Code Validation
- Maurizio Pillitu
- Peter Monks
Warning
This page is now hosted on https://odp.finos.org/docs/development-infrastructure/code-validation/intro
Security vulnerabilities responsible disclosure
Read the FINOS security vulnerabilities responsible disclosure document to know how security incidents are managed across FINOS projects. Use WhiteSource to configure your FINOS project for automated scanning.
In order to assess Security, Quality and /wiki/spaces/FINOS/pages/75530375 of software hosted by the Foundation, project leads and committers can configure integrations with third-party systems that are provided by the Foundation; the result of these processes can be published in the project's documentation to improve the final consumer experience and when /wiki/spaces/FINOS/pages/75530376.
Below is the list of code validation systems currently available, ordered by features and languages supported.
Below is a matrix of features and languages.
Below is the list of validation tools currently documented by the Foundation.
Project compliance scan
Work in progress
We are working to align these checks with our Project Support Guidelines, read more on https://github.com/finos/open-developer-platform/issues/107
FINOS have developed a tool that scans all the GitHub repositories across all FINOS orgs and generates a report based on the following quality and compliance validations:
has-admin- One or more admin collaborators were found in this GitHub repository. FINOS Governance doesn't allow GitHub users to have Admin rights on repositories, therefore it must be removed.has-user- One or more user collaborators were found in this GitHub repository. FINOS Governance only allows GitHub users to be added via Teams. Please remove it, therefore it must be removed.disabled-issues- This GitHub repository does not have GitHub Issues enabled; make sure that there is a documented way to submit questions, feature requests and other communications to the project team.no-teams- This GitHub repository does not grant permissions to any FINOS Team, although it should be configured to grant access to the program and project specific teams defined in https://github.com/orgs/finos/teams. Please email help@finos.org and coordinate changes to the repository access permissions.no-issue-templates- This GitHub repository does not use issue templates; please check the issue template blueprints.no-contributing-CONTRIBUTING.mdfile is missing; check the CONTRIBUTING.md template.no-code-conduct-CODE_OF_CONDUCT.mdfile is missing; check the CODE_OF_CONDUCT.md template.notice-nok-NOTICEfile is incomplete; check line 4 of the NOTICE template.no-notice-NOTICEfile is missing; check the NOTICE template.no-readme-README.mdfile is missing; check the README.md template.no-description- This GitHub repository does not have a general description defined; theEditbutton is seen when on the repositories main page, which is theCodetab.is-archivable- This repository belongs to project{{project-name}}which is archived, therefore the GitHub repository is expected to be archived too. @finos-staff will get in touch with the project lead to sort it out.readme-nok-README.mdfile is incomplete; check the README.md template and make sure that## Contributingand## Licensesections exist.no-badge-README.mdfile is missing the FINOS badge; check the README.md template and make sure that it embeds one of SVG FINOS badges.wrong-badge- Our internal records state that this project is in {{project-state}} state, whereasREADME.mdstates{{readme-state}}; make sure thatREADME.mdembeds the right FINOS badge." :repo-not-on-file "We don't have this repository on file. We will fix this issue on our side as soon as possible and keep you posted.no-whitesource- WhiteSource configuration was not found; make sure that dependencies are scanned against security vulnerabilities. Read more on the WhiteSource Wiki page.
Code is publicly available on https://github.com/finos/metadata-tool, the command to invoke is check-project-repos.
Reporting via GitHub Issues
In order to deliver these reports directly to the teams, the Open Developer Platform have developed a GitHub Action that uses metadata-tool to generate the project reports and submits a GitHub Issue for each GitHub repository where validation problems were spotted; the issue will include a detailed description of the validation done and point the reader on how to resolve it.
This is an example of auto-generated issue for project compliance.
GitHub Action can be found in the ODP GitHub repo.
Ignoring validations
There may be corner cases, for example repositories that contain data don't need whitesource integration. In those cases, it is possible to define a .finos-blueprint.json file in the root folder, with the following structure:
{"ignore" : [
"no-whitesource",
"readme-nok"
]
}
Exporting to CSV
Here's a useful command to transform the metadata-tool JSON output in CSV.
cat finos-repo-validation.json| jq -r '.[] | [.org, .["repo-name"], .validations["has-admin"], .validations["has-user"], .validations["no-teams"], .validations["no-issues"], .validations["no-issue-templates"], .validations["no-contributing"], .validations["no-code-conduct"], .validations["notice-nok"], .validations["no-notice"], .validations["no-readme"], .validations["no-description"], .validations["is-archivable"], .validations["readme-nok"], .validations["no-badge"], .validations["wrong-badge"], .validations["repo-not-on-file"], .validations["no-whitesource"]] | @csv'
Need help? Email help@finos.org we'll get back to you.
Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.