Etusivu Tutki Apua
Kirjaudu sisään
svi
/
prolet
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: e159a1fb24
Haarat Tagit
prolet
/
vendor
/
go.opentelemetry.io
/
otel
/
SECURITY-INSIGHTS.yml

SECURITY-INSIGHTS.yml 9.6 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 
  1. header:
    2. 

  2.   schema-version: "1.0.0"
    3. 

  3.   expiration-date: "2026-08-04T00:00:00.000Z"
    4. 

  4.   last-updated: "2025-08-04"
    5. 

  5.   last-reviewed: "2025-08-04"
    6. 

  6.   commit-hash: 69e81088ad40f45a0764597326722dea8f3f00a8
    7. 

  7.   project-url: https://github.com/open-telemetry/opentelemetry-go
    8. 

  8.   project-release: "v1.37.0"
    9. 

  9.   changelog: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CHANGELOG.md
    10. 

  10.   license: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/LICENSE
    11. 

  11. 

  12. project-lifecycle:
    13. 

  13.   status: active
    14. 

  14.   bug-fixes-only: false
    15. 

  15.   core-maintainers:
    16. 

  16.     - https://github.com/dmathieu
    17. 

  17.     - https://github.com/dashpole
    18. 

  18.     - https://github.com/pellared
    19. 

  19.     - https://github.com/XSAM
    20. 

  20.     - https://github.com/MrAlias
    21. 

  21.   release-process: |
    22. 

  22.     See https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/RELEASING.md
    23. 

  23. 

  24. contribution-policy:
    25. 

  25.   accepts-pull-requests: true
    26. 

  26.   accepts-automated-pull-requests: true
    27. 

  27.   automated-tools-list:
    28. 

  28.     - automated-tool: dependabot
    29. 

  29.       action: allowed
    30. 

  30.       comment: Automated dependency updates are accepted.
    31. 

  31.     - automated-tool: renovatebot
    32. 

  32.       action: allowed
    33. 

  33.       comment: Automated dependency updates are accepted.
    34. 

  34.     - automated-tool: opentelemetrybot
    35. 

  35.       action: allowed
    36. 

  36.       comment: Automated OpenTelemetry actions are accepted.
    37. 

  37.   contributing-policy: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
    38. 

  38.   code-of-conduct: https://github.com/open-telemetry/.github/blob/ffa15f76b65ec7bcc41f6a0b277edbb74f832206/CODE_OF_CONDUCT.md
    39. 

  39. 

  40. documentation:
    41. 

  41.   - https://pkg.go.dev/go.opentelemetry.io/otel
    42. 

  42.   - https://opentelemetry.io/docs/instrumentation/go/
    43. 

  43. 

  44. distribution-points:
    45. 

  45.   - pkg:golang/go.opentelemetry.io/otel
    46. 

  46.   - pkg:golang/go.opentelemetry.io/otel/bridge/opencensus
    47. 

  47.   - pkg:golang/go.opentelemetry.io/otel/bridge/opencensus/test
    48. 

  48.   - pkg:golang/go.opentelemetry.io/otel/bridge/opentracing
    49. 

  49.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
    50. 

  50.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
    51. 

  51.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace
    52. 

  52.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
    53. 

  53.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
    54. 

  54.   - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdoutmetric
    55. 

  55.   - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdouttrace
    56. 

  56.   - pkg:golang/go.opentelemetry.io/otel/exporters/zipkin
    57. 

  57.   - pkg:golang/go.opentelemetry.io/otel/metric
    58. 

  58.   - pkg:golang/go.opentelemetry.io/otel/sdk
    59. 

  59.   - pkg:golang/go.opentelemetry.io/otel/sdk/metric
    60. 

  60.   - pkg:golang/go.opentelemetry.io/otel/trace
    61. 

  61.   - pkg:golang/go.opentelemetry.io/otel/exporters/prometheus
    62. 

  62.   - pkg:golang/go.opentelemetry.io/otel/log
    63. 

  63.   - pkg:golang/go.opentelemetry.io/otel/log/logtest
    64. 

  64.   - pkg:golang/go.opentelemetry.io/otel/sdk/log
    65. 

  65.   - pkg:golang/go.opentelemetry.io/otel/sdk/log/logtest
    66. 

  66.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc
    67. 

  67.   - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
    68. 

  68.   - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdoutlog
    69. 

  69.   - pkg:golang/go.opentelemetry.io/otel/schema
    70. 

  70. 

  71. security-artifacts:
    72. 

  72.   threat-model:
    73. 

  73.     threat-model-created: false
    74. 

  74.     comment: |
    75. 

  75.       No formal threat model created yet.
    76. 

  76.   self-assessment:
    77. 

  77.     self-assessment-created: false
    78. 

  78.     comment: |
    79. 

  79.       No formal self-assessment yet.
    80. 

  80. 

  81. security-testing:
    82. 

  82.   - tool-type: sca
    83. 

  83.     tool-name: Dependabot
    84. 

  84.     tool-version: latest
    85. 

  85.     tool-url: https://github.com/dependabot
    86. 

  86.     tool-rulesets:
    87. 

  87.       - built-in
    88. 

  88.     integration:
    89. 

  89.       ad-hoc: false
    90. 

  90.       ci: true
    91. 

  91.       before-release: true
    92. 

  92.     comment: |
    93. 

  93.       Automated dependency updates.
    94. 

  94.   - tool-type: sast
    95. 

  95.     tool-name: golangci-lint
    96. 

  96.     tool-version: latest
    97. 

  97.     tool-url: https://github.com/golangci/golangci-lint
    98. 

  98.     tool-rulesets:
    99. 

  99.       - built-in
    100. 

  100.     integration:
    101. 

