
Annotate maturity graphic with requirement ID's

Open joshuagl opened this issue 1 year ago • 6 comments

The maturity graphic is an excellent overview of the practices recommended at each maturity level. It could be even more useful for helping folks navigate and orient to the specification if the requirement IDs of the practices were indicated for each practice.

Further, I would recommend a stronger correlation between the text in the diagram and the requirement titles. I recognise why the diagram can't easily use the full text title, but perhaps the sentence used in the diagram could be the start of the title and bolded in the title in the requirements table? i.e., the diagram lists "Use public package managers" and the requirements title becomes "Use public package managers trusted by your organization (i.e. NuGet.org, npmjs.com, PyPi.org, etc.)".

Alternatively, the requirements table could be broken down into title + description + benefit, or the description moved into the benefit column, so that the title text matches the diagram exactly.

Finally, the graphic is missing the most recently added AUD-5.

joshuagl, Apr 09 '24 11:04

I'd make the change myself and submit a PR, but I can't find the "source" from which the maturity diagram is generated.

joshuagl, Apr 09 '24 11:04

Here's a (garishly) annotated copy of the diagram I used to help orient my own reading of the s2c2f spec: [image: maturity-level-white-bkg]

joshuagl, Apr 09 '24 11:04

Hi @joshuagl, thanks for this feedback! Here is the proposed updated graphic. Does this work for you? [image]

adriandiglio, Apr 10 '24 20:04

Thanks @adriandiglio! AUD-5 is still missing from level 3, but otherwise this LGTM!

joshuagl, Apr 10 '24 20:04

I just realised that AUD-5 was removed in #51, so this graphic looks complete. Thanks.

joshuagl, Apr 22 '24 16:04

Thanks Josh. We'll open a PR to add this graphic, and then close this Issue.

AUD-5 was actually added by accident, so we reversed that change. The community had decided that there were better ways to address that threat as captured at the conclusion of this Issue: https://github.com/ossf/s2c2f/issues/17#issuecomment-1736170808.

adriandiglio, Apr 22 '24 17:04

This graphic is great, please submit a PR to include it in the repo 😄

joshuagl, Jun 04 '24 09:06

Closed with PR

adriandiglio, Jul 16 '24 19:07