ccc-certifier-framework / certifier-framework-for-confidential-computing

The Confidential Computing Certifier Framework consists of a client API called the Certifier-API and server-based policy evaluation called the Certifier Service. It simplifies and unifies programming and operations support for multi-vendor Confidential Computing platforms by providing support for scalable, policy-driven trust management including
Apache License 2.0
56 stars, 16 forks

OpenSSF Badge Updated #246

Closed Salkimmich closed 4 months ago

Salkimmich commented 6 months ago

Project OpenSSF badge score added to the project documentation.

If you can provide a URL to your tooling, or a brief explanation of why NOT using analysis tools on this project, I will be able to update this score to 100%:

  1. At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language.

  2. It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release, but not mandatory.

gapisback commented 6 months ago

Hi, @Salkimmich -- Thanks for moving this procedural work item forward.

I have assigned this to myself as I have been doing some codeline management for this project. I am cc'ing my colleagues @yelvmw and @jlmucb for their attention.

I'd like to better understand what the ask is with this comment in your note regarding (1) 'At least one static code analysis tool ...' and (2) 'SUGGESTED that at least one dynamic analysis tool be applied...'

I'm not sure I understand whether your PR just needs a 'rubber-stamp' approval note from one of us, or whether the ask is that, in order for your change to go in, we need to implement either one of, or both, (1) and (2) above.

I'm eager to make sure that our codeline is up to snuff w.r.t. all these analysis tools, except that we have not spent any time getting those running.

Questions for your advice & guidance:

  1. What are the recommended static code analysis tools one usually would apply to such a C++/C project?

  2. I found this Flare-floss repo on GitHub and this FLOSS v2.0 article from Mandiant. Are these the kinds of tools we need to implement?

  3. Is there any CCC-recommended FLOSS tool that is the de facto standard to apply to projects like ours?

  4. What are CCC-recommended dynamic analysis tools? I'd like to do some investigation to evaluate what [effort] it would take to roll those in (at a future date).

  5. Finally, could you point me to some other companion projects under CCC which have implemented static and/or dynamic analysis tools? I could use those as a code reference to figure out what to do for our project.

Thanks for any pointers you can provide.
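As an added illustration for the tool questions above (editor's example, not code from the certifier-framework project and not part of any comment in this thread): the "before" function below is the kind of defect that a FLOSS static analyser for C/C++ reports at build time (clang-tidy's `clang-analyzer-security.insecureAPI.strcpy` check flags the unbounded `strcpy`; cppcheck, clang's `scan-build` and CodeQL are the other commonly used static tools), and that a dynamic-analysis build catches at run time (an AddressSanitizer/UBSan build with `-fsanitize=address,undefined`, or `valgrind`, aborts on the overflow when the input exceeds 15 bytes). The "after" function is a hardened form that rejects oversized input instead of overflowing or silently truncating. The buffer size, function names and sample strings are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Editor's example, not certifier-framework code. Typical invocations
 * that would exercise this file (all FLOSS tools):
 *   static:  clang-tidy example.c -- -std=c11
 *            cppcheck --enable=warning,style --error-exitcode=1 example.c
 *            scan-build cc -c example.c
 *   dynamic: cc -g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer example.c && ./a.out
 *            valgrind --error-exitcode=1 ./a.out
 */

#define NAME_MAX_LEN 16   /* assumed fixed buffer size, including the NUL */

/* BEFORE: unbounded copy into a fixed-size stack buffer.
 * clang-tidy flags the strcpy; an ASan build aborts here for any src
 * of NAME_MAX_LEN or more bytes. Returns the copied length so the
 * function can be exercised with a short (safe) input. */
size_t unsafe_copy_name(const char *src)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, src);            /* stack buffer overflow when strlen(src) >= 16 */
    return strlen(buf);
}

/* AFTER: bounded copy that refuses input which does not fit.
 * Returns 0 and fills dst on success; returns -1 and leaves dst as an
 * empty string when dst is unusable, src is NULL, or src needs more
 * than dstlen bytes (including the terminator). Truncation is never
 * silent, so the caller always learns that the input was rejected. */
int copy_name_checked(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    size_t n = strnlen(src, dstlen);   /* never reads past dstlen bytes of src */
    if (n >= dstlen)
        return -1;                     /* no room for the NUL terminator */
    memcpy(dst, src, n + 1);           /* n + 1 <= dstlen, copies the NUL too */
    return 0;
}

int main(void)
{
    char out[NAME_MAX_LEN];
    /* constructed inputs: 15 bytes fits, 16 bytes does not */
    int ok  = copy_name_checked(out, sizeof out, "0123456789abcde");
    printf("15-byte name: rc=%d value=\"%s\"\n", ok, out);
    int bad = copy_name_checked(out, sizeof out, "0123456789abcdef");
    printf("16-byte name: rc=%d value=\"%s\"\n", bad, out);
    /* Uncommenting the next line under -fsanitize=address aborts with a
     * stack-buffer-overflow report; under a plain build it is silent UB. */
    /* unsafe_copy_name("0123456789abcdef"); */
    return 0;
}
```

The point for the badge criteria: the static tool reports the `strcpy` without running anything, which is what criterion (1) asks for before a release; the sanitizer build only reports the bug when a test actually drives an oversized input through it, which is why criterion (2) pairs dynamic analysis with a test suite or fuzzer (libFuzzer/AFL++ are the usual FLOSS choices for C/C++).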

dcmiddle commented 6 months ago

You can accept the PR to add the badge tracking to your project independently of having completed the badge. Separately, you should, as maintainers, walk through the badge questions together so that you are all on the same page for these security practices. As you complete them and update the tracking, that will automatically be reflected through this widget.