Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Compliance check: automateDependencyManagement #109

Open
24 tasks
UlisesGascon opened this issue Dec 13, 2024 · 1 comment
Open
24 tasks

Add Compliance check: automateDependencyManagement #109

UlisesGascon opened this issue Dec 13, 2024 · 1 comment
Assignees
@UlisesGascon
Labels
compliance-checks discussion implementation-needed Priority-Group-14
Milestone
Include all the c...

Comments

@UlisesGascon
Copy link
Member

How the Check Works

Provide a clear definition based on the spreadsheet

Pending Tasks

You can find more details in the contributing guide

  • 1. Define a Good Implementation Example
    • Read the documentation (guidelines, best practices...)
    • Brainstorm how to implement this check (logic, alerts, tasks, validations, edge cases...).
    • Achieve an agreement on the implementation details before starting to work on this.
  • 2. Update Check Record Example
    • Update the compliance_checks row with the following fields: how_to_url, implementation_status, implementation_type and implementation_details_reference
    • Check the migration scripts using npm run db:migrate and npm run db:rollback
    • Update the database schema by running npm run db:generate-schema
  • 3. Implement the Business Logic Validator Example and Check Example
    • Add the specific validator in src/checks/validators/index.js
    • Add the check logic in src/checks/complianceChecks
    • Ensure that the check is in scope for the organization (use isCheckApplicableToProjectCategory)
    • Ensure that the severity value is well calculated (use getSeverityFromPriorityGroup)
    • Add the alert row in the compliance_checks_alerts table when is needed.
    • Add the task row in the compliance_checks_tasks table when is needed.
    • Add the result row in the compliance_checks_results table.
  • 4. Ensure It Works as Expected
    • Add new unit tests for the validator check.
    • Add new integration test cases for this check.
    • Verify that all tests are passing.
    • Run the command check run --name {check_code_name} and verify the changes in the database. Update the seed script if needed (npm run db:seed)
  • 5. Update the website Example
@UlisesGascon UlisesGascon self-assigned this Dec 13, 2024
@UlisesGascon
Copy link
Member Author

While in the repositories table we have the column dependabot_security_updates_status with values enabled or disabled. I believe that is better to use OSSF Scorecard table dependency_update_tool_score and dependency_update_tool_details as they cover more tools.

But this method won't cover other tooling like Socket.dev, also the check is not completed:

This check can determine only whether the dependency update tool is enabled; it does not ensure that the tool is run or that the tool's pull requests are merged.

I think that only if the project use dependabot we can get a good quality information, so I suggest to avoid create tasks/alerts... also this is a PG14. WDYT @ruddermann?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@UlisesGascon UlisesGascon

Labels
compliance-checks discussion implementation-needed Priority-Group-14
Projects
None yet
Milestone
Include all the compliance checks
Development

No branches or pull requests
1 participant
@UlisesGascon