nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Initiative for CII-Best-Practices for Nodejs Projects #953

Open UlisesGascon opened 1 year ago

UlisesGascon commented 1 year ago

As commented in #884, it seems like there is interest in exploring this idea.

Context

I discovered that we already completed the process for Nodejs; the last update was on 2016-05-19.

I believe we can review the current status and check if we need to update some of the answers. Also it might be quite interesting to see if we can achieve Silver or Gold level.

More information in OpenSSF Best Practices Badge Program

Next steps

UlisesGascon commented 1 year ago

@rvagg can you add me to the https://bestpractices.coreinfrastructure.org/en/projects/29? We will need to make some changes soon in order to merge #954

rvagg commented 1 year ago

Sorry @UlisesGascon, this one fell off my notification list in my general cull of incoming notifications, only an email from @mhdawson pointed me to it.

Entry created on 2015-11-02

This is a lifetime ago, so it's something expunged from my memory, I clicked through to the page wondering why I was being pinged about it .. but my name's on it! Project #29 in CII Best Practices, I remember now when that thing started and thinking it was a good idea .. early adopters!

I actually can't find any place where I can "add" or even transfer the thing, it looks like it's just me. I guess we could email and ask them to transfer it to someone else? Or if you want to list items that you want to edit in this thread I could go and do them. Lots of stuff to fill out for Silver and Gold but if you want to tell me which ones to tick I could go and do that.

UlisesGascon commented 1 year ago

Thanks @rvagg for the update, seems like we are early adopters 😃

> I actually can't find any place where I can "add" or even transfer the thing, it looks like it's just me. I guess we could email and ask them to transfer it to someone else? Or if you want to list items that you want to edit in this thread I could go and do them. Lots of stuff to fill out for Silver and Gold but if you want to tell me which ones to tick I could go and do that.

I was not able to find it either, so I guess this feature is not yet implemented. Can you help us update the records for the entry-level form? In PR #954 we discussed what should be included. Comparing the first and the last commit, https://github.com/nodejs/security-wg/compare/84945b0..1eeb152, makes it easier to visualize what has changed from the current responses.

If you prefer me to do it, you can share your credentials with us (if you are using user/pass login) in the private repository 👍

We are now working on the Silver questionnaire in #955.

rvagg commented 1 year ago

> if you are using user/pass login

GitHub login unfortunately!

Next problem is that their form doesn't work! I can edit "passing" and "gold" but not "silver", when I go to the edit link (https://bestpractices.coreinfrastructure.org/en/projects/29/edit?criteria_level=1) it redirects back to https://bestpractices.coreinfrastructure.org/en.

I'll email them and also see if I can convert the login to user/pass or add people to it, or something.

rvagg commented 1 year ago

Opened https://github.com/coreinfrastructure/best-practices-badge/issues/1983 about the edit problem, emailed them about the login setup.

rvagg commented 1 year ago

... and https://github.com/coreinfrastructure/best-practices-badge/issues/1984 about email problems

rvagg commented 1 year ago

Passing criteria all updated to match the diff now. Silver editing got fixed so I should be able to do that too when needed.

mhdawson commented 1 year ago

@rvagg thanks for opening those issues. Does it make sense to open an issue asking how we transfer ownership so that you don't need to be in the loop?

rvagg commented 1 year ago

I asked via email, no response yet.

mhdawson commented 1 year ago

k thanks.

UlisesGascon commented 1 year ago

Hi @rvagg! Good news! The silver responses are ready in https://github.com/nodejs/security-wg/commit/b93ef8e230ddb13d8e0b1e1428b6b0c1d890c419. Can you help us to add them in the website?

rvagg commented 1 year ago

I've done the updates, but as I noted in the commit all of the entries require justification - text and/or a URL, I stopped commenting in the commit because there's so many without. Even the N/A ones want justification. But I found I could submit without filling those out, even though they said "Required", but now on the page you should see lots of Warning: Requires lengthier justification.

UlisesGascon commented 1 year ago

Thanks @rvagg I will re-check all the responses and add the missing URLs/texts.

UlisesGascon commented 1 year ago

@rvagg I created this PR with some additional information and URLs: https://github.com/nodejs/security-wg/pull/1087. Let me know if we are missing more details. :)

github-actions[bot] commented 11 months ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

ljharb commented 11 months ago

Silver and gold percentages still could use some improvements, so “bump”

github-actions[bot] commented 8 months ago

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

UlisesGascon commented 7 months ago

> Opened coreinfrastructure/best-practices-badge#1983 about the edit problem, emailed them about the login setup.

Did they confirm whether it is possible to transfer the ownership, @rvagg?

rvagg commented 7 months ago

No response to email I sent in June to cii-badges-questions@lists.coreinfrastructure.org; does someone here want to follow up and figure out how best to get in touch with these guys? Loop me in and I'm happy to confirm that I approve of transferring ownership. Opening a GitHub issue might be an alternative approach.

UlisesGascon commented 7 months ago

> does someone here want to follow up and figure out how best to get in touch with these guys?

Let me see if I have better luck; I am also in the OSSF Slack, so maybe I can make some progress :+1:

david-a-wheeler commented 6 months ago

Hi! I'm sorry, I didn't see your requests before!! Please let me try to fix things, now that you have my attention!!

