As a FINOS contributor, I want to access documentation to understand how FINOS security scanning works, how to set it up, and how to use it
Description
Acceptance Criteria
Activity
Pages published, documentation tasks completed, acceptance criteria are met
https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/75530440/WhiteSource
https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/WhiteSource+for+GitHub.com
/CC @Rob Underwood @James McLeod
@Peter Monks, apologies for the delay. We're working to prepare an RFC that would be aligned with our project pilot (currently on https://github.com/finos/cla-bot) and the WhiteSource bot's technical capabilities.
I hope to have the RFC ready by the end of the week, in the meantime, I'll reopen this issue.
Thanks for your interest, looking forward to receiving your valuable feedback, as soon as the RFC is ready!
@Maurizio Pillitu can you please open up the page referenced above? It’s currently restricted, so community members are unable to learn about or follow the new security scanning process.
@James McLeod, good point.
The goal of this issue is to deliver documentation that out community can consume in order to understand how our security scanning works, how to set it up and use it (updated issue title accordingly).
The issue is marked as resolved, as we have delivered this page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/DRAFT+WhiteSource+for+GitHub.com. I assume it will have to be updated every time we add or configure a new WhiteSource feature, and it will probably be improved during the rollout phase.
Feel free to review and edit the page, or drop a comment on the Wiki. For bigger changes, we can reopen this issue and track work here.
Hi @Maurizio Pillitu, let's discuss our definition of done to make sure all new features are documented and referenced in the ODP wiki.
Business Requirement: any Commit and Pull Request that is checked into a FINOS repository is scanned by CVS.
As a result of the investigation of new WhiteSource features for security scanning (see https://finosfoundation.atlassian.net/browse/ODP-81), the following tasks have been defined:
- Documentation on how to interact with the GitHub bot
  - Which languages and build systems are supported
  - What to expect when it runs the first time (a GitHub issue? a PR validation failure?)
  - How to check if/when the GitHub bot ran
  - How to notify the FINOS staff when a CVE is spotted (i.e. topics, and @ mentions to the finos-staff team)
  - Example of a FINOS project that uses the GitHub bot
- Documentation on how to set up the unified agent
  - How to set up Travis CI
  - When does the build fail? What gets logged in the build logs?
  - How to notify the FINOS staff when a CVE is spotted
  - Example of a FINOS project that uses the unified agent