oscal-compass / community

OSCAL Compass community-wide collaboration space
Apache License 2.0

Complete OpenSSF Best Practices Badge #79

Open degenaro opened 1 week ago

degenaro commented 1 week ago

As part of the CNCF on-boarding process, the oscal-compass project needed to begin the OpenSSF Best Practices Badge. The initial badge assessment is 21% completed for basics.

This epic issue is in place to track the progress towards 100% completion.

degenaro commented 1 week ago

OpenSSF issue: The information on how to contribute SHOULD include the requirements for acceptable contributions (e.g., a reference to any required coding standard). (URL required)

Pending: https://github.com/oscal-compass/compliance-trestle/pull/1686

degenaro commented 1 week ago

OpenSSF issue: The project website MUST provide information on how to: obtain, provide feedback (as bug reports or enhancements), and contribute to the software.

Response:

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project website MUST succinctly describe what the software does (what problem does it solve?).

Response:

https://github.com/oscal-compass/compliance-trestle#:~:text=as%20trestle)-,Trestle,-is%20an%20ensemble

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project MUST provide reference documentation that describes the external interface (both input and output) of the software produced by the project.

Response:

https://oscal-compass.github.io/compliance-trestle/cli/
https://oscal-compass.github.io/compliance-trestle/trestle_author/
https://oscal-compass.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring/

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases.

Response: https://github.com/oscal-compass/compliance-trestle/blob/develop/CONTRIBUTING.md#trestle-merging-and-release-workflow

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project SHOULD provide documentation in English and be able to accept bug reports and comments about code in English.

Response:

documentation - https://oscal-compass.github.io/compliance-trestle/
bug reports - https://github.com/oscal-compass/compliance-trestle/issues/new/choose

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project results MUST have a unique version identifier for each release intended to be used by users.

Response: Releases are published to pypi https://pypi.org/project/compliance-trestle/#history with unique version numbers.

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases.

Response: trestle employs git, branches & forks, and releases using semantic versioning. https://github.com/oscal-compass/compliance-trestle/blob/develop/CONTRIBUTING.md#trestle-merging-and-release-workflow

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: It is SUGGESTED that the Semantic Versioning (SemVer) or Calendar Versioning (CalVer) version numbering format be used for releases. It is SUGGESTED that those who use CalVer include a micro level value.

Response: None (no space provided)

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags.

Response:

trestle employs semantic versioning to create tagged releases. https://github.com/oscal-compass/compliance-trestle/tags

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The release notes MUST identify every publicly known run-time vulnerability fixed in this release that already had a CVE assignment or similar when the release was created. This criterion may be marked as not applicable (N/A) if users typically cannot practically update the software themselves (e.g., as is often true for kernel updates). This criterion applies only to the project results, not to its dependencies. If there are no release notes or there have been no publicly known vulnerabilities, choose N/A.

Response: No CVEs reported.

PR: None

Done: Select N/A

degenaro commented 1 week ago

Current status: [image]

degenaro commented 1 week ago

OpenSSF issue: The project MUST provide a process for users to submit bug reports (e.g., using an issue tracker or a mailing list). (URL required)

Response:

Bugs are reported under GIT by creating a report using the new issue button. https://github.com/oscal-compass/compliance-trestle/issues

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project SHOULD use an issue tracker for tracking individual issues.

Response:

Reports are tracked under GIT issues. https://github.com/oscal-compass/compliance-trestle/issues

New issues are reviewed at least bi-weekly by the maintainers.

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix.

Response: The maintainers meet at least bi-weekly to triage issues. https://hackmd.io/sOTSVVS2SqS_knn5-c4STA?both

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive).

Response: The maintainers meet at least bi-weekly to triage issues. The maintainers' intent is to respond to 100% of issues. Some may be closed as won't fix. Some may be put on the backlog. Some may be added to an upcoming milestone.

https://github.com/oscal-compass/compliance-trestle/issues https://hackmd.io/sOTSVVS2SqS_knn5-c4STA?both

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project MUST have a publicly available archive for reports and responses for later searching.

Response: Issues are tracked in GIT.

PR: None

Done: Select Met choice

degenaro commented 1 week ago

OpenSSF issue: The project MUST publish the process for reporting vulnerabilities on the project site.

Response: Vulnerability reporting is covered here: https://github.com/oscal-compass/compliance-trestle/security/policy

PR: None

Done: Select Met choice

degenaro commented 4 days ago

OpenSSF issue: The project's initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days.

Response: no vulnerabilities reported in the last 6 months

PR: None

Done: Select N/A

degenaro commented 4 days ago

OpenSSF issue: The project SHOULD be buildable using only FLOSS tools.

Response: All of the tools used are FLOSS. See https://github.com/oscal-compass/compliance-trestle/blob/develop/setup.cfg

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project). The project MUST clearly show or document how to run the test suite(s) (e.g., via a continuous integration (CI) script or via documentation in files such as BUILD.md, README.md, or CONTRIBUTING.md).

Response:

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: A test suite SHOULD be invocable in a standard way for that language.

Response: The contributing guide has instructions on how to run the tests, see https://github.com/oscal-compass/compliance-trestle/blob/develop/CONTRIBUTING.md#setup---developing-trestle

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: It is SUGGESTED that the test suite cover most (or ideally all) the code branches, input fields, and functionality.

Response: The CI/CD pipeline for PRs comprises Sonar Cloud with a test coverage requirement > 90%, see https://sonarcloud.io/summary/overall?id=compliance-trestle

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: Use basic good cryptographic practices

Response: software produced by the project does not need to use cryptographic mechanisms

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: The project MUST have a general policy (formal or not) that as major new functionality is added to the software produced by the project, tests of that functionality should be added to an automated test suite.

Response:

PR: None

Done: Select Met

degenaro commented 4 days ago

OpenSSF issue: It is SUGGESTED that the project implement continuous integration (where new or changed code is frequently integrated into a central code repository and automated tests are run on the result).

Response: The code delivery process including CI is covered here https://github.com/oscal-compass/compliance-trestle/blob/develop/CONTRIBUTING.md#trestle-merging-and-release-workflow

PR: None

Done: Select Met

degenaro commented 4 days ago

Current status: [image]

degenaro commented 4 days ago

OpenSSF issue: The project MUST have evidence that the test_policy for adding tests has been adhered to in the most recent major changes to the software produced by the project.

Response: Evidence for assuring that the most recent release comprises tests for >= 80% of new code is by means of sonar passing, see https://github.com/oscal-compass/compliance-trestle/actions/runs/9910267487

PR: None

Done: Select Met