Open JillieBeanSim opened 2 years ago
As part of the CII efforts, we should also standardize on the way we call tree actions. From https://github.com/zowe/vscode-extension-for-zowe/pull/1821#discussion_r882602133
This document may help us go through the OpenSSF Best Practices https://ent.box.com/s/3uvtm4ooyovev1m2c8dichmsute1o1rt
Note: Edit it in Google Docs in order to view the checkboxes.
Here are some updates from today's TSC call (Dec 01, 2022)
There is no hard deadline on when the OMP and LFX require us to meet these requirements. "As long as we can demonstrate that we are making progress" they are ok with this.
The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix. The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive).
- The TSC has a general feeling that every squad is working towards this.
- We should continue to address new issues in every extended call whenever possible.

The project MUST have at least one primary developer who knows how to design secure software
- "It is ok to have only the security knowledge required by the component"
- It is in our best interest to have a few people take the free OpenSSF security courses
- https://openssf.org/training/courses/

Dynamic Code Analysis
- "Most of these items are suggestions"
- Having automated tests with a full range of inputs and a high level of code coverage should satisfy this criterion.

The build system for the software produced by the project MUST NOT recursively build sub-directories if there are cross-dependencies in the sub-directories
- This is mostly targeted for Makefiles calling other Makefiles.
- This does not prevent us from having a monorepo.

Coverage considerations
- We should continue to make progress towards this.
1946
1965
Regarding this criterion:
The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result.
It appears that rerunning the yarn package script twice in a row does not produce binary identical VSIX files, so we'll need to investigate this further.
https://ibm.box.com/s/kp8020daf4fdd1lvwkpx9j1v4n2pucma
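When two consecutive builds of a VSIX are not bit-for-bit identical, the first question is which entries differ and why (content, timestamps, permissions, entry order), since a VSIX is a plain zip archive. The following is an added example, not code from this issue or from the Zowe project: it compares two archives entry by entry and reports the reason for each difference. The two sample archives are constructed inline with a hypothetical extension layout and differ only in their embedded file timestamps, which is a common source of non-reproducible packaging.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """Whole-file hash; two reproducible builds must agree on this."""
    return hashlib.sha256(data).hexdigest()


def diff_archives(a: bytes, b: bytes) -> list[tuple[str, str]]:
    """Compare two zip-format archives (a VSIX is a zip) entry by entry.

    Returns a list of (entry_name, reason) for every difference found. An
    empty list means the archives agree at the entry level; the caller should
    still compare whole-file hashes, since zip headers can differ too.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        infos_a = {i.filename: i for i in za.infolist()}
        infos_b = {i.filename: i for i in zb.infolist()}

        # Entry order is part of the byte layout, so a reordering alone breaks reproducibility.
        if list(infos_a) != list(infos_b):
            findings.append(("<archive>", "entry order"))

        for name in sorted(infos_a.keys() - infos_b.keys()):
            findings.append((name, "only in first"))
        for name in sorted(infos_b.keys() - infos_a.keys()):
            findings.append((name, "only in second"))

        for name in sorted(infos_a.keys() & infos_b.keys()):
            ia, ib = infos_a[name], infos_b[name]
            if za.read(name) != zb.read(name):
                findings.append((name, "content"))
            if ia.date_time != ib.date_time:
                findings.append((name, "timestamp"))
            if ia.external_attr != ib.external_attr:
                findings.append((name, "permissions/attributes"))
            if ia.compress_type != ib.compress_type:
                findings.append((name, "compression method"))
    return findings


def build_sample_vsix(timestamp: tuple[int, int, int, int, int, int]) -> bytes:
    """Construct a small in-memory VSIX-like archive (constructed sample data,
    hypothetical extension layout) whose entries carry the given timestamp."""
    entries = [
        ("extension/package.json", b'{"name": "demo-extension", "version": "0.0.1"}'),
        ("extension/out/extension.js", b"exports.activate = function () {};\n"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Two "builds" with identical content but different embedded mtimes.
    first = build_sample_vsix((2020, 1, 1, 0, 0, 0))
    second = build_sample_vsix((2020, 1, 2, 0, 0, 0))
    print("whole-file hashes equal:", sha256_hex(first) == sha256_hex(second))
    for entry, reason in diff_archives(first, second):
        print(f"{entry}: {reason}")
```

Running it on two real VSIX files is a matter of reading them from disk and passing the bytes to `diff_archives`; a report consisting only of "timestamp" lines points at the packaging step stamping the current time into entries rather than at the compiled output itself, and that is the place to pin a fixed modification time before expecting identical hashes.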