  101.       ad-hoc: false
    102. 

  102.       ci: true
    103. 

  103.       before-release: true
    104. 

  104.     comment: |
    105. 

  105.       Static analysis in CI.
    106. 

  106.   - tool-type: fuzzing
    107. 

  107.     tool-name: OSS-Fuzz
    108. 

  108.     tool-version: latest
    109. 

  109.     tool-url: https://github.com/google/oss-fuzz
    110. 

  110.     tool-rulesets:
    111. 

  111.       - default
    112. 

  112.     integration:
    113. 

  113.       ad-hoc: false
    114. 

  114.       ci: false
    115. 

  115.       before-release: false
    116. 

  116.     comment: |
    117. 

  117.       OpenTelemetry Go is integrated with OSS-Fuzz for continuous fuzz testing. See https://github.com/google/oss-fuzz/tree/f0f9b221190c6063a773bea606d192ebfc3d00cf/projects/opentelemetry-go for more details.
    118. 

  118.   - tool-type: sast
    119. 

  119.     tool-name: CodeQL
    120. 

  120.     tool-version: latest
    121. 

  121.     tool-url: https://github.com/github/codeql
    122. 

  122.     tool-rulesets:
    123. 

  123.       - default
    124. 

  124.     integration:
    125. 

  125.       ad-hoc: false
    126. 

  126.       ci: true
    127. 

  127.       before-release: true
    128. 

  128.     comment: |
    129. 

  129.       CodeQL static analysis is run in CI for all commits and pull requests to detect security vulnerabilities in the Go source code. See https://github.com/open-telemetry/opentelemetry-go/blob/d5b5b059849720144a03ca5c87561bfbdb940119/.github/workflows/codeql-analysis.yml for workflow details.
    130. 

  130.   - tool-type: sca
    131. 

  131.     tool-name: govulncheck
    132. 

  132.     tool-version: latest
    133. 

  133.     tool-url: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
    134. 

  134.     tool-rulesets:
    135. 

  135.       - default
    136. 

  136.     integration:
    137. 

  137.       ad-hoc: false
    138. 

  138.       ci: true
    139. 

  139.       before-release: true
    140. 

  140.     comment: |
    141. 

  141.       govulncheck is run in CI to detect known vulnerabilities in Go modules and code paths. See https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/.github/workflows/ci.yml for workflow configuration.
    142. 

  142. 

  143. security-assessments:
    144. 

  144.   - auditor-name: 7ASecurity
    145. 

  145.     auditor-url: https://7asecurity.com
    146. 

  146.     auditor-report: https://7asecurity.com/reports/pentest-report-opentelemetry.pdf
    147. 

  147.     report-year: 2023
    148. 

  148.     comment: |
    149. 

  149.       This independent penetration test by 7ASecurity covered OpenTelemetry repositories including opentelemetry-go. The assessment focused on codebase review, threat modeling, and vulnerability identification. See the report for details of findings and recommendations applicable to opentelemetry-go. No critical vulnerabilities were found for this repository.
    150. 

  150. 

  151. security-contacts:
    152. 

  152.   - type: email
    153. 

  153.     value: cncf-opentelemetry-security@lists.cncf.io
    154. 

  154.     primary: true
    155. 

  155.   - type: website
    156. 

  156.     value: https://github.com/open-telemetry/opentelemetry-go/security/policy
    157. 

  157.     primary: false
    158. 

  158. 

  159. vulnerability-reporting:
    160. 

  160.   accepts-vulnerability-reports: true
    161. 

  161.   email-contact: cncf-opentelemetry-security@lists.cncf.io
    162. 

  162.   security-policy: https://github.com/open-telemetry/opentelemetry-go/security/policy
    163. 

  163.   comment: |
    164. 

  164.     Security issues should be reported via email or GitHub security policy page.
    165. 

  165. 

  166. dependencies:
    167. 

  167.   third-party-packages: true
    168. 

  168.   dependencies-lists:
    169. 

  169.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/go.mod
    170. 

  170.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opencensus/go.mod
    171. 

  171.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opencensus/test/go.mod
    172. 

  172.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opentracing/go.mod
    173. 

  173.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlplog/otlploggrpc/go.mod
    174. 

  174.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlplog/otlploghttp/go.mod
    175. 

  175.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlpmetric/otlpmetricgrpc/go.mod
    176. 

  176.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlpmetric/otlpmetrichttp/go.mod
    177. 

  177.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/go.mod
    178. 

  178.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/otlptracegrpc/go.mod
    179. 

  179.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/otlptracehttp/go.mod
    180. 

  180.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/prometheus/go.mod
    181. 

  181.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdoutlog/go.mod
    182. 

  182.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdoutmetric/go.mod
    183. 

  183.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdouttrace/go.mod
    184. 

  184.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/zipkin/go.mod
    185. 

  185.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/internal/tools/go.mod
    186. 

  186.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/log/go.mod
    187. 

  187.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/log/logtest/go.mod
    188. 

  188.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/metric/go.mod
    189. 

  189.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/schema/go.mod
    190. 

  190.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/go.mod
    191. 

  191.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/log/go.mod
    192. 

  192.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/log/logtest/go.mod
    193. 

  193.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/metric/go.mod
    194. 

  194.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/trace/go.mod
    195. 

  195.     - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/trace/internal/telemetry/test/go.mod
    196. 

  196.   dependencies-lifecycle:
    197. 

  197.     policy-url: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
    198. 

  198.     comment: |
    199. 

  199.       Dependency lifecycle managed via go.mod and renovatebot.
    200. 

  200.   env-dependencies-policy:
    201. 

  201.     policy-url: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
    202. 

  202.     comment: |
    203. 

  203.       See contributing policy for environment usage.
    204.