CII-Best-Practices for Nodejs: Gold level #956
Conversation
UlisesGascon
requested review from
fraxken,
mhdawson,
RafaelGSS,
marco-ippolito,
a team and
tniessen
|
@UlisesGascon overall a great pass though. One general suggestion is that we should probably include your comments on why met/unmet into what is landed as part of the PR versus just additional comments in the PR review? |
|
So the PR is back! Ready for review and feedback @nodejs/security . I added links to the documentation and the previous discussions. |
| Context: | ||
| - [CII Best Practices: Quality](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#upgrade-quality-1) | ||
|
|
||
| > The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. |
There was a problem hiding this comment.
Check if we met the 90% percentage.
There was a problem hiding this comment.
I've no idea if https://app.codecov.io/gh/nodejs/node is able to show statement coverage (it's showing line coverage).
https://github.com/nodejs/node/actions/workflows/coverage-linux.yml?query=branch%3Amain is reporting 95.5% statement coverage in the most recent run for JS code (via c8, see the "Report JS" twisty) but unfortunately no summary/easily readable numbers for the C++ code.
There was a problem hiding this comment.
I created this issue to follow up with the discussion. #1188
| - [CII Best Practices: Test Statement Coverage 90%](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/other.md#test_statement_coverage90) | ||
| - [Team Discussion](https://github.com/nodejs/security-wg/pull/956#discussion_r1307405014) | ||
|
|
||
| > The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. |
There was a problem hiding this comment.
I created this issue to follow up with the discussion. #1188
|
|
||
| ## Secured delivery against man-in-the-middle (MITM) attacks | ||
|
|
||
| > The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) |
There was a problem hiding this comment.
I created this issue to follow up with the discussion. #1190
|
@UlisesGascon could you summarize to us what's missing to conclude this initiative/pr? Just #1190? |
|
This seems like something that shouldn't ever go stale? |
Initiative: #953
Related: #955 and #1087
This pull request contains a dump of the current questions and answers for the Node.js project in OpenSSF Best Practices for Gold Level. The purpose is to review the current answers, update and comment on them until we have a final version, and then update the OpenSSF Best Practices site.