v2.1.0

What's Changed

• SIEP-106 changes and related content updates by @eddie-knight in #117

Housekeeping

• chore: Add jmeridth as maintainer by @eddie-knight in #101
• chore: add CODEOWNERS by @jmeridth in #104
• Fix links by @thomasleplus in #107
• fix: security.champions heading h2 -> h3 by @eddie-knight in #105
• Make the SIEP template valid YAML syntax by @trumant in #108
• fix: siep issue template formatting by @jmeridth in #109
• labels is a list by @trumant in #110
• Further clarify/constrain the cue schema for Project by @trumant in #114
• Further clarify/constrain the cue schema for Repository by @trumant in #115
• Constrain the schema version in the header more clearly by @trumant in #113
• chore: linting by @eddie-knight in #116
• Only use reserved domain names by @funnelfiasco in #124
• Adding project.documentation.support-policy to schema by @trumant in #111
• fix: correct errors in file preventing schema validation by @trumant in #127
• fix: spelling fix for README.md by @trumant in #128
• docs: add adoption guidance docs and example files by @trumant in #130
• fix: add missing Attestation link by @trumant in #131
• feat: support cue exp gengotypes by @trumant in #125
• fix: move go package annotation in schema by @trumant in #132
• docs: improve docs on header.project-si-source by @trumant in #133
• fix: add cue definitions for embedded types by @trumant in #134

New Contributors

• @jmeridth made their first contribution in #104
• @thomasleplus made their first contribution in #107
• @trumant made their first contribution in #108
• @funnelfiasco made their first contribution in #124

Full Changelog: v2.0.0...v2.1.0

v2.0.0

This release completely overhauls the specification based on feedback gained throughout 2024.

The artifacts attached to the bottom of this release contain a PDF version of the specification, two example templates, a Cue schema that can be used to validate a file's contents, and the source code at the time of release.

A go library was added in the latest release of SI Tooling to support the programatic ingestion of security insights files published on GitHub. This tooling is expected to gain additional features soon.

Read more about the work leading up to this release here: #97

What's Changed

• Fix examples by @luigigubello in #66
• SECURITY INSIGHTS v1.1 Roadmap by @luigigubello in #69
• Documention Enhancement by @AOrps in #71
• fix: use status instead of stage by @mmorel-35 in #73
• Doc: Fix WG name by @scovetta in #78
• Replace core-maintainers with core-team by @luigigubello in #76
• Update README.md by @eddie-knight in #81
• Governance Docs by @eddie-knight in #89
• Segment specification in repo for maintainability by @eddie-knight in #82
• Fix typo in specification.md ("specificaion") by @david-a-wheeler in #92
• break: Revamped schema based on ecosystem feedback by @eddie-knight in #96
• fix: Improved clarity around required values by @eddie-knight in #98
• fix: broken links by @eddie-knight in #99
• chore: preparing for v2 release by @eddie-knight in #100
• chore: updated this repo's SI schema-version to v2.0.0 by @eddie-knight in #102
• chore: Updated this repo's SI: last reviewed date by @eddie-knight in #103

New Contributors

• @AOrps made their first contribution in #71
• @mmorel-35 made their first contribution in #73
• @david-a-wheeler made their first contribution in #92
• Feedback contributors are highlighted in the linked issues on #97

Full Changelog: v1.0.0...v2.0.0

v1.0.0

This release is the culmination of more than two years of discussion led by the Open Source Security Foundation within the Identifying Security Threats Working Group. In that time, there has been significant iteration, including limited adoption and feedback from security-minded developers.

As of this release, maintenance is focused on the specification.md file, where readers may find the reasoning behind the project, information about its development, and instructions for usage. The security-insights-schema.yaml schema file is fully compatible with JSON Schema Draft-7 and allows for validation of user's SECURITY_INSIGHTS.yml documents.

Below is an overview of the pull request history from the project's first commit until this release.

What's Changed

• Enforcing schema requirements by @luigigubello in #1
• Require maintainers contacts under certain conditions by @luigigubello in #2
• Improve schema by @luigigubello in #3
• Update readme by @luigigubello in #4
• Add comment property and expiration date property by @luigigubello in #5
• Adding STRIDE Threat Model by @luigigubello in #6
• Accept international URL by @luigigubello in #7
• Add in-scope and out-scope properties in vulnerability-reporting property by @luigigubello in #8
• Add code-of-conduct by @luigigubello in #9
• Add support to SBOM standards by @luigigubello in #10
• Fix errors and improve regex for security contacts by @luigigubello in #12
• Add title and enum version in schema by @luigigubello in #15
• Add command line tool to validate or create yaml by @luigigubello in #13
• Fix some copy-paste typos by @luigigubello in #16
• Boolean value for bot-generated pull requests by @luigigubello in #17
• Add support for PURLs by @luigigubello in #21
• Add bots-list to contribution-policy by @luigigubello in #19
• Versioning policy by @luigigubello in #35
• Add Dockerfile for Python script by @luigigubello in #38
• Basic SECURITY.md by @luigigubello in #39
• Changed 'sbom-name' value to 'sbom-format' by @eddie-knight in #34
• Security Artifacts Schema Change by @eddie-knight in #32
• removed .DS_Store by @eddie-knight in #43
• Removed requirements for some header values by @eddie-knight in #44
• Added sbom-creation value by @eddie-knight in #45
• Extend dependencies schema by @luigigubello in #46
• Add release-cycle and release-process by @luigigubello in #47
• Change type object to array by @luigigubello in #48
• Change from stage to status and add more status. by @luigigubello in #52
• Document the specification in markdown format by @eddie-knight in #37
• Adjusted comment handling for vulnerability reporting by @eddie-knight in #56
• Moved threat model docs by @eddie-knight in #55
• Create SECURITY-INSIGHTS.yml by @scovetta in #51
• Removed parent-security-insights from spec by @eddie-knight in #57
• Added LICENSE.md to cover spec and code by @eddie-knight in #50
• Changed security contact emails by @eddie-knight in #59
• Simplified README.md & moved content to intro by @eddie-knight in #60
• Removed tooling from spec repo by @eddie-knight in #61
• Added simple contribution policy by @eddie-knight in #63
• Rename schema to security-insights-schema.yaml by @eddie-knight in #65

New Contributors

• @luigigubello made their first contribution in #1
• @eddie-knight made their first contribution in #34
• @scovetta made their first contribution in #51

Full Changelog: https://github.com/ossf/security-insights-spec/commits/v1.0.0