Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OpenSSF Best Practices Badge #14342

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add OpenSSF Best Practices Badge #14342

wants to merge 1 commit into from
+1 −0

Conversation

maennchen
Copy link
Member

@maennchen maennchen commented Mar 18, 2025
edited
Loading

Changes

  • Adds the passing badge to the README

Best Practices

I've filled out the form to the best of my knowledge, the answers can be seen here: https://www.bestpractices.dev/en/projects/10187

Approving this PR is also about making sure that the info there is correct.

Unmet SUGGESTED practices

For SUGGESTED best practices, we can decide to ignore them and still pass the badge. The following have been marked as UNMET:

  • test_most - It is SUGGESTED that the test suite cover most (or ideally all) the code branches, input fields, and functionality.

    We currently do not have any test coverage reporting, it would be good to add a coverage reporter to the setup. - I have started exploring this here: Test Coverage Reporting #14343

  • static_analysis_common_vulnerabilities - It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment.
    static_analysis_often - It is SUGGESTED that static source code analysis occur on every commit or at least daily.

    We're currently using dialyzer, as well as various small tools like shellcheck and markdown lint. But we're not employing any static analysis on the Erlang / Elixir code focused on security. While there is tools in the ecosystem, such as elvis, sobelow, credo etc. I'm not convinced that they would have an impact on this repository.

  • dynamic_analysis - It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release.
    dynamic_analysis_enable_assertions - It is SUGGESTED that the project use a configuration for at least some dynamic analysis (such as testing or fuzzing) which enables many assertions. In many cases these assertions should not be enabled in production builds.

    To my knowledge we're not employing any dynamic analysis tools, and I also can't think of one that would make sense to use.

@kikofernandez
Copy link

Erlang/OTP is on the same boat with static analysis for Erlang, except that we also use CodeChecker for C/C++ and dynamic analysis for the C/C++ parts (valgrind).

What you wrote seems reasonable to me, and I think enough to get the passing badge.

kikofernandez
kikofernandez approved these changes Mar 20, 2025
View reviewed changes
Copy link

@kikofernandez kikofernandez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me and reasonable.
Dialyzer is a good static analysis tool, not a type system, so that criteria is met.
Regarding Security coding tools, I only know of SAFE from Erlang Solutions and it is not free (AFAIK).

@maennchen maennchen marked this pull request as ready for review March 20, 2025 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kikofernandez kikofernandez kikofernandez approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@maennchen @kikofernandez