From 5d3fba7700767d866445a475f83af7163d5f2db8 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sun, 16 Apr 2023 18:04:32 +0200 Subject: [PATCH 01/25] feat: copied passing criteria Questions and Answers Ref: https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=2 --- tools/ossf_best_practices/gold_criteria.md | 152 +++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 tools/ossf_best_practices/gold_criteria.md diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md new file mode 100644 index 000000000..71fa3af38 --- /dev/null +++ b/tools/ossf_best_practices/gold_criteria.md 
@@ -0,0 +1,152 @@ +Check the official [report](https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=2) as some questions include additional information that might be relevant to understand the context around the question. + + +# Basics +> What is the human-readable name of the project? + +Node.js + +> What is a brief description of the project? + +Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine + +> What is the URL for the project (as a whole)? + +https://nodejs.org + +> What is the URL for the version control repository (it may be the same as the project URL)? + +https://github.com/nodejs/node + +## Prerequisites + +> The project MUST achieve a silver level badge. + +**Unmet** + + +## Project oversight + +> The project MUST have a "bus factor" of 2 or more. (URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST have at least two unassociated significant contributors. + +_Possible answers: Met/Unmet_ + +## Other + +> The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). + +_Possible answers: Met/Unmet_ + +> The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) + +_Possible answers: Met/Unmet_ + +# Change Control + +## Public version-controlled source repository + +> The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). + +_Possible answers: Met/Unmet_ + +> The project MUST clearly identify small tasks that can be performed by new or casual contributors. 
(URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. + +_Possible answers: Met/Unmet_ + +> The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. + +_Possible answers: Met/Unmet_ + +# Quality + +## Coding standards + +> The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) + +_Possible answers: Met/Unmet/NA_ + +> The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion + +_Possible answers: Met/Unmet_ + +## Working build system + +> The project MUST have a [reproducible build](https://reproducible-builds.org/). If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) + +_Possible answers: Met/Unmet/NA_ + + +## Automated test suite + + +> A test suite MUST be invocable in a standard way for that language. + +_Possible answers: Met/Unmet_ + +> The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. 
+ +**Met** +https://ci.nodejs.org/ + +> The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. + +_Possible answers: Met/Unmet/NA_ + +> The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. + +_Possible answers: Met/Unmet/NA_ + + +# Security + +## Use basic good cryptographic practices + +_Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of [Understanding Open Source Technology & US Export Controls](https://www.linuxfoundation.org/resources/publications/understanding-us-export-controls-with-os-projects/)._ + +> The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + + +> The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). 
+ +_Possible answers: Met/Unmet/NA_ + + + +## Secured delivery against man-in-the-middle (MITM) attacks + +> The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) + +_Possible answers: Met/Unmet_ + +## Other security issues + +> The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. + +_Possible answers: Met/Unmet_ + +> Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) + +_Possible answers: Met/Unmet/NA_ + + +# Analysis + +> The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. + +**Unmet** +Infrastructure for running several different dynamic analysis tools is provided by the project. See: https://github.com/nodejs/node/tree/master/tools + + +> The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. + +_Possible answers: Met/Unmet/NA_ From d9362388592b4ebc63ea353b96a46036739f9a75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:53:50 +0100 Subject: [PATCH 02/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 71fa3af38..7d3062f4b 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -22,7 +22,7 @@ https://github.com/nodejs/node > The project MUST achieve a silver level badge. -**Unmet** +**Met** ## Project oversight 
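Review bot: In PATCH 01, the Analysis section answers the dynamic-analysis criterion with **Unmet**, but the justification directly under it ("Infrastructure for running several different dynamic analysis tools is provided by the project") reads as an argument for Met; pick one and make the note support it, for example by naming which tools are actually run against a proposed major release, or by stating that none are. The supporting link points at `tree/master/tools`, while later answers in this series link the `main` branch, so it should be updated. Minor: the subject line says "passing criteria", while the file created is gold_criteria.md and the Ref URL is the criteria_level=2 report.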
From 92588d06ede019ce14d8ec9f15edb05175efdd71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:53:58 +0100 Subject: [PATCH 03/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 7d3062f4b..aeaf29cac 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -29,7 +29,7 @@ https://github.com/nodejs/node > The project MUST have a "bus factor" of 2 or more. (URL required) -_Possible answers: Met/Unmet_ +**Met** > The project MUST have at least two unassociated significant contributors. From ba689e7fb29578c1fb2799cf85509e1d01cb5e9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:54:05 +0100 Subject: [PATCH 04/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index aeaf29cac..a13ac4f2a 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -33,7 +33,7 @@ https://github.com/nodejs/node > The project MUST have at least two unassociated significant contributors. -_Possible answers: Met/Unmet_ +**Met** ## Other From 871db48b1ef750ee42dc353b42b55627fde09dc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:57:06 +0100 Subject: [PATCH 05/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index a13ac4f2a..b2b2bb0e3 100644 
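Review bot: In PATCH 03 the bus-factor criterion is marked "(URL required)" yet the answer is a bare **Met**; the badge form will not accept this without a link, so the answer should carry the URL the project uses as evidence. PATCH 22 later adds only Context links (criterion text and the silver criteria file) under this question, not the required evidence URL.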
--- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -39,7 +39,7 @@ https://github.com/nodejs/node > The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). -_Possible answers: Met/Unmet_ +**Unmet** > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) From 58a041193af7adc9ea28645b91dfb4e225903579 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:57:35 +0100 Subject: [PATCH 06/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index b2b2bb0e3..39b10aa23 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -43,7 +43,7 @@ https://github.com/nodejs/node > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) -_Possible answers: Met/Unmet_ +**Unmet** # Change Control From 19aab9fee6d79d35b205157569e57cede11868de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:57:52 +0100 Subject: [PATCH 07/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 39b10aa23..9f78e4f34 100644 
--- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -51,7 +51,7 @@ https://github.com/nodejs/node > The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). -_Possible answers: Met/Unmet_ +**Met** > The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) From e0fd2db3e8ad193fbffad31ff1568e22fcb70b04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:57:59 +0100 Subject: [PATCH 08/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 9f78e4f34..a4e0c735c 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -136,7 +136,7 @@ _Possible answers: Met/Unmet_ > Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) -_Possible answers: Met/Unmet/NA_ +**N/A** # Analysis From d36c6e00a69ad9020bb3cdb6ca8581e8606ccb5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:58:35 +0100 Subject: [PATCH 09/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index a4e0c735c..404571aeb 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md 
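Review bot: In PATCH 08 the hardening-mechanisms criterion is answered **N/A**, which is hard to defend: N/A is meant for software to which hardening cannot apply, and this same series later answers the reproducible-build criterion **Unmet** rather than N/A, i.e. the project does compile a native binary, so compiler and linker hardening is applicable. The criterion is also "(URL required)". Suggest **Met** with a link to the build-hardening configuration the project uses, or **Unmet** if none is in place, rather than N/A.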
@@ -55,7 +55,7 @@ https://github.com/nodejs/node > The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) -_Possible answers: Met/Unmet_ +**Met** > The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. From 5a25aa4fefd46cd83c0dfc587090eedcd6ff818b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:59:01 +0100 Subject: [PATCH 10/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 404571aeb..6fa63d28b 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -132,7 +132,7 @@ _Possible answers: Met/Unmet_ > The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. -_Possible answers: Met/Unmet_ +**Unmet** > Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) From 702f6d31e917e353a7767fba8c33ebeef703ddf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:59:18 +0100 Subject: [PATCH 11/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 6fa63d28b..91bc4eaa7 100644 --- a/tools/ossf_best_practices/gold_criteria.md 
+++ b/tools/ossf_best_practices/gold_criteria.md @@ -113,7 +113,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**N/A** > The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). From af5c87c5047a5b0dabec8df7ab726838a78158c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:59:28 +0100 Subject: [PATCH 12/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 91bc4eaa7..966b72849 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -118,7 +118,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** From 58b436443657284d6e4ded17531751d2e303f7e1 Mon Sep 17 00:00:00 2001 
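Review bot: PATCH 11 answers the secure-protocols criterion **N/A**, which by the criterion's own text means "the software produced by the project does not support network communications", while PATCH 12 on the same line answers the TLS criterion **Met**, which presupposes that it does. The two answers contradict each other. If the intent is that the criterion is being read as applying only to the project's own communications and not to what the runtime lets users do, say so in the answer; otherwise answer Met/Unmet and state that the insecure protocols listed in the criterion are disabled by default.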
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 18:59:41 +0100 Subject: [PATCH 13/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 966b72849..7ead1c0fb 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -126,7 +126,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) -_Possible answers: Met/Unmet_ +**Met** ## Other security issues From 5e75801eaa9875db4fa076cfac2f65826194ec29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:00:18 +0100 Subject: [PATCH 14/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 7ead1c0fb..bf33f2f8f 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -149,4 +149,4 @@ Infrastructure for running several different dynamic analysis tools is provided > The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. -_Possible answers: Met/Unmet/NA_ +**Unmet** From 0d60f6256a85f79dde268fcb4bb417feb704f790 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:00:34 +0100 Subject: [PATCH 15/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
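Review bot: PATCH 13 marks the hardening-headers criterion **Met** with no link, although the criterion says "(URL required)"; add the URL of the website or download site (or of a header scan of it) that demonstrates the nonpermissive values, so the claim can be checked by the badge reviewer.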
diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index bf33f2f8f..512acdb60 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -102,7 +102,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -_Possible answers: Met/Unmet/NA_ +**Met** # Security From 676d31ee2f05fe2d60ff705c016df198e9c97a0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:00:57 +0100 Subject: [PATCH 16/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 512acdb60..874e55e01 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -59,7 +59,7 @@ https://github.com/nodejs/node > The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. -_Possible answers: Met/Unmet_ +**Met** > The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. From 1feeaa858034f335e2a94a440b79f9c19c8786c5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:01:09 +0100 Subject: [PATCH 17/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 874e55e01..4dc491f3e 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -63,7 +63,7 @@ https://github.com/nodejs/node > The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. -_Possible answers: Met/Unmet_ +**Met** # Quality From 4934f9863e3bb23c59cd8f304c615b58d4e4fe12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:01:27 +0100 Subject: [PATCH 18/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 4dc491f3e..40832e103 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -75,7 +75,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion -_Possible answers: Met/Unmet_ +**Met** ## Working build system From 66c2f34f367488756a003c17d3a6221efa49adeb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:01:39 +0100 Subject: [PATCH 19/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 40832e103..4bb7f53b5 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -98,7 +98,7 @@ https://ci.nodejs.org/ > The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. From da57efe93528e5e593468fd6f28d46d40df3bbde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:01:52 +0100 Subject: [PATCH 20/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 4bb7f53b5..9b0055fc5 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md 
@@ -71,7 +71,7 @@ https://github.com/nodejs/node > The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion From 0cfdca9206c431edbf62567b4948f230edf55bcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 26 Nov 2023 19:02:01 +0100 Subject: [PATCH 21/25] Update tools/ossf_best_practices/gold_criteria.md --- tools/ossf_best_practices/gold_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 9b0055fc5..4655fec48 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -89,7 +89,7 @@ _Possible answers: Met/Unmet/NA_ > A test suite MUST be invocable in a standard way for that language. -_Possible answers: Met/Unmet_ +**Met** > The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. From f639ecbbd789989071ac53e46cee64601a337461 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sun, 26 Nov 2023 19:53:28 +0100 Subject: [PATCH 22/25] docs: added questions context and consolidate the current responses --- tools/ossf_best_practices/gold_criteria.md | 128 ++++++++++++++++++--- 1 file changed, 112 insertions(+), 16 deletions(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 4655fec48..a9e6c6a74 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md 
@@ -4,19 +4,19 @@ Check the official [report](https://bestpractices.coreinfrastructure.org/en/proj # Basics > What is the human-readable name of the project? -Node.js +_[Inherit from passing criteria](/tools/ossf_best_practices/passing_criteria.md)_ > What is a brief description of the project? -Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine +_[Inherit from passing criteria](/tools/ossf_best_practices/passing_criteria.md)_ > What is the URL for the project (as a whole)? -https://nodejs.org +_[Inherit from passing criteria](/tools/ossf_best_practices/passing_criteria.md)_ > What is the URL for the version control repository (it may be the same as the project URL)? -https://github.com/nodejs/node +_[Inherit from passing criteria](/tools/ossf_best_practices/passing_criteria.md)_ ## Prerequisites @@ -24,6 +24,10 @@ https://github.com/nodejs/node **Met** +Context: +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307380987) + ## Project oversight 
@@ -31,20 +35,39 @@ https://github.com/nodejs/node **Met** +Context: +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) + + > The project MUST have at least two unassociated significant contributors. **Met** +Context: +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Contributors Unassociated](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#contributors_unassociated) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307388569) + ## Other > The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). -**Unmet** +**Meet** + +Context: +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Copyright Per File](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#copyright_per_file) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307391551) > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) **Unmet** +Context: +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307392811) + # Change Control ## Public version-controlled source repository 
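Review bot: "**Meet**" in the copyright-statement answer is a typo for "**Met**". Since this hunk also flips that answer from Unmet to Met, the answer itself should state what the evidence is (the Context links only point to the criterion text and the discussion thread), because the badge reviewer reads the answer, not the thread.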
@@ -53,17 +76,34 @@ https://github.com/nodejs/node **Met** +Context: +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307393521) + > The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) -**Met** +**Met. For example https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22** + +Context: +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307394640) > The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. **Met** +Context: +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [CII Best Practices: Require 2FA](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#require_2FA) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307396475) + > The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. -**Met** +**Met. We Use Github, so we follow the recommendations. 
Documentation: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication** + +Context: +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307398661) # Quality 
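Review bot: The answer to the cryptographic-2FA criterion, "We Use Github, so we follow the recommendations", does not establish what the criterion asks: GitHub supports both SMS and cryptographic second factors (TOTP apps, security keys), and the criterion text says SMS-only 2FA does NOT qualify. State whether the organisation actually requires a non-SMS method for members who can push or read private vulnerability reports, and link that policy rather than GitHub's general 2FA documentation. Also "Github" should be spelled "GitHub".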
@@ -71,17 +111,30 @@ https://github.com/nodejs/node > The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) -**Met** +**Met. The process is documented: https://github.com/nodejs/node/blob/main/doc/contributing/pull-requests.md#reviewing-pull-requests** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307403399) > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion -**Met** +**Met. Currently the repo is monitored against the OSSF Scorecard, where this is checked every 2 weeks in the Security Team regular meetings. See: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Two Person Review](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#two_person_review) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307402095) + ## Working build system > The project MUST have a [reproducible build](https://reproducible-builds.org/). If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) -_Possible answers: Met/Unmet/NA_ +**Unmet** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) ## Automated test suite 
@@ -91,18 +144,34 @@ _Possible answers: Met/Unmet/NA_ **Met** +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307404137) + > The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. -**Met** -https://ci.nodejs.org/ +**Met. https://ci.nodejs.org/** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) > The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -**Met** +**Met. This is part of the CI Checks in place** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_statement_coverage90) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405014) > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -**Met** +**Met. This is part of the CI Checks in place** + +Context: +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Test Branch Coverage 80%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_branch_coverage80) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405888) # Security 
@@ -115,11 +184,19 @@ _Note that some software does not need to use cryptographic mechanisms. If your **N/A** +Context: +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307415866) +- [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) > The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). **Met** +Context: +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307415066) +- [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) ## Secured delivery against man-in-the-middle (MITM) attacks 
@@ -128,25 +205,44 @@ _Note that some software does not need to use cryptographic mechanisms. If your **Met** +Context: +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307413951) + ## Other security issues > The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. **Unmet** +Context: +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307412553) + > Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) **N/A** +Context: +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307407833) +- [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) + # Analysis > The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. -**Unmet** -Infrastructure for running several different dynamic analysis tools is provided by the project. See: https://github.com/nodejs/node/tree/master/tools +**Unmet. Infrastructure for running several different dynamic analysis tools is provided by the project. 
See: https://github.com/nodejs/node/tree/master/tools** + +Context: +- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-analysis-1) > The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. **Unmet** + +Context: +- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-analysis-1) +- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307406630) From 3f496a89aa0d4a905f33d0bda0ef417f392e3070 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 4 Jan 2024 18:52:04 +0100 Subject: [PATCH 23/25] docs: add commit hash reference for the context links --- tools/ossf_best_practices/gold_criteria.md | 62 +++++++++++----------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index a9e6c6a74..2b0839406 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -25,7 +25,7 @@ _[Inherit from passing criteria](/tools/ossf_best_practices/passing_criteria.md) **Met** Context: -- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307380987) 
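Review bot: in the hunk starting `@@ -71,17 +111,30 @@`, the reproducible-build answer becomes a bare `**Unmet**` with only the CII criterion link under `Context:`, while every other answer changed in the same hunk also gets a `[Team Discussion]` link; an Unmet gold criterion needs either the discussion that concluded it is unmet or a tracking issue, otherwise the next person revisiting the status has nothing to start from. Suggest adding the discussion link or an issue there. In the same hunk, `**Met. Currently the repo is monitored against the OSSF Scorecard, where this is checked every 2 weeks ...**` links a `blob/main/...` report that changes over time, so the evidence for the 50% review claim is not stable; a pinned report or the Scorecard check name would be easier to verify.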
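Review bot: in the hunk starting `@@ -91,18 +144,34 @@`, `**Met. This is part of the CI Checks in place**` is used for both the 90% statement coverage and the 80% branch coverage criteria but gives no evidence for either; both criteria ask for a FLOSS tool that measures the figure, so each answer should name the coverage tool and link the report that shows the percentage rather than describe the CI in general. Suggest replacing the sentence in both answers with a link to the coverage report.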
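Review bot: in the hunk starting `@@ -115,11 +184,19 @@`, the TLS 1.2 answer stays a bare `**Met**` and only gains context links; a reader cannot tell from it which TLS implementation the software ships or what its minimum supported protocol version is, which is the whole criterion. Suggest stating the TLS library and the minimum version in the answer text, or pointing the answer at the exact passage of the Silver answer it relies on instead of the file as a whole.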
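Review bot: in the hunk starting `@@ -128,25 +205,44 @@`, the dynamic-analysis answer records `**Unmet**` but its justification, `Infrastructure for running several different dynamic analysis tools is provided by the project.`, reads as evidence for Met; the criterion asks whether a tool is actually applied before each major release, so the answer should say what is missing (for example, that the tools exist but running them is not part of the release procedure). The URL in that answer, `https://github.com/nodejs/node/tree/master/tools`, also uses `master` while the other `nodejs/node` link in this patch uses `blob/main/`; suggest aligning on `main`. Two other answers in the same hunk need a sentence: the security-review `**Unmet**` has no tracking issue, and the hardening-mechanisms `**N/A**` answers a question marked `(URL required)` without stating why hardening does not apply.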
@@ -36,7 +36,7 @@ Context: **Met** Context: -- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) - [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) @@ -45,8 +45,8 @@ Context: **Met** Context: -- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) -- [CII Best Practices: Contributors Unassociated](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#contributors_unassociated) +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Contributors Unassociated](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#contributors_unassociated) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307388569) ## Other 
@@ -56,8 +56,8 @@ Context: **Meet** Context: -- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) -- [CII Best Practices: Copyright Per File](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#copyright_per_file) +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Copyright Per File](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#copyright_per_file) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307391551) > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) @@ -65,7 +65,7 @@ Context: **Unmet** Context: -- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-basics-1) +- [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307392811) # Change Control 
@@ -77,7 +77,7 @@ Context: **Met** Context: -- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307393521) > The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) @@ -85,7 +85,7 @@ Context: **Met. For example https://github.com/nodejs/node/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22** Context: -- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307394640) > The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. 
@@ -93,8 +93,8 @@ Context: **Met** Context: -- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) -- [CII Best Practices: Require 2FA](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#require_2FA) +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) +- [CII Best Practices: Require 2FA](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#require_2FA) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307396475) > The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. @@ -102,7 +102,7 @@ Context: **Met. We Use Github, so we follow the recommendations. Documentation: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication** Context: -- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-change-control-1) +- [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307398661) # Quality 
@@ -111,19 +111,19 @@ Context: > The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) -**Met. The process is documented: https://github.com/nodejs/node/blob/main/doc/contributing/pull-requests.md#reviewing-pull-requests** +**Met. The process is documented: https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307403399) > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion -**Met. Currently the repo is monitored against the OSSF Scorecard, where this is checked every 2 weeks in the Security Team regular meetings. See: https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md** +**Met. Currently the repo is monitored against the OSSF Scorecard, where this is checked every 2 weeks in the Security Team regular meetings. 
See: https://github.com/nodejs/security-wg/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/tools/ossf_scorecard/report.md** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) -- [CII Best Practices: Two Person Review](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#two_person_review) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Two Person Review](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#two_person_review) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307402095) @@ -134,7 +134,7 @@ Context: **Unmet** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) ## Automated test suite @@ -145,7 +145,7 @@ Context: **Met** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307404137) > The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. 
@@ -153,15 +153,15 @@ Context: **Met. https://ci.nodejs.org/** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) > The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. **Met. This is part of the CI Checks in place** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) -- [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_statement_coverage90) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#test_statement_coverage90) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405014) > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. 
@@ -169,8 +169,8 @@ Context: **Met. This is part of the CI Checks in place** Context: -- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) -- [CII Best Practices: Test Branch Coverage 80%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_branch_coverage80) +- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) +- [CII Best Practices: Test Branch Coverage 80%](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#test_branch_coverage80) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405888) @@ -185,7 +185,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your **N/A** Context: -- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307415866) - [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) @@ -194,7 +194,7 @@ Context: **Met** Context: -- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307415066) - [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) 
@@ -206,7 +206,7 @@ Context: **Met** Context: -- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307413951) ## Other security issues @@ -216,7 +216,7 @@ Context: **Unmet** Context: -- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307412553) > Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) @@ -224,7 +224,7 @@ Context: **N/A** Context: -- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-security-1) +- [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307407833) - [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) 
@@ -236,7 +236,7 @@ Context: **Unmet. Infrastructure for running several different dynamic analysis tools is provided by the project. See: https://github.com/nodejs/node/tree/master/tools** Context: -- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-analysis-1) +- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-analysis-1) > The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. @@ -244,5 +244,5 @@ Context: **Unmet** Context: -- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-analysis-1) +- [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-analysis-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307406630) From 91f35e74f87b95f1ce0f36f21bd660154a64831c Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 4 Jan 2024 19:52:12 +0100 Subject: [PATCH 24/25] docs: update responses and references --- tools/ossf_best_practices/gold_criteria.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index 2b0839406..b76907ff5 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md @@ -33,7 +33,7 @@ Context: > The project MUST have a "bus factor" of 2 or more. (URL required) -**Met** +**Met. https://github.com/nodejs/node/blob/main/GOVERNANCE.md** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) 
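Review bot: in the hunk starting `@@ -111,19 +111,19 @@`, the hash `a51ed45fdcd8e2959781a86929f561521ac2e0e0` that pins the `coreinfrastructure/best-practices-badge` links is also substituted into `https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests` and `https://github.com/nodejs/security-wg/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/tools/ossf_scorecard/report.md`; a commit from the badge repository does not exist in `nodejs/node` or `nodejs/security-wg`, so both links will 404. Each repository needs its own commit hash, or those two links should stay on `main` as they were.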
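Review bot: the context line `**Meet**` in the hunk starting `@@ -56,8 +56,8 @@` is neither `Met` nor `Unmet`, so the copyright-per-file answer is currently unreadable by anyone scanning statuses; since this patch touches the lines directly below it, suggest fixing the status in the same change (or in the follow-up that records the actual finding).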
@@ -42,7 +42,7 @@ Context: > The project MUST have at least two unassociated significant contributors. -**Met** +**Met. https://github.com/nodejs/node/blob/main/GOVERNANCE.md** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) @@ -53,12 +53,13 @@ Context: > The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). -**Meet** +**Unmet** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) - [CII Best Practices: Copyright Per File](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#copyright_per_file) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307391551) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1187) > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) @@ -67,6 +68,7 @@ Context: Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307392811) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1187) # Change Control 
@@ -90,7 +92,7 @@ Context: > The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. -**Met** +**Met. Node.js org has enabled 2FA for all the members, see: https://github.com/openjs-foundation/security-collab-space/issues/94#issuecomment-1874627417** Context: - [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) @@ -119,7 +121,7 @@ Context: > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion -**Met. Currently the repo is monitored against the OSSF Scorecard, where this is checked every 2 weeks in the Security Team regular meetings. See: https://github.com/nodejs/security-wg/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/tools/ossf_scorecard/report.md** +**Met. The process is documented: https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests and we use additional tools like the OSSF Scorecard to monitor it** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) 
@@ -157,21 +159,24 @@ Context: > The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -**Met. This is part of the CI Checks in place** +**Met. Report available in https://app.codecov.io/gh/nodejs/node** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) - [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#test_statement_coverage90) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405014) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1187) + > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -**Met. This is part of the CI Checks in place** +**Met. Report available in https://app.codecov.io/gh/nodejs/node** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) - [CII Best Practices: Test Branch Coverage 80%](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#test_branch_coverage80) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405888) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1188) # Security 
@@ -188,6 +193,8 @@ Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307415866) - [See related question in Silver Criteria](/tools/ossf_best_practices/silver_criteria.md) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1189) + > The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). @@ -208,6 +215,7 @@ Context: Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307413951) +- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1190) ## Other security issues From 10f62191aa335e026a612bd8d869bbb88d12a912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 7 May 2024 11:53:30 +0200 Subject: [PATCH 25/25] docs: update OpenSSF Best practices Gold criteria Ref: https://www.bestpractices.dev/en/projects/29?criteria_level=2 --- tools/ossf_best_practices/gold_criteria.md | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/tools/ossf_best_practices/gold_criteria.md b/tools/ossf_best_practices/gold_criteria.md index b76907ff5..ec386fe85 100644 --- a/tools/ossf_best_practices/gold_criteria.md +++ b/tools/ossf_best_practices/gold_criteria.md 
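Review bot: in the hunk starting `@@ -119,7 +121,7 @@`, the new answer `**Met. The process is documented: https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests ...**` keeps the badge-repository hash inside a `nodejs/node` URL, so the link this answer rests on does not resolve; use `main` or a real `nodejs/node` commit. The sentence also no longer says what the Scorecard check measures or where its result is published, which the previous wording did; "we use additional tools like the OSSF Scorecard to monitor it" should name the check and link the report.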
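Review bot: in the hunk starting `@@ -157,21 +159,24 @@`, the statement-coverage answer gets `- [Issue to follow up](https://github.com/nodejs/security-wg/issues/1187)` while branch coverage gets issue 1188; 1187 is the same issue this patch attaches to the copyright and SPDX answers in `@@ -53` and `@@ -67`, so either the statement-coverage link is a copy-paste slip or 1187 is a catch-all and the two coverage answers should point at the same issue. Separately, a `**Met**` answer with an "Issue to follow up" invites the question of what is still open; one clause saying why the issue exists would settle it. The hunk also inserts two blank lines after the 1187 link where the file otherwise uses one.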
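Review bot: in the hunk starting `@@ -188,6 +193,8 @@`, an `[Issue to follow up](https://github.com/nodejs/security-wg/issues/1189)` is added under the `**N/A**` answer for secure network protocols; if there is something to follow up, the answer is not settled as N/A, so the answer text should say what the issue is meant to decide. The extra blank line added after the link also breaks the single-blank-line spacing used elsewhere in the file. The same applies to the `issues/1190` link added under a `**Met**` answer in `@@ -208,6 +215,7 @@`.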
@@ -33,7 +33,7 @@ Context: > The project MUST have a "bus factor" of 2 or more. (URL required) -**Met. https://github.com/nodejs/node/blob/main/GOVERNANCE.md** +**Met. https://github.com/nodejs/node/blob/main/README.md#current-project-team-members** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) @@ -53,7 +53,7 @@ Context: > The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). -**Unmet** +**Unmet. see https://github.com/nodejs/security-wg/issues/1187** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) @@ -63,7 +63,7 @@ Context: > The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project](https://spdx.dev/ids/#how) -**Unmet** +**Unmet. see see: https://github.com/nodejs/security-wg/issues/1187** Context: - [CII Best Practices: Basics](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-basics-1) @@ -76,7 +76,7 @@ Context: > The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). -**Met** +**Met. Repository on GitHub, which uses git. git is distributed** Context: - [CII Best Practices: Change Control](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-change-control-1) 
@@ -113,7 +113,7 @@ Context: > The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) -**Met. The process is documented: https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests** +**Met. The process is documented: https://github.com/nodejs/node/blob/main/doc/contributing/pull-requests.md#reviewing-pull-requests** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) @@ -121,7 +121,7 @@ Context: > The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion -**Met. The process is documented: https://github.com/nodejs/node/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/doc/contributing/pull-requests.md#reviewing-pull-requests and we use additional tools like the OSSF Scorecard to monitor it** +**Met. The process is documented: https://github.com/nodejs/node/blob/main/doc/contributing/pull-requests.md#reviewing-pull-requests and we use additional tools like the OSSF Scorecard to monitor it** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) @@ -144,7 +144,7 @@ Context: > A test suite MUST be invocable in a standard way for that language. -**Met** +**Met. make or batch file, executed using python. Warning: URL required, but no URL found.** Context: - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-quality-1) 
@@ -187,7 +187,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). -**N/A** +**N/A. The project does not produce software that supports network communications, the final user is responsible for that when using Node.js.** Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) @@ -198,7 +198,7 @@ Context: > The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). -**Met** +**Met. Warning: Requires lengthier justification.** Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) @@ -210,7 +210,7 @@ Context: > The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) -**Met** +**Unmet. One or more of the required security hardening headers is missing.** Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) 
@@ -229,7 +229,7 @@ Context: > Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) -**N/A** +**N/A. The the final user has the power to decide, see: Node.js thread model (https://github.com/nodejs/node/blob/main/SECURITY.md#the-nodejs-threat-model)** Context: - [CII Best Practices: Security](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-security-1) @@ -241,7 +241,7 @@ Context: > The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. -**Unmet. Infrastructure for running several different dynamic analysis tools is provided by the project. See: https://github.com/nodejs/node/tree/master/tools** +**Met. Infrastructure for running several different dynamic analysis tools is provided by the project. See: https://github.com/nodejs/node/tree/master/tools** Context: - [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-analysis-1) @@ -249,7 +249,7 @@ Context: > The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. -**Unmet** +**Unmet. Warning: Requires lengthier justification.** Context: - [CII Best Practices: Analysis](https://github.com/coreinfrastructure/best-practices-badge/blob/a51ed45fdcd8e2959781a86929f561521ac2e0e0/docs/other.md#upgrade-analysis-1)
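Review bot: The replacement line in the `@@ -63,7` hunk reads `**Unmet. see see: https://github.com/nodejs/security-wg/issues/1187**`, with a duplicated "see"; suggest `**Unmet. See https://github.com/nodejs/security-wg/issues/1187**`, matching the wording of the copyright-statement answer in the `@@ -53,7` hunk, which it otherwise mirrors.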
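Review bot: The justification in the `@@ -76,7` hunk, `**Met. Repository on GitHub, which uses git. git is distributed**`, is two fragments with no final period; suggest `**Met. The repository is hosted on GitHub and uses git, which is a distributed version control system.**`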
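Review bot: In the `@@ -113,7` hunk the old link pinned `nodejs/node` to commit `a51ed45fdcd8e2959781a86929f561521ac2e0e0`, which is the same commit every `Context:` link uses for `coreinfrastructure/best-practices-badge`, so the pinned URL was almost certainly copied from the wrong repository and never resolved; switching to `main` fixes that, but pinning to an actual `nodejs/node` commit would keep the badge evidence stable if `doc/contributing/pull-requests.md` is later reorganized. The same applies to the identical URL change in the `@@ -121,7` hunk.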
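Review bot: In the `@@ -144,7` hunk the answer `**Met. make or batch file, executed using python. Warning: URL required, but no URL found.**` commits the badge tool's warning as part of the justification instead of resolving it; add a link to the project's build/test documentation that describes how the `make` target and the Windows batch file invoke the test suite, and drop the `Warning:` sentence so the answer is verifiable.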
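Review bot: The justification in the `@@ -187,7` hunk, that the project "does not produce software that supports network communications", is hard to defend for a runtime that ships the `http`, `https`, `tls` and `net` modules, and it conflicts with the `@@ -198,7` hunk, which answers Met to the TLS 1.2 criterion (software with no network communications could not support TLS). If N/A is kept, reword it around Node.js being a platform whose applications choose which protocols to speak, without claiming the runtime itself has no networking support; otherwise answer Met and point at the `tls` module documentation for the supported protocol versions.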
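Review bot: In the `@@ -198,7` hunk, `Warning: Requires lengthier justification.` is the badge tool's prompt to the submitter, not a justification, and it is now recorded as the answer; replace it with the actual evidence, for example a link to the `tls` module documentation that states the minimum TLS version the runtime supports and uses by default.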
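Review bot: The `@@ -210,7` hunk flips the hardening-headers criterion from Met to Unmet, but the new text, `One or more of the required security hardening headers is missing.`, does not say which of the three sites named by the criterion (project website, repository, download site) was checked or which headers were absent, even though the criterion is marked `(URL required)`; record the URL tested and the missing headers so the gap can be tracked and the answer re-checked once fixed.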
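Review bot: The replacement line in the `@@ -229,7` hunk has two typos: `The the final user` and `Node.js thread model` (the linked anchor is `#the-nodejs-threat-model`, so this should read `threat model`). Beyond wording, the criterion asks whether hardening mechanisms are used in the software the project produces, which is a decision the project makes when it builds and releases Node.js rather than one the end user makes, so the N/A justification does not engage with the question; consider answering Met or Unmet based on how the release builds are configured.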
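Review bot: In the `@@ -241,7` hunk the answer changes from Unmet to Met while keeping the same justification, which only says that infrastructure for dynamic analysis tools is provided under `tools/`; the criterion requires that at least one such tool is actually applied to each proposed major production release, so the justification should name the tool and where in the release process it runs. The link also still uses `tree/master` while the other hunks in this patch move links to `main`.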
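Review bot: The `@@ -249,7` hunk records `Warning: Requires lengthier justification.` as the answer text, as the `@@ -198,7` hunk does; an Unmet answer needs no justification for the badge, so either drop the warning or replace it with a short note on what would close the gap (run-time assertions checked under the dynamic analysis tooling referenced in the `@@ -241,7` hunk).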
