Verification (tooling-trusted-releases) via GitHub
  • [I] Unverified JWT Subject Claim Used for Logging Before Signature Verification (tooling-trusted-releases) via GitHub
  • Re: [I] Unverified JWT Subject Claim Used for Logging Before Signature Verification (tooling-trusted-releases) via GitHub
• [I] Asymmetric Authorization Enforcement Between Read and Write Paths (tooling-trusted-releases) via GitHub
  • Re: [I] Asymmetric Authorization Enforcement Between Read and Write Paths (tooling-trusted-releases) via GitHub
• [I] Defense-in-Depth — Missing AllowOverride None in Apache Downloads Directory (tooling-trusted-releases) via GitHub
  • Re: [I] Defense-in-Depth — Missing AllowOverride None in Apache Downloads Directory (tooling-trusted-releases) via GitHub
• [I] KEYS File Web Upload Lacks Extension Validation (tooling-trusted-releases) via GitHub
  • Re: [I] KEYS File Web Upload Lacks Extension Validation (tooling-trusted-releases) via GitHub
• [I] Expired Personal Access Tokens Not Automatically Purged (tooling-trusted-releases) via GitHub
  • Re: [I] Expired Personal Access Tokens Not Automatically Purged (tooling-trusted-releases) via GitHub
  • [I] Expired Personal Access Tokens Not Automatically Purged (tooling-trusted-releases) via GitHub
• [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
  • [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Discrepancy (30 Minutes Actual vs 90 Minutes Documented) (tooling-trusted-releases) via GitHub
• [I] HSTS Not Applied at Application Level (tooling-trusted-releases) via GitHub
  • Re: [I] HSTS Not Applied at Application Level (tooling-trusted-releases) via GitHub
• [I] OSV API Unbounded Pagination and Detail Fetching (tooling-trusted-releases) via GitHub
• [I] SBOM Conformance External HTTP Requests Without Explicit Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] SBOM Conformance External HTTP Requests Without Explicit Timeout (tooling-trusted-releases) via GitHub
• [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Server Lacks Connection and Idle Timeouts (tooling-trusted-releases) via GitHub
• [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
  • Re: [I] Debug print() Bypasses Structured Logging (tooling-trusted-releases) via GitHub
• [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
  • Re: [I] No Explicit Directory Listing Prevention on Docroot (tooling-trusted-releases) via GitHub
• [I] Binary Tool Downloaded Without Integrity Verification (CycloneDX CLI) (tooling-trusted-releases) via GitHub
• [I] OAuth Client Does Not Request Explicit Scopes (Principle of Least Privilege) (tooling-trusted-releases) via GitHub
• [I] Dynamic Field Assignment Without Explicit Allowlist in Policy Updates (tooling-trusted-releases) via GitHub

• Earlier messages
• Later messages