-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CII-Best-Practices for Nodejs: Gold level #956
base: main
Are you sure you want to change the base?
Conversation
@UlisesGascon overall a great pass though. One general suggestion is that we should probably include your comments on why met/unmet into what is landed as part of the PR versus just additional comments in the PR review? |
So the PR is back! Ready for review and feedback @nodejs/security . I added links to the documentation and the previous discussions. |
Context: | ||
- [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) | ||
|
||
> The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Check if we met the 90% percentage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've no idea if https://app.codecov.io/gh/nodejs/node is able to show statement coverage (it's showing line coverage).
https://github.com/nodejs/node/actions/workflows/coverage-linux.yml?query=branch%3Amain is reporting 95.5% statement coverage in the most recent run for JS code (via c8, see the "Report JS" twisty) but unfortunately no summary/easily readable numbers for the C++ code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I created this issue to follow up with the discussion. #1188
- [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_statement_coverage90) | ||
- [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405014) | ||
|
||
> The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to check it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I created this issue to follow up with the discussion. #1188
|
||
## Secured delivery against man-in-the-middle (MITM) attacks | ||
|
||
> The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to understand it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I created this issue to follow up with the discussion. #1190
@UlisesGascon could you summarize to us what's missing to conclude this initiative/pr? Just #1190? |
This seems like something that shouldn't ever go stale? |
Initiative: #953
Related: #955 and #1087
This pull request contains a dump of the current questions and answers for the Node.js project in OpenSSF Best Practices for Gold Level. The purpose is to review the current answers, update and comment on them until we have a final version, and then update the OpenSSF Best Practices site.