Self_Assesment_CII
Jim Caffrey edited this page Sep 7, 2016 · 1 revision
Anomaly Detection Engine for Linux Logs (ADE) meets the minimum requirements of the Core Infrastructure Initiative (CII) badge. Below is the self-assessment against the criteria published at https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md as of 29 August 2016.
The following tables contain all of the MUST criteria, plus any SHOULD or SUGGESTED criteria that ADE meets.
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [homepage_url] | public website with a stable URL | meets https://developer.ibm.com/open/anomaly-detection-engine-for-linux-logs/ |
| [description_good] | describe what the software does in language that potential users can understand | meets http://openmainframeproject.github.io/ade/ |
| [interact] | information on how to: | meets http://openmainframeproject.github.io/ade/ |
| [contribution] | explain the contribution process | meets https://github.com/openmainframeproject/ade/wiki/How-to-contribute-to-ADE |
| [contribution_requirements] | SHOULD include the requirements for acceptable contributions | meets https://github.com/openmainframeproject/ade/wiki/How-to-contribute-to-ADE |
| [floss_license] | be licensed as FLOSS | meets GPL V3 license |
| [license_location] | post license(s) in a standard location | meets https://github.com/openmainframeproject/ade/blob/master/LICENSE |
| [documentation_interface] | include reference documentation that describes its interface | meets http://openmainframeproject.github.io/ade/ |
| [sites_https] | support HTTPS using TLS | meets - support provided by GitHub |
| [discussion] | have one or more mechanisms for discussion (including proposed changes and issues) that are: | meets - support provided by GitHub issue and pull request discussions |
| [English] | include documentation in English and be able to accept bug reports and comments about code in English | meets http://openmainframeproject.github.io/ade/ |
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [repo_public] | a version-controlled source repository that is publicly readable and has a URL | meets https://github.com/openmainframeproject/ade |
| [repo_track] | track what changes were made, who made the changes, and when the changes were made | meets - support provided by GitHub |
| [repo_interim] | MUST include interim versions for review between releases; it MUST NOT include only final releases | meets https://github.com/openmainframeproject/ade contains interim branches |
| [repo_distributed] | SUGGESTED that common distributed version control software be used | meets - support provided by GitHub |
| [version_unique] | have a unique version number for each release intended to be used by users | meets https://github.com/openmainframeproject/ade contains different releases following the SemVer format |
| [version_semver] | SUGGESTED that the Semantic Versioning (SemVer) format be used for releases | meets https://github.com/openmainframeproject/ade contains different releases following the SemVer format |
| [release_notes] | provide, in each release, release notes that are a human-readable summary of major changes in that release | meets https://github.com/openmainframeproject/ade/blob/master/README.md |
| [release_notes_vulns] | identify every publicly known vulnerability that is fixed in each new release | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [report_process] | provide a process for users to submit bug reports | meets https://github.com/openmainframeproject/ade - GitHub issue tracking used |
| [report_tracker] | use an issue tracker for tracking individual issues | meets https://github.com/openmainframeproject/ade - GitHub issue tracking used |
| [report_responses] | acknowledge a majority of bug reports submitted in the last 2-12 months | meets https://github.com/openmainframeproject/ade - see GitHub issue tracking |
| [enhancement_responses] | SHOULD respond to most enhancement requests in the last 2-12 months | meets https://github.com/openmainframeproject/ade - see GitHub issue tracking |
| [report_archive] | have a publicly available archive for reports and responses for later searching | meets https://github.com/openmainframeproject/ade - see GitHub issue tracking |
| [vulnerability_report_process] | publish the process for reporting vulnerabilities on the project site | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [vulnerability_report_private] | include how to send the information in a way that is kept private | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [vulnerability_report_response] | initial response time for any vulnerability report received in the last 6 months MUST be less than or equal to 14 days | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [build] | provide a working build system that can automatically rebuild the software from source code | meets http://openmainframeproject.github.io/ade/Installation.html |
| [build_common_tools] | SUGGESTED that common tools be used for building the software, for example Maven, Ant, cmake, the autotools, make, or rake | meets http://openmainframeproject.github.io/ade/Installation.html - uses Maven |
| [build_floss_tools] | SHOULD be buildable using only FLOSS tools | meets http://openmainframeproject.github.io/ade/Installation.html - uses Maven |
| [test] | have at least one automated test suite that is publicly released as FLOSS | meets https://github.com/openmainframeproject/ade |
| [test_policy] | have a general policy (formal or not) that as major new functionality is added, tests of that functionality SHOULD be added to an automated test suite | meets https://github.com/openmainframeproject/ade/wiki/How-to-contribute-to-ADE |
| [tests_are_added] | have evidence that such tests are being added in the most recent major changes to the project | meets https://github.com/openmainframeproject/ade - see additions to the regression test suite for Poesten Kill 1.0.2 |
| [tests_documented_added] | SUGGESTED that this policy on adding tests be documented in the instructions for change proposals | meets https://github.com/openmainframeproject/ade/wiki/How-to-contribute-to-ADE |
| [warnings] | enable one or more compiler warning flags, a "safe" language mode, or use a separate "linter" tool to look for code quality errors or common simple mistakes | meets: SonarQube is used to provide "lint"; see pull requests tagged with squid for examples of fixed SonarQube issues, https://github.com/openmainframeproject/ade/pulls?q=is%3Apr+is%3Aclosed |
| [warnings_fixed] | address warnings | meets: SonarQube is used to provide "lint"; see pull requests tagged with squid for examples of fixed SonarQube issues, https://github.com/openmainframeproject/ade/pulls?q=is%3Apr+is%3Aclosed |
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [know_secure_design] | have at least one primary developer who knows how to design secure software | meets |
| [know_common_errors] | know of common kinds of errors that lead to vulnerabilities in this kind of software, as well as at least one method to counter or mitigate each of them | meets |
| [crypto_published] | use by default only cryptographic protocols and algorithms that are publicly published and reviewed by experts | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [crypto_floss] | cryptography MUST be implementable using FLOSS | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [crypto_keylength] | use default key lengths that at least meet the NIST minimum requirements through the year 2030 | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [crypto_working] | MUST NOT depend on cryptographic algorithms that are broken | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [crypto_password_storage] | if passwords are stored for authentication of external users, the project MUST store them as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [crypto_random] | generate all cryptographic keys and nonces using a cryptographically secure random number generator, and MUST NOT do so using generators that are not cryptographically secure | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [delivery_mitm] | provide its materials using a delivery mechanism that counters man-in-the-middle (MITM) attacks | meets - support provided by GitHub |
| [vulnerabilities_fixed_60_days] | no unpatched vulnerabilities of medium or high severity that have been publicly known for more than 60 days | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| [no_leaked_credentials] | MUST NOT leak a valid private credential (e.g., a working password or private key) that is intended to limit public access | N/A - no cryptography used by ADE; no security-related function provided by ADE |
| Core Infrastructure Key | Description of criteria | ADE status and, when applicable, URL to web page that demonstrates compliance |
| --- | --- | --- |
| [static_analysis] | at least one static code analysis tool applied to any proposed major production release of the software before its release | meets: SonarQube is run for every pull request; for results see https://sonarqube.com/overview?id=ADE |
| [static_analysis_often] | SUGGESTED that static source code analysis occur on every commit or at least daily | meets: SonarQube is run for every pull request; for results see https://sonarqube.com/overview?id=ADE |