Repo File Sync: synced file(s) with microsoft/mu_devops (#10)

microsoft · Feb 2, 2023 · 8508237 · 8508237
1 parent 72f8f6f
commit 8508237
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 42 deletions.
diff --git a/.azurepipelines/Ubuntu-GCC5.yml b/.azurepipelines/Ubuntu-GCC5.yml
@@ -23,7 +23,7 @@ resources:
       ref: refs/tags/v1.4.2
   containers:
     - container: linux-gcc
-      image: ghcr.io/tianocore/containers/fedora-35-build:2113a0e
+      image: ghcr.io/tianocore/containers/fedora-35-build:5b8a008
 
 variables:
 - group: architectures-arm-64-x86-64

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -28,6 +28,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+      timezone: "America/Los_Angeles"
+      time: "06:00"
     commit-message:
       prefix: "GitHub Action"
     labels:
@@ -37,6 +39,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+      timezone: "America/Los_Angeles"
+      time: "01:00"
     commit-message:
       prefix: "pip"
     labels:

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -12,10 +12,26 @@ For each item, place an "x" in between `[` and `]` if true. Example: `[x]`.
 _(you can also check items in the GitHub UI)_
 
 - [ ] Impacts functionality?
+  - **Functionality** - Does the change ultimately impact how firmware functions?
+  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
 - [ ] Impacts security?
+  - **Security** - Does the change have a direct security impact on an application,
+    flow, or firmware?
+  - Examples: Crypto algorithm change, buffer overflow fix, parameter
+    validation improvement, ...
 - [ ] Breaking change?
+  - **Breaking change** - Will anyone consuming this change experience a break
+    in build or boot behavior?
+  - Examples: Add a new library class, move a module to a different repo, call
+    a function in a new library class in a pre-existing module, ...
 - [ ] Includes tests?
+  - **Tests** - Does the change include any explicit test code?
+  - Examples: Unit tests, integration tests, robot tests, ...
 - [ ] Includes documentation?
+  - **Documentation** - Does the change contain explicit documentation additions
+    outside direct code modifications (and comments)?
+  - Examples: Update readme file, add feature readme file, link to documentation
+    on an a separate Web page, ...
 
 ## How This Was Tested
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -18,6 +18,11 @@ section of the relevant Project Mu GitHub repo.
 Every Project Mu repo has an `Issues` section. Bug reports, feature requests, and documentation requests can all be
 submitted in the issues section.
 
+## Security Vulnerabilities
+
+Please review the repos `Security Policy` but in general every Project Mu repo has `Private vulnerability reporting`
+enabled.  Please use the security tab to report a potential issue.  
+
 ### Identify Where to Report
 
 Project Mu is distributed across multiple repositories. Use features such as issues and discussions in the repository

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,41 +1,41 @@
-<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
-
-## Security
-
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
-
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
-
-## Reporting Security Issues
-
-**Please do not report security vulnerabilities through public GitHub issues.**
-
-Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
-
-If you prefer to submit without logging in, send email to [[email protected]](mailto:[email protected]).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
-
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
-
-This information will help us triage your report more quickly.
-
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
-
-## Preferred Languages
-
-We prefer all communications to be in English.
-
-## Policy
-
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
-
-<!-- END MICROSOFT SECURITY.MD BLOCK -->
+# Project Mu Security Policy
+
+Project Mu is an open source firmware project that is leveraged by and combined into
+other projects to build the firmware for a given product.  We build and maintain this
+code with the intent that any consuming projects can use this code as-is.  If features
+or fixes are necessary we ask that they contribute them back to the project.  **But**, that
+said, in the firmware ecosystem there is a lot of variation and differentiation, and
+the license in this project allows flexibility for use without contribution back to
+Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.  
+
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the most recent release branch (or main).
+For a serious vulnerability we may patch older release branches.
+
+## Additional Notes
+
+Project Mu contains code that is available and/or originally authored in other
+repositories (see <https://github.com/tianocore/edk2> as one such example).  For any
+vulnerability found, we may be subject to their security policy and may need to work
+with those groups to resolve amicably and patch the "upstream".  This might involve 
+additional time to release and/or additional confidentiality requirements.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
+repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).