From 2c7a9e81ad46a08524ebac6d119ec2b2b4c7f030 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Sun, 16 Apr 2023 17:53:37 +0200 Subject: [PATCH 01/53] feat: copied passing criteria Questions and Answers --- tools/ossf_best_practices/silver_criteria.md | 321 +++++++++++++++++++ 1 file changed, 321 insertions(+) create mode 100644 tools/ossf_best_practices/silver_criteria.md diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md new file mode 100644 index 00000000..708a2517 --- /dev/null +++ b/tools/ossf_best_practices/silver_criteria.md
@@ -0,0 +1,321 @@ +Check the official [report](https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=1) as some questions include additional information that might be relevant to understand the context around the question. + + +# Basics +> What is the human-readable name of the project? + +Node.js + +> What is a brief description of the project? + +Node.js® is a JavaScript runtime built on Chrome's V8 JavaScript engine + +> What is the URL for the project (as a whole)? + +https://nodejs.org + +> What is the URL for the version control repository (it may be the same as the project URL)? + +https://github.com/nodejs/node + +## Prerequisites + +> The project MUST achieve a passing level badge. + +**Met** + + +## Basic project website content + +> The information on how to contribute MUST include the requirements for acceptable contributions (e.g., a reference to any required coding standard). (URL required) + +**Met** +https://github.com/nodejs/node/blob/master/CONTRIBUTING.md + +## Project oversight + +> The project SHOULD have a legal mechanism where all developers of non-trivial amounts of project software assert that they are legally authorized to make these contributions. The most common and easily-implemented approach for doing this is by using a [Developer Certificate of Origin (DCO)](https://developercertificate.org/), where users add "signed-off-by" in their commits and the project links to the DCO website. However, this MAY be implemented as a Contributor License Agreement (CLA), or other legal mechanism. (URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST clearly define and document its project governance model (the way it makes decisions, including key roles). (URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST adopt a code of conduct and post it in a standard location. 
+ +_Possible answers: Met/Unmet_ + +> The project MUST clearly define and publicly document the key roles in the project and their responsibilities, including any tasks those roles must perform. It MUST be clear who has which role(s), though this might not be documented in the same way. (URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). + +_Possible answers: Met/Unmet_ + +> The project SHOULD have a "bus factor" of 2 or more. (URL required) + +_Possible answers: Met/Unmet_ + +## Documentation + +> The project MUST have a documented roadmap that describes what the project intends to do and not do for at least the next year. (URL required) + +_Possible answers: Met/Unmet_ + +The project MUST include documentation of the architecture (aka high-level design) of the software produced by the project. If the project does not produce software, select "not applicable" (N/A). (URL required) + +_Possible answers: Met/Unmet/NA_ + +> The project MUST document what the user can and cannot expect in terms of security from the software produced by the project (its "security requirements"). (URL required) + +_Possible answers: Met/Unmet_ + +> The project MUST provide a "quick start" guide for new users to help them quickly do something with the software. 
(URL required) + +_Possible answers: Met/Unmet/NA_ + + +The project MUST make an effort to keep the documentation consistent with the current version of the project results (including software produced by the project). Any known documentation defects making it inconsistent MUST be fixed. If the documentation is generally current, but erroneously includes some older information that is no longer true, just treat that as a defect, then track and fix as usual. + +_Possible answers: Met/Unmet/NA_ + + +The project repository front page and/or website MUST identify and hyperlink to any achievements, including this best practices badge, within 48 hours of public recognition that the achievement has been attained. (URL required) + +_Possible answers: Met/Unmet_ + + +## Accessibility and internationalization + +> The project (both project sites and project results) SHOULD follow accessibility best practices so that persons with disabilities can still participate in the project and use the project results where it is reasonable to do so. + +_Possible answers: Met/Unmet/NA_ + +> The software produced by the project SHOULD be internationalized to enable easy localization for the target audience's culture, region, or language. If internationalization (i18n) does not apply (e.g., the software doesn't generate text intended for end-users and doesn't sort human-readable text), select "not applicable" (N/A) + +_Possible answers: Met/Unmet/NA_ + + +## Other + +> If the project sites (website, repository, and download URLs) store passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., Argon2id, Bcrypt, Scrypt, or PBKDF2). If the project sites do not store passwords for this purpose, select "not applicable" (N/A). 
+ +_Possible answers: Met/Unmet/NA_ + + + +# Change Control + +## Previous versions + +> The project MUST maintain the most often used older versions of the product or provide an upgrade path to newer versions. If the upgrade path is difficult, the project MUST document how to perform the upgrade (e.g., the interfaces that have changed and detailed suggested steps to help upgrade). + +_Possible answers: Met/Unmet/NA_ + + +# Reporting + +## Bug-reporting process + +> The project MUST use an issue tracker for tracking individual issues. + +**Met** +https://github.com/nodejs/node/issues + +## Vulnerability report process + +> The project MUST give credit to the reporter(s) of all vulnerability reports resolved in the last 12 months, except for the reporter(s) who request anonymity. If there have been no vulnerabilities resolved in the last 12 months, select "not applicable" (N/A). (URL required) + +_Possible answers: Met/Unmet/NA_ + + +> The project MUST have a documented process for responding to vulnerability reports. (URL required) + +_Possible answers: Met/Unmet_ + +# Quality + +## Coding standards + +> The project MUST identify the specific coding style guides for the primary languages it uses, and require that contributions generally comply with it. (URL required) + +_Possible answers: Met/Unmet/NA_ + +> The project MUST automatically enforce its selected coding style(s) if there is at least one FLOSS tool that can do so in the selected language(s). + +_Possible answers: Met/Unmet/NA_ + + +## Working build system + +> Build systems for native binaries MUST honor the relevant compiler and linker (environment) variables passed in to them (e.g., CC, CFLAGS, CXX, CXXFLAGS, and LDFLAGS) and pass them to compiler and linker invocations. A build system MAY extend them with additional flags; it MUST NOT simply replace provided values with its own. If no native binaries are being generated, select "not applicable" (N/A). 
+ +_Possible answers: Met/Unmet/NA_ + +> The build and installation system SHOULD preserve debugging information if they are requested in the relevant flags (e.g., "install -s" is not used). If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The build system for the software produced by the project MUST NOT recursively build subdirectories if there are cross-dependencies in the subdirectories. If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + + +## Installation system + +> The project MUST provide a way to easily install and uninstall the software produced by the project using a commonly-used convention. + +_Possible answers: Met/Unmet/NA_ + +> The installation system for end-users MUST honor standard conventions for selecting the location where built artifacts are written to at installation time. For example, if it installs files on a POSIX system it MUST honor the DESTDIR environment variable. If there is no installation system or no standard convention, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The project MUST provide a way for potential developers to quickly install all the project results and support environment necessary to make changes, including the tests and test environment. This MUST be performed with a commonly-used convention. + +_Possible answers: Met/Unmet/NA_ + + + +## Externally-maintained components + +> The project MUST list external dependencies in a computer-processable way. 
(URL required) + +_Possible answers: Met/Unmet/NA_ + +> Projects MUST monitor or periodically check their external dependencies (including convenience copies) to detect known vulnerabilities, and fix exploitable vulnerabilities or verify them as unexploitable. + +_Possible answers: Met/Unmet/NA_ + +> The project MUST either: +> 1. make it easy to identify and update reused externally-maintained components; or +> 2. use the standard components provided by the system or programming language. +> +> Then, if a vulnerability is found in a reused component, it will be easy to update that component. + +_Possible answers: Met/Unmet/NA_ + + +> The project SHOULD avoid using deprecated or obsolete functions and APIs where FLOSS alternatives are available in the set of technology it uses (its "technology stack") and to a supermajority of the users the project supports (so that users have ready access to the alternative). + +_Possible answers: Met/Unmet/NA_ + + +## Automated test suite + +> An automated test suite MUST be applied on each check-in to a shared repository for at least one branch. This test suite MUST produce a report on test success or failure. + +_Possible answers: Met/Unmet_ + +> The project MUST add regression tests to an automated test suite for at least 50% of the bugs fixed within the last six months. + +_Possible answers: Met/Unmet/NA_ + +> The project MUST have FLOSS automated test suite(s) that provide at least 80% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. + +_Possible answers: Met/Unmet/NA_ + + +## New functionality testing + +> The project MUST have a formal written policy that as major new functionality is added, tests for the new functionality MUST be added to an automated test suite. + +_Possible answers: Met/Unmet/NA_ + +> The project MUST include, in its documented instructions for change proposals, the policy that tests are to be added for major new functionality. 
+ +_Possible answers: Met/Unmet/NA_ + +## Warning flags + +> Projects MUST be maximally strict with warnings in the software produced by the project, where practical. + +_Possible answers: Met/Unmet/NA_ + + +# Security + +## Secure development knowledge + +> The project MUST implement secure design principles (from "know_secure_design"), where applicable. If the project is not producing software, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + + +## Use basic good cryptographic practices + +_Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of [Understanding Open Source Technology & US Export Controls](https://www.linuxfoundation.org/resources/publications/understanding-us-export-controls-with-os-projects/)._ + +> The default security mechanisms within the software produced by the project MUST NOT depend on cryptographic algorithms or modes with known serious weaknesses (e.g., the SHA-1 cryptographic hash algorithm or the CBC mode in SSH). + +_Possible answers: Met/Unmet/NA_ + +> The project SHOULD support multiple cryptographic algorithms, so users can quickly switch if one is broken. Common symmetric key algorithms include AES, Twofish, and Serpent. Common cryptographic hash algorithm alternatives include SHA-2 (including SHA-224, SHA-256, SHA-384 AND SHA-512) and SHA-3. 
+ +_Possible answers: Met/Unmet/NA_ + +> The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replace them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The software produced by the project SHOULD, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select "not applicable" (N/A). 
+ +_Possible answers: Met/Unmet/NA_ + +## Secure release + +> The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public. If releases are not intended for widespread use, select "not applicable" (N/A). + +_Possible answers: Met/Unmet/NA_ + +> It is SUGGESTED that in the version control system, each important version tag (a tag that is part of a major release, minor release, or fixes publicly noted vulnerabilities) be cryptographically signed and verifiable as described in [signed_releases](https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=1#signed_releases). + +_Possible answers: Met/Unmet_ + +## Other security issues + +> The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (an *allowlist*), and reject invalid inputs, if there are any restrictions on the data at all. + +_Possible answers: Met/Unmet/NA_ + +> Hardening mechanisms SHOULD be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. + +_Possible answers: Met/Unmet/NA_ + +> The project MUST provide an assurance case that justifies why its security requirements are met. The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, an argument that secure design principles have been applied, and an argument that common implementation security weaknesses have been countered. 
(URL required) + +_Possible answers: Met/Unmet_ + + +# Analysis + +## Static code analysis + +> The project MUST use at least one static analysis tool with rules or approaches to look for common vulnerabilities in the analyzed language or environment, if there is at least one FLOSS tool that can implement this criterion in the selected language. + +_Possible answers: Met/Unmet/NA_ + +## Dynamic code analysis + +> If the software produced by the project includes software written using a memory-unsafe language (e.g., C or C++), then at least one dynamic tool (e.g., a fuzzer or web application scanner) MUST be routinely used in combination with a mechanism to detect memory safety problems such as buffer overwrites. If the project does not produce software written in a memory-unsafe language, choose "not applicable" (N/A). + +**Met** +valgrind for c++ From 3316d069ecfe0a730f8cf75f9b5a0b5e6dfedb84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:45:15 +0200 Subject: [PATCH 02/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 708a2517..0fbe0913 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
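Review bot: in PATCH 01/53, the Dynamic code analysis answer "**Met** valgrind for c++" names a memory-safety detector but neither the dynamic tool the criterion asks for (a fuzzer or scanner that drives the code) nor where it is run routinely; cite the CI job or test target that exercises the C++ code under valgrind or a sanitizer, otherwise the answer does not support "Met". Two smaller points in the same hunk: the contribution-requirements URL points at `https://github.com/nodejs/node/blob/master/CONTRIBUTING.md` while every other link in this series uses `main`, so use `main` here too; and three criteria are added without the `>` quote prefix used everywhere else in the file (the architecture documentation, documentation consistency and achievements-hyperlink items), which breaks the question/answer layout the rest of the file relies on.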
@@ -36,7 +36,8 @@ https://github.com/nodejs/node/blob/master/CONTRIBUTING.md > The project SHOULD have a legal mechanism where all developers of non-trivial amounts of project software assert that they are legally authorized to make these contributions. The most common and easily-implemented approach for doing this is by using a [Developer Certificate of Origin (DCO)](https://developercertificate.org/), where users add "signed-off-by" in their commits and the project links to the DCO website. However, this MAY be implemented as a Contributor License Agreement (CLA), or other legal mechanism. (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/CONTRIBUTING.md#developers-certificate-of-origin > The project MUST clearly define and document its project governance model (the way it makes decisions, including key roles). (URL required) From 1e8b9026b5f8f46488338cf470fe7afa5d4cf894 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:45:34 +0200 Subject: [PATCH 03/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 0fbe0913..27440e8d 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
@@ -289,7 +289,8 @@ _Possible answers: Met/Unmet/NA_ > It is SUGGESTED that in the version control system, each important version tag (a tag that is part of a major release, minor release, or fixes publicly noted vulnerabilities) be cryptographically signed and verifiable as described in [signed_releases](https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=1#signed_releases). -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#11-tag-and-sign-the-release-commit ## Other security issues From 10453f267f783aa44c4a1f222e8d82dd9ca1e8b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:45:52 +0200 Subject: [PATCH 04/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 27440e8d..0db6f2ea 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -271,7 +271,7 @@ _Possible answers: Met/Unmet/NA_ > The software produced by the project SHOULD, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select "not applicable" (N/A). From 3592a669c88ffb5101090d48dd70f87ee57bb55e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:46:17 +0200 Subject: [PATCH 05/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 0db6f2ea..8f0933b8 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -263,7 +263,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replace them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**N/A** > The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). From e491b9ed365e6e8156dc082af6ef78263ca69ecc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:49:17 +0200 Subject: [PATCH 06/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 8f0933b8..3639875b 100644 
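Review bot: in PATCH 05/53, answering "**N/A**" for the credential and private-key storage criterion is inconsistent with marking the TLS criterion "Met" in PATCH 04/53: a runtime that supports TLS processes private keys, so the criterion applies. What it asks is whether users can keep keys and credentials in files separate from configuration, databases and logs and replace them without recompiling, which for a runtime that loads keys from user-supplied files is "Met"; change the answer and add a pointer to where the key-loading behaviour is documented.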
--- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -259,7 +259,7 @@ _Possible answers: Met/Unmet/NA_ > The project SHOULD support multiple cryptographic algorithms, so users can quickly switch if one is broken. Common symmetric key algorithms include AES, Twofish, and Serpent. Common cryptographic hash algorithm alternatives include SHA-2 (including SHA-224, SHA-256, SHA-384 AND SHA-512) and SHA-3. -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replace them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select "not applicable" (N/A). From 9befaf6fcfb83662debcebf090013a90b29a2c43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:49:35 +0200 Subject: [PATCH 07/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 3639875b..bdeaf1f0 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -192,7 +192,7 @@ _Possible answers: Met/Unmet/NA_ > Projects MUST monitor or periodically check their external dependencies (including convenience copies) to detect known vulnerabilities, and fix exploitable vulnerabilities or verify them as unexploitable. -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST either: > 1. make it easy to identify and update reused externally-maintained components; or 
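Review bot: in PATCH 07/53, "**Met**" for monitoring external dependencies is asserted without evidence; the criterion explicitly includes convenience copies, so cite the process or automation that checks the vendored dependencies for known vulnerabilities and how exploitable findings are fixed or verified as unexploitable. If the maintaining-dependencies document describes that process, link it here as well.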
From 66667b0326ddff28fe65ccd29d4ebe4e71f94991 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:49:57 +0200 Subject: [PATCH 08/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index bdeaf1f0..79f74ab5 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -188,7 +188,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST list external dependencies in a computer-processable way. (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** +https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md > Projects MUST monitor or periodically check their external dependencies (including convenience copies) to detect known vulnerabilities, and fix exploitable vulnerabilities or verify them as unexploitable. From 5f0444af1d9b48eec3185ae6fcb258b78ae2c955 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:50:23 +0200 Subject: [PATCH 09/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 79f74ab5..20288bd0 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -146,7 +146,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST automatically enforce its selected coding style(s) if there is at least one FLOSS tool that can do so in the selected language(s). -_Possible answers: Met/Unmet/NA_ +**Met** ## Working build system 
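Review bot: in PATCH 08/53, the criterion asks for dependencies listed "in a computer-processable way", but the cited `maintaining-dependencies.md` is a human-readable maintenance guide; if the project has a machine-readable list of its dependencies (a manifest or lock file, or an SBOM), cite that instead of or alongside the guide, otherwise the "Met" claim is unsupported.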
From 382b9895c90a932ce9ec5ab4b10e1cc75dd19b37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:50:45 +0200 Subject: [PATCH 10/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 20288bd0..ca08fc80 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -142,7 +142,9 @@ _Possible answers: Met/Unmet_ > The project MUST identify the specific coding style guides for the primary languages it uses, and require that contributions generally comply with it. (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** +### **Met** +https://github.com/nodejs/node/blob/main/doc/contributing/cpp-style-guide.md > The project MUST automatically enforce its selected coding style(s) if there is at least one FLOSS tool that can do so in the selected language(s). From 9ff9008711e30c16e1131f97b076f7b029c038db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:51:01 +0200 Subject: [PATCH 11/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ca08fc80..1e770a63 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
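Review bot: in PATCH 10/53, `### **Met**` duplicates the `**Met**` answer directly above it as a stray heading; drop it, since answers elsewhere in this file are bold text under the quoted criterion, not headings. Also, the criterion covers the primary languages the project uses, and only the C++ style guide is linked; add the JavaScript style guide reference alongside it.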
@@ -103,7 +103,7 @@ _Possible answers: Met/Unmet/NA_ > If the project sites (website, repository, and download URLs) store passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., Argon2id, Bcrypt, Scrypt, or PBKDF2). If the project sites do not store passwords for this purpose, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**N/A** From 3c5be93997838c747c33deac4a3af09fd67d9d95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:51:21 +0200 Subject: [PATCH 12/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 1e770a63..fb7f2836 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -71,7 +71,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST document what the user can and cannot expect in terms of security from the software produced by the project (its "security requirements"). (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/SECURITY.md > The project MUST provide a "quick start" guide for new users to help them quickly do something with the software. (URL required) From 4359f2d9b3b957d2e4ab9d63777b73d1677911f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 14:54:03 +0200 Subject: [PATCH 13/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index fb7f2836..07721f0a 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -57,7 +57,8 @@ _Possible answers: Met/Unmet_ > The project SHOULD have a "bus factor" of 2 or more. (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/README.md#current-project-team-members ## Documentation From 722db252eec77ede3f113d7e9bc63259030e5cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 17 May 2023 15:02:53 +0200 Subject: [PATCH 14/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 07721f0a..0328a85a 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -45,7 +45,8 @@ _Possible answers: Met/Unmet_ > The project MUST adopt a code of conduct and post it in a standard location. -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/CODE_OF_CONDUCT.md > The project MUST clearly define and publicly document the key roles in the project and their responsibilities, including any tasks those roles must perform. It MUST be clear who has which role(s), though this might not be documented in the same way. (URL required) From f52a2ed0d8edf5109bcff326a05a07c43da14e01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 10:48:39 +0200 Subject: [PATCH 15/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 0328a85a..72bbe7e1 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -177,7 +177,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST provide a way to easily install and uninstall the software produced by the project using a commonly-used convention. -_Possible answers: Met/Unmet/NA_ +**Met** > The installation system for end-users MUST honor standard conventions for selecting the location where built artifacts are written to at installation time. For example, if it installs files on a POSIX system it MUST honor the DESTDIR environment variable. If there is no installation system or no standard convention, select "not applicable" (N/A). From fd3c0faa26e6900edb8c0891d5e463e4c540391b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 10:48:58 +0200 Subject: [PATCH 16/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 72bbe7e1..64902031 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
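Review bot: the `**Met**` in the `@@ -177,7 +177,7 @@` hunk names no convention, while the criterion asks for a commonly-used one for both install and uninstall. Cite the concrete mechanisms (the official download page and package installers for end users, and the Makefile `install` target for source builds, plus the matching `uninstall` target if the Makefile provides one) so the reviewer can check both halves of the requirement rather than only install.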
@@ -181,7 +181,7 @@ _Possible answers: Met/Unmet/NA_ > The installation system for end-users MUST honor standard conventions for selecting the location where built artifacts are written to at installation time. For example, if it installs files on a POSIX system it MUST honor the DESTDIR environment variable. If there is no installation system or no standard convention, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST provide a way for potential developers to quickly install all the project results and support environment necessary to make changes, including the tests and test environment. This MUST be performed with a commonly-used convention. From 8937bb8fede3fc43538e3d4dddd61c48f5314d5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 11:04:39 +0200 Subject: [PATCH 17/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 64902031..ef89e46a 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
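Review bot: the `@@ -181,7 +181,7 @@` hunk answers a criterion that names a single checkable behaviour, `DESTDIR`, with a bare `**Met**`. Point at the Makefile `install` target or the installer script it delegates to, where the variable is read, so that a reviewer can confirm that `make install DESTDIR=/tmp/stage` writes under the staging directory instead of the live prefix; this is the kind of answer that is cheap to evidence and expensive to take on trust.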
@@ -158,7 +158,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/cpp-style-guide.md > Build systems for native binaries MUST honor the relevant compiler and linker (environment) variables passed in to them (e.g., CC, CFLAGS, CXX, CXXFLAGS, and LDFLAGS) and pass them to compiler and linker invocations. A build system MAY extend them with additional flags; it MUST NOT simply replace provided values with its own. If no native binaries are being generated, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The build and installation system SHOULD preserve debugging information if they are requested in the relevant flags (e.g., "install -s" is not used). If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). From 5990d8ca2fe13b23f2dbfbc387bdca04f454ad5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 11:04:54 +0200 Subject: [PATCH 18/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ef89e46a..b22be0d9 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -185,7 +185,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST provide a way for potential developers to quickly install all the project results and support environment necessary to make changes, including the tests and test environment. This MUST be performed with a commonly-used convention. -_Possible answers: Met/Unmet/NA_ +**Met** +https://github.com/nodejs/node/blob/main/doc/contributing/pull-requests.md#setting-up-your-local-environment From 21d0a781c004edf4c5eadcb8775514fc7dab8bb1 Mon Sep 17 00:00:00 2001 
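Review bot: the `@@ -158,7 +158,7 @@` hunk gives no evidence for the compiler/linker-variable criterion, and the stricter half of that criterion (the build MUST NOT replace `CFLAGS`/`LDFLAGS` values the caller supplies, only extend them) is the half a reviewer wants to see. Cite the place in the build documentation or the configure script that describes honouring `CC`, `CXX`, `CFLAGS`, `CXXFLAGS` and `LDFLAGS`, and note whether project flags are appended to or overwrite the caller's values. The `@@ -185,7 +185,8 @@` hunk is well evidenced: the "setting up your local environment" section is exactly the quick-setup convention the criterion describes.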
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 11:06:26 +0200 Subject: [PATCH 19/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index b22be0d9..f8a14734 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -162,7 +162,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/cpp-style-guide.md > The build and installation system SHOULD preserve debugging information if they are requested in the relevant flags (e.g., "install -s" is not used). If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The build system for the software produced by the project MUST NOT recursively build subdirectories if there are cross-dependencies in the subdirectories. If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). From 2a3b1d08cd38d4ad8842b5a7e9a7fd8e5fc95017 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 18 May 2023 11:06:42 +0200 Subject: [PATCH 20/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index f8a14734..67eb273b 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
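Review bot: the `@@ -162,7 +162,7 @@` hunk marks the debugging-information criterion `**Met**` without saying how; the criterion is a SHOULD, so an honest "Met" needs to state that debug builds are supported and that `make install` does not strip binaries. Cite the debug-build instructions in the building documentation (the configure `--debug` option) and the install step, since those two facts are what the criterion checks.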
@@ -207,7 +207,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintainin > > Then, if a vulnerability is found in a reused component, it will be easy to update that component. -_Possible answers: Met/Unmet/NA_ +**Met** > The project SHOULD avoid using deprecated or obsolete functions and APIs where FLOSS alternatives are available in the set of technology it uses (its "technology stack") and to a supermajority of the users the project supports (so that users have ready access to the alternative). From 0a0896effb3c630942d1f7efe6c4a00efe721f46 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Thu, 18 May 2023 11:13:23 +0200 Subject: [PATCH 21/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 67eb273b..fdeff10c 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -41,7 +41,8 @@ https://github.com/nodejs/node/blob/main/CONTRIBUTING.md#developers-certificate- > The project MUST clearly define and document its project governance model (the way it makes decisions, including key roles). (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/GOVERNANCE.md > The project MUST adopt a code of conduct and post it in a standard location. From 7494abd570598a9e13838a371b71be973824e4ac Mon Sep 17 00:00:00 2001 
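Review bot: the `**Met**` in the `@@ -207,7 +207,7 @@` hunk lacks the one thing the criterion is really about: that a vulnerable reused component can be updated quickly. The context line above it already cites a document under `doc/contributing/maintaining/`, and that directory holds the per-dependency update procedures for the vendored code in `deps/`, so link it and say where project-local patches to a dependency are recorded, because floated patches are what make a security update of a component slow. The `@@ -41,7 +41,8 @@` hunk citing GOVERNANCE.md for the governance model is correct.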
From: Marco Ippolito Date: Thu, 18 May 2023 11:13:38 +0200 Subject: [PATCH 22/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index fdeff10c..ffe3f7bf 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -51,7 +51,8 @@ https://github.com/nodejs/node/blob/main/CODE_OF_CONDUCT.md > The project MUST clearly define and publicly document the key roles in the project and their responsibilities, including any tasks those roles must perform. It MUST be clear who has which role(s), though this might not be documented in the same way. (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/GOVERNANCE.md > The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). From 0cfe72957f0a16f15ba9795198b5a016be4eb4d5 Mon Sep 17 00:00:00 2001 
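Review bot: the `@@ -51,7 +51,8 @@` hunk covers only half of the criterion. GOVERNANCE.md defines the roles and their responsibilities, but the criterion also says it "MUST be clear who has which role(s)", and the named holders live in the README team list, so cite both URLs here rather than GOVERNANCE.md alone.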
From: Marco Ippolito Date: Thu, 18 May 2023 11:14:06 +0200 Subject: [PATCH 23/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ffe3f7bf..8a61a4b7 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -56,7 +56,7 @@ https://github.com/nodejs/node/blob/main/GOVERNANCE.md > The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). -_Possible answers: Met/Unmet_ +**Met** > The project SHOULD have a "bus factor" of 2 or more. (URL required) From 2916c7942759d19caa3a8053f724e6b7f3b3083f Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Thu, 18 May 2023 11:14:37 +0200 Subject: [PATCH 24/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 8a61a4b7..bb49ec9a 100644 
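Review bot: the `@@ -56,7 +56,7 @@` hunk answers `**Met**` without addressing the clause the criterion is built around, "keys, passwords, and legal rights". State that release signing keys are per-releaser rather than a single shared key (the releases.md hunk later in this series points at the list of releaser GPG keys), that more than one person can release, close issues and land changes, and who holds the domain and trademark rights, so the one-week continuity claim is checkable.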
--- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -80,7 +80,8 @@ https://github.com/nodejs/node/blob/main/SECURITY.md > The project MUST provide a "quick start" guide for new users to help them quickly do something with the software. (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** +https://nodejs.dev/en/learn/ The project MUST make an effort to keep the documentation consistent with the current version of the project results (including software produced by the project). Any known documentation defects making it inconsistent MUST be fixed. If the documentation is generally current, but erroneously includes some older information that is no longer true, just treat that as a defect, then track and fix as usual. From 01dd8a358764dc205e4e4ddbcb9fc2363988a1d6 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Thu, 18 May 2023 11:17:34 +0200 Subject: [PATCH 25/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index bb49ec9a..0e2aea3c 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -140,7 +140,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST have a documented process for responding to vulnerability reports. (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/SECURITY.md # Quality From 819cee113cfabe341e2fc690f242e7bc43d2de14 Mon Sep 17 00:00:00 2001 
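Review bot: in the `@@ -80,7 +80,8 @@` hunk the quick-start URL points at `nodejs.dev`, a different domain from the project URL given at the top of this file; confirm that it is still the canonical home of the learn material, or link the equivalent section under nodejs.org, because a badge reviewer following a redirecting or retired domain will mark the criterion unverified. The `@@ -140,7 +140,8 @@` hunk citing SECURITY.md for the vulnerability-response process is the right reference.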
From: Marco Ippolito Date: Thu, 18 May 2023 11:17:55 +0200 Subject: [PATCH 26/53] Update tools/ossf_best_practices/silver_criteria.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 0e2aea3c..d3c230d1 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -257,7 +257,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST implement secure design principles (from "know_secure_design"), where applicable. If the project is not producing software, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +** Met** ## Use basic good cryptographic practices From d5518f3a2c5d8dc75cfa18655ee90ee1e820a9b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 22 May 2023 13:50:02 +0200 Subject: [PATCH 27/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index d3c230d1..3e9017e4 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
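Review bot: the `+** Met**` line in the `@@ -257,7 +257,7 @@` hunk has a space inside the opening bold marker, so Markdown will render the literal asterisks instead of bold; it should read `**Met**` like every other answer in the file. Separately, this is a secure-design criterion, so point at the material that shows the principles being applied (the threat model and trust boundaries in SECURITY.md) rather than leaving the answer bare.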
@@ -315,7 +315,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST provide an assurance case that justifies why its security requirements are met. The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, an argument that secure design principles have been applied, and an argument that common implementation security weaknesses have been countered. (URL required) -_Possible answers: Met/Unmet_ +**Met** +https://github.com/nodejs/node/blob/main/SECURITY.md # Analysis From 9393eef7cbe6a8e6daf35b4a4674413f43426cc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 22 May 2023 13:50:30 +0200 Subject: [PATCH 28/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 3e9017e4..b61b9c9e 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -307,7 +307,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#11-tag-and > The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (an *allowlist*), and reject invalid inputs, if there are any restrictions on the data at all. -_Possible answers: Met/Unmet/NA_ +**Met** > Hardening mechanisms SHOULD be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. From 7bafef4fe6a55ce023836cc674657632626d6e68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 22 May 2023 13:51:22 +0200 Subject: [PATCH 29/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
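Review bot: the `@@ -315,7 +315,8 @@` hunk cites SECURITY.md alone for the assurance case, but the criterion lists four required parts: a threat model, trust boundaries, an argument that secure design principles were applied, and an argument that common implementation weaknesses are countered. The threat model and trust boundaries are in that file; for the last two parts add the references that carry the argument (the static-analysis and testing documentation cited elsewhere in this series), or a reviewer will rightly ask where they are. In the `@@ -307,7 +307,7 @@` hunk, the input-validation `**Met**` should be read against the threat model's stated trust assumptions about inputs and should cite where argument validation is actually enforced, such as the shared validators in `lib/internal/`, so the claim is tied to code.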
diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index b61b9c9e..2affe54f 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -119,7 +119,8 @@ _Possible answers: Met/Unmet/NA_ > The project MUST maintain the most often used older versions of the product or provide an upgrade path to newer versions. If the upgrade path is difficult, the project MUST document how to perform the upgrade (e.g., the interfaces that have changed and detailed suggested steps to help upgrade). -_Possible answers: Met/Unmet/NA_ +**Met** +https://github.com/nodejs/release#release-schedule # Reporting From ae58c2b1c44425941cfd257de15291884b4fb256 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 22 May 2023 13:51:39 +0200 Subject: [PATCH 30/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 2affe54f..96ecc175 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -136,7 +136,8 @@ https://github.com/nodejs/node/issues > The project MUST give credit to the reporter(s) of all vulnerability reports resolved in the last 12 months, except for the reporter(s) who request anonymity. If there have been no vulnerabilities resolved in the last 12 months, select "not applicable" (N/A). (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** +https://hackerone.com/nodejs/hacktivity > The project MUST have a documented process for responding to vulnerability reports. (URL required) From d9bf4fd3e95ecf7e1ed9347cbe9c52ea1ce51fd7 Mon Sep 17 00:00:00 2001 
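Review bot: the `@@ -136,7 +136,8 @@` hunk credits reporters via the HackerOne hacktivity page, which only lists reports that were submitted and disclosed on HackerOne; reports received by email and credited in the security release announcements on the nodejs.org blog are not visible there, so cite those announcements too, since the criterion says "all vulnerability reports resolved in the last 12 months". In the `@@ -119,7 +119,8 @@` hunk the release schedule evidences maintenance of older lines, but the criterion also asks for documented upgrade steps where the upgrade is difficult; add a link to the deprecation documentation or changelogs that list changed interfaces.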
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 21 Jun 2023 22:59:19 +0200 Subject: [PATCH 31/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 96ecc175..9c416dd8 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -91,7 +91,7 @@ _Possible answers: Met/Unmet/NA_ The project repository front page and/or website MUST identify and hyperlink to any achievements, including this best practices badge, within 48 hours of public recognition that the achievement has been attained. (URL required) -_Possible answers: Met/Unmet_ +**Met** ## Accessibility and internationalization From 9091bc1751194762009b876a0a67175c0418753d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 21 Jun 2023 22:59:38 +0200 Subject: [PATCH 32/53] Update tools/ossf_best_practices/silver_criteria.md Co-authored-by: Marco Ippolito --- tools/ossf_best_practices/silver_criteria.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 9c416dd8..0f60108d 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -327,7 +327,8 @@ https://github.com/nodejs/node/blob/main/SECURITY.md > The project MUST use at least one static analysis tool with rules or approaches to look for common vulnerabilities in the analyzed language or environment, if there is at least one FLOSS tool that can implement this criterion in the selected language. -_Possible answers: Met/Unmet/NA_ +**Met** +https://github.com/nodejs/node/blob/main/doc/contributing/static-analysis.md ## Dynamic code analysis 
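Review bot: the `@@ -91,7 +91,7 @@` hunk answers `**Met**` with no link although the criterion text ends in "(URL required)"; add the URL of the repository front page or site section where the badge is displayed, otherwise the badge tool will not accept the answer. The `@@ -327,7 +327,8 @@` hunk is well evidenced: the static-analysis document describes a vulnerability-oriented tool, which is what the criterion asks for over and above ordinary linting.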
From 72337c0aea9317487a155de9b5cf4603ab0ffdce Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:35:50 +0200 Subject: [PATCH 33/53] feat: update responses Ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1167972353 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 0f60108d..a72e86ce 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -76,7 +76,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST document what the user can and cannot expect in terms of security from the software produced by the project (its "security requirements"). (URL required) **Met** -https://github.com/nodejs/node/blob/main/SECURITY.md +https://github.com/nodejs/node/blob/main/SECURITY.md and https://github.com/nodejs/node/blob/main/SECURITY.md#the-nodejs-threat-model > The project MUST provide a "quick start" guide for new users to help them quickly do something with the software. (URL required) From 245dd9656bf16b3378a1af3816ef7aeb58b2ac69 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:36:55 +0200 Subject: [PATCH 34/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1167972774 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index a72e86ce..b23973f5 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
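Review bot: the `@@ -76,7 +76,7 @@` hunk joins two URLs with "and" on one line, while every other answer in this file puts each URL on its own line; split them so the answer copies cleanly into the badge form. The substance is right: the threat-model anchor is the section that states what users can and cannot expect.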
@@ -102,7 +102,7 @@ _Possible answers: Met/Unmet/NA_ > The software produced by the project SHOULD be internationalized to enable easy localization for the target audience's culture, region, or language. If internationalization (i18n) does not apply (e.g., the software doesn't generate text intended for end-users and doesn't sort human-readable text), select "not applicable" (N/A) -_Possible answers: Met/Unmet/NA_ +**NA** ## Other From 0c09b4d8c031febe0d156ba910bc0a8d470d678e Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:40:28 +0200 Subject: [PATCH 35/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1167973646 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index b23973f5..c2d1bbea 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -225,7 +225,7 @@ _Possible answers: Met/Unmet/NA_ > An automated test suite MUST be applied on each check-in to a shared repository for at least one branch. This test suite MUST produce a report on test success or failure. -_Possible answers: Met/Unmet_ +**Met** > The project MUST add regression tests to an automated test suite for at least 50% of the bugs fixed within the last six months. From 4c286d63e1bfb1a1d3688f2514b37042a3d1d082 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:41:29 +0200 Subject: [PATCH 36/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1167973732 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index c2d1bbea..f57633e1 100644 --- a/tools/ossf_best_practices/silver_criteria.md 
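Review bot: the `@@ -102,7 +102,7 @@` hunk writes `**NA**` while the password-storage answer elsewhere in this series writes `**N/A**`; pick one spelling. The N/A itself needs a sentence of justification, because Node.js does emit human-readable error messages, and the criterion's N/A exception is for software that "doesn't generate text intended for end-users"; if the argument is that those messages target developers and are intentionally English-only, say so. The `@@ -225,7 +225,7 @@` hunk marks per-check-in automated testing `**Met**` with no reference; cite the CI that runs on every pull request (the GitHub Actions workflows under `.github/workflows` and the project's Jenkins CI), since the criterion also requires a visible success/failure report.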
+++ b/tools/ossf_best_practices/silver_criteria.md @@ -240,7 +240,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST have a formal written policy that as major new functionality is added, tests for the new functionality MUST be added to an automated test suite. -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST include, in its documented instructions for change proposals, the policy that tests are to be added for major new functionality. From 7b1b8ef1fe3c95d885b9713bd3b7fafa3fdd6f7e Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:42:46 +0200 Subject: [PATCH 37/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1167973798 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index f57633e1..adc3f826 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -244,7 +244,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST include, in its documented instructions for change proposals, the policy that tests are to be added for major new functionality. -_Possible answers: Met/Unmet/NA_ +**Met** ## Warning flags From a31b29567b4a5eca39e4621557640ed848a8417a Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:44:40 +0200 Subject: [PATCH 38/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1196296306 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index adc3f826..ccda3585 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
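Review bot: both `**Met**` answers on this line (`@@ -240,7 +240,7 @@` and `@@ -244,7 +244,7 @@`) concern a written policy, and a written policy is evidenced by a link to its text. Cite the sentence in the pull-request documentation that requires tests for new functionality and bug fixes, together with the contributor guide on writing tests, so that both the "formal written policy" and the "included in the change-proposal instructions" criteria point at the same documented requirement.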
@@ -98,7 +98,7 @@ The project repository front page and/or website MUST identify and hyperlink to > The project (both project sites and project results) SHOULD follow accessibility best practices so that persons with disabilities can still participate in the project and use the project results where it is reasonable to do so. -_Possible answers: Met/Unmet/NA_ +**Met** Tested with automatic tools, but there is no dedicated team for accessibility. > The software produced by the project SHOULD be internationalized to enable easy localization for the target audience's culture, region, or language. If internationalization (i18n) does not apply (e.g., the software doesn't generate text intended for end-users and doesn't sort human-readable text), select "not applicable" (N/A) From 31a69d5b5c4e7b3061bfd2ba292c006f793cf69c Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 23 Jun 2023 09:45:59 +0200 Subject: [PATCH 39/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1196321651 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ccda3585..2f389204 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
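Review bot: the `@@ -98,7 +98,7 @@` hunk's note "Tested with automatic tools, but there is no dedicated team for accessibility" is the right kind of honest answer, but it should name the surface tested (the nodejs.org site, the documentation pages, or both) and the tools used, since the criterion covers "both project sites and project results" and a reviewer cannot tell which of the two the automated checks applied to.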
@@ -298,7 +298,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public. If releases are not intended for widespread use, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#3-a-publicly-listed-gpg-key > It is SUGGESTED that in the version control system, each important version tag (a tag that is part of a major release, minor release, or fixes publicly noted vulnerabilities) be cryptographically signed and verifiable as described in [signed_releases](https://bestpractices.coreinfrastructure.org/en/projects/29?criteria_level=1#signed_releases). From c492e730fdc1c5eda3c292bf527b50620c058c33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 29 Jun 2023 08:25:20 +0200 Subject: [PATCH 40/53] Update tools/ossf_best_practices/silver_criteria.md --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 2f389204..e2bc28da 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -218,7 +218,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintainin > The project SHOULD avoid using deprecated or obsolete functions and APIs where FLOSS alternatives are available in the set of technology it uses (its "technology stack") and to a supermajority of the users the project supports (so that users have ready access to the alternative). -_Possible answers: Met/Unmet/NA_ +**Met** ## Automated test suite 
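Review bot: the `@@ -298,7 +298,7 @@` hunk cites the releaser-facing section on publicly listed GPG keys, but the criterion has three parts and the URL covers only the first. Add the user-facing verification instructions (the "Verifying binaries" steps in the README that check the signed `SHASUMS256.txt.asc`), and state explicitly that signing keys are held by individual releasers and are not present on the download hosts, because "private key MUST NOT be on site(s) used to directly distribute the software" is a MUST that the current evidence does not speak to. For the `@@ -218,7 +218,7 @@` hunk on deprecated APIs, link the deprecations documentation so the "Met" is verifiable.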
From 6d842e1564674439e804fd4ffc636c353e0bba6e Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 29 Jun 2023 08:27:47 +0200 Subject: [PATCH 41/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1239555893 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index e2bc28da..485d7dd7 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -229,7 +229,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintainin > The project MUST add regression tests to an automated test suite for at least 50% of the bugs fixed within the last six months. -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST have FLOSS automated test suite(s) that provide at least 80% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. From 8ba7500633c76fc7cd9ad7642a80a50ca1c15212 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 29 Jun 2023 08:30:03 +0200 Subject: [PATCH 42/53] feat: update responses Ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1239766525 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 485d7dd7..083a65a1 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
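Review bot: the `@@ -229,7 +229,7 @@` hunk claims regression tests for at least 50% of bugs fixed in the last six months without saying how that figure was established. Either cite the policy that makes a test mandatory for bug-fix pull requests (which implies the threshold is met by construction) or give the sampling used; an unsupported percentage is the kind of answer a badge audit reopens.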
@@ -233,7 +233,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintainin > The project MUST have FLOSS automated test suite(s) that provide at least 80% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. -_Possible answers: Met/Unmet/NA_ +**Met** https://app.codecov.io/gh/nodejs/node ## New functionality testing From a83a6e980b4c21104f41f8edaccd360f4b26fda9 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 29 Jun 2023 08:32:21 +0200 Subject: [PATCH 43/53] feat: update responses Ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1244101360 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 083a65a1..8e7d10f8 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -67,7 +67,7 @@ https://github.com/nodejs/node/blob/main/README.md#current-project-team-members > The project MUST have a documented roadmap that describes what the project intends to do and not do for at least the next year. (URL required) -_Possible answers: Met/Unmet_ +**Met** https://github.com/nodejs/node/blob/HEAD/doc/contributing/strategic-initiatives.md The project MUST include documentation of the architecture (aka high-level design) of the software produced by the project. If the project does not produce software, select "not applicable" (N/A). (URL required) From 582d364544f29f6cc1bfa775ce9f76e9b85e6e21 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 29 Jun 2023 08:34:02 +0200 Subject: [PATCH 44/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1245714384 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
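Review bot: the `@@ -67,7 +67,7 @@` hunk links through `blob/HEAD/` while every other repository link in this file uses `blob/main/`; make it consistent. More substantively, the strategic-initiatives document lists ongoing efforts, whereas the criterion asks what the project intends to do "and not do" for at least the next year; add the release schedule, which does fix the next year's supported lines and dates, and a sentence on what is out of scope. In the `@@ -233,7 +233,7 @@` hunk the Codecov dashboard is acceptable evidence for the 80% statement-coverage criterion, but the badge reviewer needs to see the number, so name the current overall figure next to the link.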
diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 8e7d10f8..ba5b9255 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -71,7 +71,7 @@ https://github.com/nodejs/node/blob/main/README.md#current-project-team-members The project MUST include documentation of the architecture (aka high-level design) of the software produced by the project. If the project does not produce software, select "not applicable" (N/A). (URL required) -_Possible answers: Met/Unmet/NA_ +**Met** https://github.com/nodejs/node/tree/main/doc/contributing > The project MUST document what the user can and cannot expect in terms of security from the software produced by the project (its "security requirements"). (URL required) From 20c4287e5fa9083a7da988bd667a3f1340f0d86b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 29 Jun 2023 08:35:02 +0200 Subject: [PATCH 45/53] Update tools/ossf_best_practices/silver_criteria.md --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ba5b9255..55faf05e 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
@@ -86,7 +86,7 @@ https://nodejs.dev/en/learn/ The project MUST make an effort to keep the documentation consistent with the current version of the project results (including software produced by the project). Any known documentation defects making it inconsistent MUST be fixed. If the documentation is generally current, but erroneously includes some older information that is no longer true, just treat that as a defect, then track and fix as usual. -_Possible answers: Met/Unmet/NA_ +**Met** The project repository front page and/or website MUST identify and hyperlink to any achievements, including this best practices badge, within 48 hours of public recognition that the achievement has been attained. (URL required) From 93bbe44016bd36c3d4273de1f097e8093c5d304f Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 29 Jun 2023 08:38:19 +0200 Subject: [PATCH 46/53] feat: update responses Ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1245718788 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ba5b9255..587e84c5 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
@@ -280,7 +280,7 @@ _Possible answers: Met/Unmet/NA_ > The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**N/A** > The software produced by the project SHOULD, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). From f6dbb3f5d6c65c5803a21ce428bae358b4c07598 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 7 Jul 2023 09:49:37 +0200 Subject: [PATCH 47/53] feat: update responses --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 230c305e..99f34927 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -176,7 +176,7 @@ _Possible answers: Met/Unmet/NA_ > The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Unmet** ## Installation system From 80520539e11cc910ef838962808e7023f514f7f6 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 7 Jul 2023 09:51:24 +0200 Subject: [PATCH 48/53] feat: update responses --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 99f34927..43dad149 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -268,7 +268,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The default security mechanisms within the software produced by the project MUST NOT depend on cryptographic algorithms or modes with known serious weaknesses (e.g., the SHA-1 cryptographic hash algorithm or the CBC mode in SSH). -_Possible answers: Met/Unmet/NA_ +**Met** > The project SHOULD support multiple cryptographic algorithms, so users can quickly switch if one is broken. Common symmetric key algorithms include AES, Twofish, and Serpent. Common cryptographic hash algorithm alternatives include SHA-2 (including SHA-224, SHA-256, SHA-384 AND SHA-512) and SHA-3. From c5b47414a0e87f0bd10c004fb1cc8d694296564d Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Fri, 7 Jul 2023 09:54:59 +0200 Subject: [PATCH 49/53] feat: update responses --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 43dad149..129606c6 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -250,7 +250,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintainin > Projects MUST be maximally strict with warnings in the software produced by the project, where practical. -_Possible answers: Met/Unmet/NA_ +**Met** # Security From af5da072174f4867e16679a905c5f6f477f3507a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 20 Jul 2023 16:17:01 +0200 Subject: [PATCH 50/53] Update tools/ossf_best_practices/silver_criteria.md --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 129606c6..7973b2ec 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -288,7 +288,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select "not applicable" (N/A). From 46c58121ff4d30664a5165ac1843379b5dedf2f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 20 Jul 2023 16:17:37 +0200 Subject: [PATCH 51/53] Update tools/ossf_best_practices/silver_criteria.md --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index 7973b2ec..fa56711f 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md 
@@ -292,7 +292,7 @@ _Note that some software does not need to use cryptographic mechanisms. If your > The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** ## Secure release From 98fcafb6dcde9b13f31583ec5aa93b7e604056ff Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Mon, 31 Jul 2023 14:51:48 +0200 Subject: [PATCH 52/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1279249698 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index fa56711f..ce08724e 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -172,7 +172,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/cpp-style-guide.md > The build system for the software produced by the project MUST NOT recursively build subdirectories if there are cross-dependencies in the subdirectories. If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). -_Possible answers: Met/Unmet/NA_ +**Met** > The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). From 9c683bd6902560569f5bb019feda5c65335f21ba Mon Sep 17 00:00:00 2001 
From: Ulises Gascon Date: Mon, 31 Jul 2023 14:57:48 +0200 Subject: [PATCH 53/53] feat: update responses ref: https://github.com/nodejs/security-wg/pull/955#discussion_r1279257647 --- tools/ossf_best_practices/silver_criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ossf_best_practices/silver_criteria.md b/tools/ossf_best_practices/silver_criteria.md index ce08724e..1f5a7fb2 100644 --- a/tools/ossf_best_practices/silver_criteria.md +++ b/tools/ossf_best_practices/silver_criteria.md @@ -313,7 +313,7 @@ https://github.com/nodejs/node/blob/main/doc/contributing/releases.md#11-tag-and > Hardening mechanisms SHOULD be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. -_Possible answers: Met/Unmet/NA_ +**NA** > The project MUST provide an assurance case that justifies why its security requirements are met. The assurance case MUST include: a description of the threat model, clear identification of trust boundaries, an argument that secure design principles have been applied, and an argument that common implementation security weaknesses have been countered. (URL required)
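Review bot: In PATCH 41/53 (hunk @@ -229,7), the regression-test criterion is answered with a bare `**Met**` and no supporting evidence, while the neighbouring answers in this series (PATCH 42/53, 43/53, 44/53) cite a URL. The "at least 50% of the bugs fixed within the last six months" threshold is a measurable claim; suggest adding a line after `**Met**` that points at the policy requiring tests with bug fixes, or states how the ratio was estimated, so a badge reviewer can check it.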
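Review bot: In PATCH 43/53 (hunk @@ -67,7), the roadmap URL uses the `HEAD` ref (`https://github.com/nodejs/node/blob/HEAD/doc/contributing/strategic-initiatives.md`) while every other link in this file uses `main` (compare the hunk's own context line `https://github.com/nodejs/node/blob/main/README.md#current-project-team-members`). Both resolve today, but suggest `blob/main/` for consistency with the rest of the document.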
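Review bot: In PATCH 44/53 (hunk @@ -71,7), the architecture-documentation criterion is answered `**Met**` with a link to an entire directory (`https://github.com/nodejs/node/tree/main/doc/contributing`) rather than to a document describing the high-level design. Since this criterion is marked "(URL required)", point at the specific file or files that describe the architecture so the reviewer does not have to search the tree to verify the answer.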
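Review bot: In PATCH 46/53 (hunk @@ -280,7), `**N/A**` for the secure-protocols criterion is inconsistent with later patches in this series: PATCH 50/53 and PATCH 51/53 answer the TLS certificate-verification criteria `**Met**`, which presupposes that the software does support network communications. The quoted criterion only allows N/A when the software "does not support network communications", so suggest answering Met or Unmet with a one-line justification, or adding a sentence explaining why N/A is appropriate for a runtime that exposes network APIs. Minor: this hunk writes `**N/A**` while PATCH 53/53 writes `**NA**`; pick one spelling for the file.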
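Review bot: In PATCH 47/53 (hunk @@ -176,7), the reproducible-build (bit-for-bit) criterion becomes `**Unmet**` with no explanation. Because this is a MUST criterion, a short note after `**Unmet**` on what is missing, plus a link to a tracking issue if one exists, would let the status be revisited later instead of being re-investigated from scratch.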
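Review bot: In PATCH 48/53 (hunk @@ -268,7), the answer that default security mechanisms do not depend on weak algorithms (SHA-1, CBC in SSH) is a bare `**Met**`; the same applies to the TLS verification answers in PATCH 50/53 (hunk @@ -288,7) and PATCH 51/53 (hunk @@ -292,7). These are the claims a badge reviewer is most likely to probe, so suggest one sentence each naming the default that was checked (which hash and TLS defaults, and that certificate verification is on by default) rather than leaving the answer unsupported.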
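Review bot: In PATCH 53/53 (hunk @@ -313,7), `**NA**` for the hardening-mechanisms criterion looks wrong: unlike the neighbouring criteria, the quoted text gives no condition under which N/A applies, and Node.js ships compiled native code to which compiler and linker hardening mechanisms apply. Suggest Met or Unmet with a brief justification; and use the same `N/A` spelling as PATCH 46/53.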