Skip to content
New issue

DESTF Milestone 4

Past due by 5 months 25% complete

Q1 2024 / Milestone 4

Workstream 1: Build OpenJS Project Security Programs

Activities

A. Perform outreach to identify existing security resources for each OpenJS Project
B. Establish minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
C. Develop JavaScript-specific d…

Q1 2024 / Milestone 4

Workstream 1: Build OpenJS Project Security Programs

Activities

A. Perform outreach to identify existing security resources for each OpenJS Project
B. Establish minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
C. Develop JavaScript-specific developer guidance for OpenSSF Best Practices Programs
D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs

Deliverables

Document: ONGOING UPDATES OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
Document: DRAFT Minimum Security Compliance Guidelines for New and Existing OpenJS Projects

Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

Activities

A. Engage OpenJS Projects to understand historical researcher disclosures and CVEs
B. Understand current vulnerability disclosure processes and challenges for OpenJS Projects
C. Develop CVD and CVE guidance for OpenJS Projects and ecosystem projects

Deliverables

Document: Reference of past CVEs and challenges for OpenJS Projects
Document: WORKING DRAFT Guidelines for CVD and CVEs for OpenJS Projects

Workstream 3: SBOMs in JavaScript

Activities

A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance

Deliverables

Document: IN PROGRESS Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs

Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

Activities

A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance

Deliverables

Document: ONGOING UPDATES Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
Document: IN PROGRESS Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems