For the full incident response process, severity classification, response timelines, and disclosure policy, see oss.mevtc.com/security.
Do not open a public GitHub issue. Email info.security@mevtc.com.
| Version | Supported |
|---|---|
| 0.4.x | Yes |
| 0.3.x | No |
This project uses Hypothesis for property-based fuzz testing. Fuzz tests run in CI on every push and merge request, with higher iteration counts on nightly schedules.
Fuzz test coverage includes CN parsers (CAC dot-format, PIV flexible, ECA human-readable) with arbitrary unicode input, federal provider OID matching with random OID sets, heuristic matching with arbitrary strings, and identity extraction postconditions for all credential types.
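As an added illustration (not the project's own code), a Hypothesis property test of the shape described above for a stand-in CAC dot-format CN parser: arbitrary Unicode input must never raise, and every accepted identity must satisfy the extraction postconditions. The CN layout LAST.FIRST[.MIDDLE].EDIPI, the 10-digit EDIPI rule and all function names are assumptions, not taken from pki-federal.

```python
# Added example, not the project's own parser or tests. Assumed CN layout: LAST.FIRST[.MIDDLE].EDIPI
import unicodedata
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CacIdentity:
    last: str
    first: str
    middle: str  # "" when the CN carries no middle name
    edipi: str

def _name_ok(s: str) -> bool:
    # Non-empty, no whitespace, no control/format/surrogate/unassigned code points.
    return bool(s) and not any(c.isspace() or unicodedata.category(c)[0] == "C" for c in s)

def _edipi_ok(s: str) -> bool:
    return len(s) == 10 and s.isascii() and s.isdigit()  # str.isdigit alone admits other scripts

def parse_cac_cn(cn: str) -> Optional[CacIdentity]:
    """Return the parsed identity, or None for anything malformed; must never raise."""
    parts = cn.split(".")
    if len(parts) not in (3, 4):
        return None
    *names, edipi = parts
    if not _edipi_ok(edipi) or not all(_name_ok(n) for n in names):
        return None
    return CacIdentity(names[0], names[1], names[2] if len(names) == 3 else "", edipi)

def identity_postconditions(cn: str, ident: Optional[CacIdentity]) -> bool:
    """What every (input, result) pair must satisfy; rejecting is always acceptable."""
    if ident is None:
        return True
    names = [ident.last, ident.first] + ([ident.middle] if ident.middle else [])
    round_trip = ".".join(names + [ident.edipi]) == cn  # no silent normalisation
    return _edipi_ok(ident.edipi) and all(_name_ok(n) for n in names) and round_trip

def fuzz_cac_parser(max_examples: int = 500) -> None:
    from hypothesis import given, settings, strategies as st  # lazy: parser has no test dependency
    @settings(max_examples=max_examples)
    @given(st.text())  # arbitrary Unicode, control characters included
    def never_raises_and_postconditions_hold(cn: str) -> None:
        assert identity_postconditions(cn, parse_cac_cn(cn))
    @settings(max_examples=max_examples)
    @given(st.from_regex(r"[A-Z]+\.[A-Z]+(\.[A-Z]+)?\.[0-9]{10}", fullmatch=True))
    def well_formed_is_accepted(cn: str) -> None:
        assert parse_cac_cn(cn) is not None
    never_raises_and_postconditions_hold()
    well_formed_is_accepted()
```

Calling fuzz_cac_parser() with a larger max_examples reproduces the nightly-style higher iteration count; the second property guards against a parser that trivially rejects everything.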
The following static analysis checks are suppressed project-wide. Each suppression is documented here with its justification.
Bandit suppressions are configured in pyproject.toml under [tool.bandit].
| Rule | Description | Justification |
|---|---|---|
| B101 | assert used outside tests | Asserts are used only in test code. Bandit scans src/ only (exclude_dirs = ["tests"]), but the suppression avoids false positives from shared fixtures. |
| B110 | try/except/pass (bare exception handling) | Inherited from pki-core defaults. Not currently triggered in pki-federal source. |
Ruff suppressions are configured in pyproject.toml under [tool.ruff.lint].
| Rule | Description | Justification |
|---|---|---|
| E501 | Line too long | Line length is enforced by ruff format, not the linter. Suppressing the lint rule avoids conflicts between the formatter and linter. |