Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

Hi Greg,

> * Security of the build pipeline

> Is this about a specific CI setup, or about the scripts assuming they
> are run by end users?

That entire list was suggestions made by the Eclipse Security team, nothing more. Building up release pipelines is something that I'm working on slowly in the background, but there's nothing on the project side that would merit an audit at the moment.
> * Search for use-after-free and/or buffer overflow
> * Usage of OpenSSL/cJSON/c-ares

> I agree that OpenSSL usage is a reasonable thing to look at.

> I would think that an organization that does audits would be able to run
> their automated tools more or less en masse and then present results,
> which are perhaps overly verbose and too false-positivy, and then spend
> labor hours on figuring out what matters.

The methodology for the OSTIF audits is to focus on a specific area of interest to look at in depth, rather than apply a broad brush approach as you describe. That's why I'm interested in opinions on what the community thinks is important in scope.

Regards,

Roger
