ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Annotate maturity graphic with requirement ID's #46

Closed joshuagl closed 2 months ago

joshuagl commented 5 months ago

The maturity graphic is an excellent overview of the practices recommended at each maturity level. It could be even more useful for helping folks navigate and orient to the specification if the requirement IDs of the practices were indicated for each practice.

Further, I would recommend a stronger correlation between the text in the diagram and the requirement titles. I recognise why the diagram can't easily use the full text title, but perhaps the sentence used in the diagram could be the start of the title and bolded in the title in the requirements table? i.e., the diagram lists "Use public package managers" and the requirements title becomes "Use public package managers trusted by your organization (i.e. NuGet.org, npmjs.com, PyPi.org, etc.)".

Alternatively, the requirements table could be broken down into title + description + benefit, or the description moved into the benefit column, so that the title text matches the diagram exactly.

Finally, the graphic is missing the most recently added AUD-5.

joshuagl commented 5 months ago

I'd make the change myself and submit a PR, but I can't find the "source" from which the maturity diagram is generated.

joshuagl commented 5 months ago

Here's a (garishly) annotated copy of the diagram I used to help orient my own reading of the s2c2f spec:

(attached image: maturity-level-white-bkg)

adriandiglio commented 5 months ago

Hi @joshuagl , thanks for this feedback! Here is the proposed updated graphic. Does this work for you?

(attached image)

joshuagl commented 5 months ago

Thanks @adriandiglio ! AUD-5 is still missing from level 3, but otherwise this LGTM!

joshuagl commented 5 months ago

I just realised that AUD-5 was removed in #51, so this graphic looks complete. Thanks.

adriandiglio commented 5 months ago

Thanks Josh. We'll open a PR to add this graphic, and then close this Issue.

AUD-5 was actually added by accident, so we reversed that change. The community had decided that there were better ways to address that threat as captured at the conclusion of this Issue: https://github.com/ossf/s2c2f/issues/17#issuecomment-1736170808.

joshuagl commented 4 months ago

This graphic is great, please submit a PR to include it in the repo 😄

adriandiglio commented 2 months ago

Closed with PR