Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Use CaseProcessToolsApplicability
1.) Existing Code
(Skeletons in the Closet)

Automated scan within build automation via Snyk CLI 

Scans of the published Docker images via Snyk  with notifications to SIR Team members / Snyk Administrators

Snyk

Community Bridge Advanced Snyk Reports

Clair

Scan automation occurs within the build - PR merge to master


2.) Code in Holding
(Analysis of code before it is accepted)

Submitter adds a DepShield banner to the README

Submitter includes scan findings from any of the recommended tools, for consideration as part of the code review

Submitter should include scan results which include consideration of compliance (license) as well as security vulnerability (e.g. CVE) data

Submitter should try to share the same relevant data as would be assessed within the context of a manual research process (e.g. paper study) so as to give the reviewers the complete view of what's being considered for inclusion within the project (e.g.  dependency project's age, popularity / maturity, evidence of security practices, recent commit / release history, diversity of committers, established security reporting practices or evidence of a process for reporting / addressing findings within the open source community, and any other observable evidence)

At a bare minimum, project dependencies can be assessed via any of the following: 

OpenHub

NVD Vulnerability Search,

Snyk CLI

Dependency-Check CLI

Nancy CLI (Sonatype)


When considering code that is under consideration for moving into the main EdgeX Foundry Org, out of holding


3.) Pull Request with new dependency

Submitter of a Pull Request (PR) will complete the Pull Request template to include any new changes that introduce dependency changes (e.g. imports or go module dependencies)

The standard Pull Request template includes a question that asks  - "Are there any new imports or modules? If so, what are they used for and why?"

Submitter of the PR will add a dependency label to the pull request.

If the dependency is security related, the submitter will add the security-review label to the PR so a member of the Security WG can help review.

Reviewers will see one of the changed files is go.mod.

Submitter should include scan results which include consideration of compliance (license) as well as security vulnerability (e.g. CVE) data, that can be reviewed by a Security WG member.

Note: Reviewers will see one of the changed files is go.mod for Go projects.

Pull Request Template with GitHub labels - dependency , security-review

Snyk 

Community Bridge Advanced Snyk Reports

Clair

For a PR with new dependencies, the submitter of the PR can assess the dependency using any one of the following: 

OpenHub

NVD Vulnerability Search

Snyk CLI

Dependency-Check CLI

Nancy CLI (Sonatype)

On a Pull Request, whenever there's a new dependency introduced as shown through changes to the go.mod


Note: the current Jenkins pipelines do not break the build if there is a compliance or security vulnerability finding within the build. 

Scans occur on merge to master only, not within the Pull Request build stage.

...