As FINOS contributor, I want to access documentation to understand how FINOS security scanning works, how to set it up and use it

Description

Business Requirement: any Commit and Pull Request that is checked into a FINOS repository is scanned by CVS.

As a result of the investigation of new WhiteSource features for security scanning (see https://finosfoundation.atlassian.net/browse/ODP-81#icft=ODP-81), the following tasks have been defined:

Documentation on how to interact with GitHub bot
- Which languages and build systems are supported
- What to expect when it runs the first time (a github issue? a PR validation failure?)
- How to check if/when the GitHub bot run
- How to notify the FINOS staff when a CVE is spotted (ie topics, and @ mentions to finos-staff team)
Example of a FINOS project that uses the GitHub bot
- Documentation on how to setup the unified agent
- How to setup Travis CI
- When does the build fail? What gets logged in the build logs?
- How to notify the FINOS staff when a CVE is spotted
- Example of a FINOS project that uses the unified agent

Acceptance Criteria

None

Activity

Show:

Maurizio Pillitu

November 13, 2019 at 8:53 AM

(edited)

Pages published, documentation tasks completed, acceptance criteria are met

/CC @Rob Underwood @James McLeod

Maurizio Pillitu

November 5, 2019 at 9:07 AM

@Peter Monks, apologies for the delay, we're working to prepare an RFC that would be aligned with our project pilot (currently on https://github.com/finos/cla-bot) and the WhiteSource bot technical capabilities.

I hope to have the RFC ready by the end of the week, in the meantime, I'll reopen this issue.

Thanks for your interest, looking forward to receiving your valuable feedback, as soon as the RFC is ready!

Peter Monks

November 1, 2019 at 7:11 PM

@Maurizio Pillitu can you please open up the page referenced above? It’s currently restricted, so community members are unable to learn about or follow the new security scanning process.

Maurizio Pillitu

September 17, 2019 at 12:21 PM

(edited)

@James McLeod, good point.

The goal of this issue is to deliver documentation that out community can consume in order to understand how our security scanning works, how to set it up and use it (updated issue title accordingly).

The issue is marked as resolved, as we have delivered this page - https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/DRAFT+WhiteSource+for+GitHub.com ; I assume it will have to be updated every time we add or configure a new WhiteSource feature, and will be probably improved during the rollout phase.

Feel free to review and edit the page, or drop a comment on the Wiki. For bigger changes, we can reopen this issue and track work here.

James McLeod

September 13, 2019 at 1:22 PM

Hi @Maurizio Pillitu - Lets discuss our definition of done to make sure all new features are documented and referenced in the ODP wiki.

Resize issue view side panel

Unresolved

Details

Assignee

Maurizio Pillitu

Reporter

Maurizio Pillitu

Story Points

Priority

Medium

Labels

Created July 11, 2019 at 11:28 AM

Updated November 14, 2019 at 9:29 AM