> No response to email I sent in June to cii-badges-questions@lists.coreinfrastructure.org; does someone here want to follow up and figure out how best to get in touch with these guys? Loop me in and I'm happy to confirm that I approve of transferring ownership. Opening a GitHub issue might be an alternative approach.

Oh no! I'm sorry. We never saw those messages. We stopped supporting the email address cii-badges-questions@lists.coreinfrastructure.org a while ago, and it's not listed on the bestpractices.dev website. There was too much spam, it doesn't track things, it doesn't allow comments by others, and so on. I guess since you were early adopters you had that old email address and kept using it. The current requested approach is to open a GitHub issue (that's the process we recommend at the bottom of every page of the website). If we don't respond, you can also email me directly (I'm technical lead). That is dwheeler AT linuxfoundation DOT org and tell me to get going :-).

We'd be happy to transfer ownership! We just need the project numeric id, which is 29 for Nodejs, and the user id of the new owner (currently 24 for Rod Vagg). Normally the original owner and new owner have to approve, which we verify manually. GitHub verifies people's identities, so if Rod states the request in this issue (including who it goes to), or a new issue on our GitHub site, that'll work. If the new owner doesn't have an account on the best practices site, please create it. Ownership transfers have been rare, so we don't have an automated process for it yet.

You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

> I've done the updates, but as I noted in the commit all of the entries require justification - text and/or a URL, I stopped commenting in the commit because there's so many without. Even the N/A ones want justification. But I found I could submit without filling those out, even though they said "Required", but now on the page you should see lots of Warning: Requires lengthier justification.

Yes, that's as intended. Especially at the silver & gold level, we don't just want assertions that something is true - we want evidence that it's true. In many cases we require a URL to point to the evidence (so you can update your documents using your usual processes, instead of mucking with the badge entry every time). So you can say it's true, but it won't count until you point to the evidence. We don't need a PhD dissertation, just a pointer to evidence.

Anyway, sorry your emails got unintentionally blackholed. Now that we're talking with each other, we want to make it successful! A lot of people depend on Nodejs; we want you to be successful and show others your awesome results.

rvagg commented 6 months ago

@david-a-wheeler

> You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

Can you explain this a bit more? I haven't been able to find such an option, and I just went back and poked around and the only thing I seem to be able to do is edit my personal account info or the criteria for the project. Is this something I have to ask you or someone else with access to add?

I'd be fine transferring it entirely to someone from the TSC (https://github.com/nodejs/node#tsc-technical-steering-committee) or a proxy they're happy to have own this. Or, if I can just add people, I'd be happy to add any of the active people in this security working group (https://github.com/nodejs/security-wg?tab=readme-ov-file#current-project-team-members).

david-a-wheeler commented 6 months ago

> You do not need to own the badge entry to be able to edit it. The owner can add anyone else as an authorized editor of the badge entry.

> Can you explain this a bit more? I haven't been able to find such an option, and I just went back and poked around and the only thing I seem to be able to do is edit my personal account info or the criteria for the project. Is this something I have to ask you or someone else with access to add?

Gladly! Every badge entry has an "owner" but possibly many "editors". The owner or editors can add new editors. This is only visible when you edit the passing badge (most people don't care about who the editors are). After logging in, you can go here: https://www.bestpractices.dev/en/projects/29/edit?criteria_level=0

And drop to: (Advanced) What other users have additional rights to edit this badge entry? Currently: []

One thing we haven't implemented automatically is ownership changes. We can do that for you, but that's something we have to do manually (it's really rare, which is why we don't have an online mechanism for it yet).

> I'd be fine transferring it entirely to someone from the TSC (https://github.com/nodejs/node#tsc-technical-steering-committee) or a proxy they're happy to own this. Or, if I can just add people, I'd add be happy to add any of the active people in this security working group (https://github.com/nodejs/security-wg?tab=readme-ov-file#current-project-team-members).

That's entirely up to you! Let us know what you want, we'll make it happen. Basically, tell us who the "owner" should be. You can then add whoever should be editor (though we can set up a starter set to make your life easy).

rvagg commented 6 months ago

great, got it! @UlisesGascon do you want editorship? Can you make an account on https://www.bestpractices.dev/ and give me your "user id" (I think that's the integer representing your account).

UlisesGascon commented 6 months ago

> do you want editorship?

Yeah! I think it is 26967, based on the profile details.

rvagg commented 6 months ago

cool, give that a go now @UlisesGascon, do you get the "Edit" on https://www.bestpractices.dev/en/projects/29 ?

UlisesGascon commented 6 months ago

Yes! It is working, I can edit now :partying_face:

david-a-wheeler commented 6 months ago

Excellent! If there's something you need us to do, have questions, etc., just let us know.

mhdawson commented 6 months ago

@david-a-wheeler can we create a nodejs-tsc account on https://www.bestpractices.dev and then have @rvagg transfer ownership over to that user? That would allow us to best manage this going forward. We can have editors like @UlisesGascon who manage our updates, and the nodejs-tsc account would allow us to recover and add new editors if/when that is needed.

github-actions[bot] commented 3 months ago

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] commented 1 week ago

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

ljharb commented 1 week ago

i guess the “never stale” label isn’t respected

RafaelGSS commented 1 week ago

I think it was because the label was named with a dash (-) -- never-stale instead of never stale. I have just fixed it.