
Update baseline.yaml - NEW - OSPS-DO-15 #118

Open
wants to merge 2 commits into base: main

Conversation

SecurityCRob (Contributor)

added new criteria proposal OSPS-DO-15 - around dependency selection process for projects


Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
baseline.yaml (outdated review thread)
Comment on lines +656 to +658
The project documentation MUST include a
descriptive statement about how the project
selects, obtains, and tracks its dependencies.


Can we pivot this from "project documentation describes" to something with more teeth? e.g.

- id: OSPS-QA-08
  category: Quality
  criteria: |
    The project has implemented automated review of
    changes to enforce a project-selected dependency
    policy.

It's not clear from this criteria whether something that says "if you add a package, remember to update package.json, we don't check in package-lock.json" could meet the maturity_level: 2 standard. (I'd hope not, but it is a descriptive statement about how the project obtains and tracks its dependencies...)

Contributor

These might be two separate things. You can't check against a policy that you don't have, so maybe having any policy is level 1 and your suggestion is level 2?

@evankanderson

Additionally, having a dependency-quality-check as automation would tie in well with OSPS-QA-04 around requiring status checks to pass.
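A concrete instance of the automated dependency-policy review proposed above, and of the kind of check that could run as a required status check per the OSPS-QA-04 tie-in, as an added example that is not part of the baseline project or this PR. The allow-list, the lockfile requirement and the exact-pinning rule are assumptions standing in for whatever policy a project actually selects; the manifests are constructed sample input.

```python
"""Dependency-policy gate for a proposed change to package.json.

Added example (not project code). The policy below is hypothetical:
new runtime dependencies must be allow-listed, dependency versions must
be pinned exactly, and any manifest change must also update the lockfile.
"""
import json

ALLOWED_DEPENDENCIES = {"express", "lodash"}   # assumed project allow-list
LOCKFILE = "package-lock.json"                  # assumed lockfile name


def dependency_policy_violations(old_manifest: str, new_manifest: str,
                                 changed_files: set[str]) -> list[str]:
    """Return policy violations for a change (empty list means compliant).

    old_manifest / new_manifest: package.json text before and after.
    changed_files: paths touched by the change, as a CI job would see them.
    """
    old = json.loads(old_manifest)
    new = json.loads(new_manifest)
    violations = []
    for section in ("dependencies", "devDependencies"):
        before = old.get(section, {})
        after = new.get(section, {})
        if before != after and LOCKFILE not in changed_files:
            violations.append(f"{section} changed but {LOCKFILE} was not updated")
        for name, spec in after.items():
            if name not in before and name not in ALLOWED_DEPENDENCIES:
                violations.append(f"{name} is not on the dependency allow-list")
            # Only newly added or re-versioned entries are checked for pinning;
            # a range such as ^1.3.0 or ~1.0 is rejected, 1.3.0 is accepted.
            if spec != before.get(name) and not spec[:1].isdigit():
                violations.append(f"{name} must be pinned exactly, got {spec!r}")
    return violations


# Constructed sample manifests: one risky change, one compliant change.
OLD_MANIFEST = '{"dependencies": {"express": "4.19.2"}}'
RISKY_MANIFEST = '{"dependencies": {"express": "4.19.2", "left-pad": "^1.3.0"}}'
COMPLIANT_MANIFEST = '{"dependencies": {"express": "4.19.2", "lodash": "4.17.21"}}'

if __name__ == "__main__":
    for v in dependency_policy_violations(OLD_MANIFEST, RISKY_MANIFEST, {"package.json"}):
        print("BLOCK:", v)
    print("compliant:", dependency_policy_violations(
        OLD_MANIFEST, COMPLIANT_MANIFEST, {"package.json", LOCKFILE}) == [])
```

In CI the non-empty list would fail the job, which is what makes the policy enforceable as a status check rather than only described in documentation.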

@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 18, 2024
fixed indent?

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
3 participants