
Zowe CII Badge items for Zowe Explorer

Open JillieBeanSim opened this issue 2 years ago • 4 comments

https://ibm.box.com/s/kp8020daf4fdd1lvwkpx9j1v4n2pucma

JillieBeanSim avatar Mar 24 '22 16:03 JillieBeanSim

As part of the CII efforts, we should also standardize on the way we call tree actions. From https://github.com/zowe/vscode-extension-for-zowe/pull/1821#discussion_r882602133

zFernand0 avatar May 31 '22 11:05 zFernand0

This document may help us go through the OpenSSF Best Practices https://ent.box.com/s/3uvtm4ooyovev1m2c8dichmsute1o1rt

Note: Edit it in Google Docs in order to view the checkboxes.

zFernand0 avatar Oct 13 '22 15:10 zFernand0

Here are some updates from today's TSC call (Dec 01, 2022)

Note

There is no hard deadline on when the OMP and LFX require us to meet these requirements. "As long as we can demonstrate that we are making progress" they are ok with this.

Requirements Discussed

The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix. The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive).

  • The TSC has a general feeling that every squad is working towards this.
  • We should continue to address new issues in every extended call whenever possible.

The project MUST have at least one primary developer who knows how to design secure software

  • "It is ok to have only the security knowledge required by the component"
  • It is in our best interest to have a few people take the free OpenSSF security courses
    • https://openssf.org/training/courses/

Dynamic Code Analysis

  • "Most of these items are suggestions"
  • Having automated tests with a full range of inputs and a high level of code coverage should satisfy this criterion

The build system for the software produced by the project MUST NOT recursively build sub-directories if there are cross-dependencies in the sub-directories

  • This is mostly targeted for Makefiles calling other Makefiles
  • This does not prevent us from having a monorepo

Coverage considerations

  • We should continue to make progress towards this.
  • #1946
  • #1965

zFernand0 avatar Dec 01 '22 17:12 zFernand0

Regarding this criterion:

The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result.

It appears that rerunning the yarn package script twice in a row does not produce binary identical VSIX files, so we'll need to investigate this further.

t1m0thyj avatar Dec 01 '22 17:12 t1m0thyj
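An added example, not code from this thread or from the Zowe project: a Python checker that compares two VSIX archives (a VSIX is a zip file) entry by entry and reports whether the difference lies in file content, in zip metadata such as entry timestamps, or in entry order, which is the kind of classification that helps track down why two runs of a package script do not produce bit-for-bit identical output. The archives it builds are constructed in memory for illustration; `build_vsix` and `compare_vsix` are names assumed here.

```python
import hashlib
import io
import zipfile


def build_vsix(entries, date_time):
    """Construct an in-memory zip (a VSIX is a zip) from a name -> bytes mapping.

    A real VSIX would be produced by the package script; this constructed
    archive only exists so the comparison below can be demonstrated offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_vsix(a_bytes, b_bytes):
    """Classify why two VSIX archives differ (or confirm they are identical)."""
    findings = {
        "identical": _sha256(a_bytes) == _sha256(b_bytes),
        "only_in_a": [], "only_in_b": [],
        "content_diff": [], "metadata_diff": [], "order_diff": False,
    }
    with zipfile.ZipFile(io.BytesIO(a_bytes)) as za, zipfile.ZipFile(io.BytesIO(b_bytes)) as zb:
        names_a, names_b = za.namelist(), zb.namelist()
        # Same entries written in a different order still yield a different archive.
        findings["order_diff"] = set(names_a) == set(names_b) and names_a != names_b
        findings["only_in_a"] = sorted(set(names_a) - set(names_b))
        findings["only_in_b"] = sorted(set(names_b) - set(names_a))
        for name in sorted(set(names_a) & set(names_b)):
            ia, ib = za.getinfo(name), zb.getinfo(name)
            if _sha256(za.read(name)) != _sha256(zb.read(name)):
                findings["content_diff"].append(name)
            elif (ia.date_time, ia.external_attr, ia.compress_type) != (
                ib.date_time, ib.external_attr, ib.compress_type
            ):
                # Payload is identical; only zip header metadata (e.g. mtime) differs.
                findings["metadata_diff"].append(name)
    return findings
```

Running it against two real VSIX files means reading them from disk with `open(path, "rb").read()` and passing the bytes to `compare_vsix`.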