Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2019-04.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2019-03-30  2019-04-29
  Total Projects          2216        2296
  Projects 25%+            831         862
  Projects 50%+            683         709
  Projects 75%+            540         565
  Projects passing         273         285

Here are the projects that first achieved a passing badge in 2019-04:

  1. tpm2-tss at 2019-04-01 19:29:20 UTC
  2. vinyldns at 2019-04-03 02:01:25 UTC
  3. TySug at 2019-04-08 06:42:58 UTC
  4. cryptor at 2019-04-13 20:35:35 UTC
  5. PRoot at 2019-04-18 01:35:35 UTC
  6. OpenSwitch (OPX) at 2019-04-19 15:53:14 UTC
  7. java-html-sanitizer at 2019-04-20 19:43:45 UTC
  8. ONAP External API at 2019-04-23 08:58:41 UTC
  9. react-kentico-blog at 2019-04-25 14:46:02 UTC
  10. ONAP ESR (External System Register) at 2019-04-26 15:10:34 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2019-03.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2019-02-27  2019-03-30
  Total Projects          2170        2216
  Projects 25%+            811         831
  Projects 50%+            664         683
  Projects 75%+            527         540
  Projects passing         263         273

Here are the projects that first achieved a passing badge in 2019-03:

  1. scripts-common at 2019-03-03 01:10:16 UTC
  2. Yocto Project at 2019-03-06 18:29:56 UTC
  3. SPDX Tools at 2019-03-10 01:22:25 UTC
  4. prosody at 2019-03-14 21:19:56 UTC
  5. readme-inspector at 2019-03-15 21:23:57 UTC
  6. TiKV at 2019-03-19 18:02:58 UTC
  7. go-github at 2019-03-21 18:49:11 UTC
  8. Hyperledger Indy at 2019-03-21 20:26:32 UTC
  9. hexo-theme-next at 2019-03-23 16:45:49 UTC
  10. ONAP DCAE at 2019-03-26 20:19:47 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

CII Badge project - some recent URLs that discuss it

David A. Wheeler
 

If you’re curious about the current status of the badge project, I have a useful summary in the presentation “Core Infrastructure Initiative (CII) Best Practices Badge in 2019” (2019-03-14) - https://events.linuxfoundation.org/wp-content/uploads/2018/07/cii-bp-badge-2019-03.pdf . This was a presentation at the Linux Foundation's Open Source Leadership Summit 2019 in Half Moon Bay, CA.

 

The badging project was also mentioned in some other recent places:

* A Sample Security Assurance Case Pattern (2018) - https://www.ida.org/idamedia/Corporate/Files/Publications/IDA_Documents/ITSD/2019/P-9278.pdf – this discusses how to create secure software by applying an assurance case, and uses the Badge Application's assurance case as an example.

* FLOSS Weekly 522: Railroader - https://twit.tv/shows/floss-weekly/episodes/522 - primarily discussed the Railroader project (https://railroader.org), but it also touched on the continued progress of the CII Best Practices badge.

 

If you know of other places where the badging project is discussed, let us know, and/or update the Wiki page here:

https://github.com/coreinfrastructure/best-practices-badge/wiki/Publicity

 

Thanks!!

 

--- David A. Wheeler

 

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2019-02.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2019-01-30  2019-02-27
  Total Projects          2091        2170
  Projects 25%+            789         811
  Projects 50%+            645         664
  Projects 75%+            511         527
  Projects passing         249         263

Here are the projects that first achieved a passing badge in 2019-02:

  1. newspaper-server at 2019-02-03 15:34:04 UTC
  2. restgoose at 2019-02-05 15:57:57 UTC
  3. Awesome Framework at 2019-02-05 16:03:52 UTC
  4. trickster at 2019-02-12 02:05:14 UTC
  5. Jastacry at 2019-02-12 14:07:53 UTC
  6. jtools at 2019-02-16 02:58:49 UTC
  7. BlurWal at 2019-02-19 21:30:01 UTC
  8. TransmogrifAI at 2019-02-19 22:35:23 UTC
  9. Gitano at 2019-02-20 07:57:44 UTC
  10. NetSurf Browser at 2019-02-20 08:47:57 UTC
  11. js-data-structure at 2019-02-22 03:33:34 UTC
  12. drace at 2019-02-26 10:12:49 UTC
  13. LinuxTV at 2019-02-27 15:18:02 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

FYI: Rails upgrade for BadgeApp

David A. Wheeler
 

FYI: In our effort to keep the Best Practices Badge website running smoothly, we just upgraded from Rails 5.1 to Rails 5.2 (specifically version 5.2.2).

 

If you notice a problem, please let us know!!

 

Rails 6 will come out April 30 of 2019; at that time, Rails 5.1 will stop receiving guaranteed security updates.  So we really needed to upgrade at some point, and it’d be safer to do that now.  This required a few subtle changes, which were resolved.

 

Everything seems to be fine (so far) on the upgraded system.  We have a decent automated test suite; the test suite did detect some problems with a “naïve” upgrade, but we corrected those problems before we even merged it into our initial-test tier (“master”).  If desperate we can revert the running version & switch to a backup database, but hopefully it will never come to THAT :-).

 

--- David A. Wheeler

 

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2019-01.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2018-12-30  2019-01-30
  Total Projects          2041        2091
  Projects 25%+            770         789
  Projects 50%+            630         645
  Projects 75%+            497         511
  Projects passing         240         249

Here are the projects that first achieved a passing badge in 2019-01:

  1. landscapeapp at 2019-01-03 18:58:37 UTC
  2. BioCor at 2019-01-12 15:24:23 UTC
  3. svg-autocrop at 2019-01-13 00:36:53 UTC
  4. ticketguardian-python at 2019-01-15 23:36:27 UTC
  5. skipper at 2019-01-16 13:36:35 UTC
  6. PENTESTON at 2019-01-17 13:00:05 UTC
  7. TensorFlow at 2019-01-18 23:32:59 UTC
  8. SmartCar Shield at 2019-01-19 16:05:54 UTC
  9. busdater at 2019-01-20 06:44:03 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Re: C++ static analysis tools for CII badge

David A. Wheeler
 

Daniel Heckenberg:

> Daniel and David, you've both clarified the essential point: analysis tools detect errors or potentially error-prone code which only become identified vulnerabilities in larger contexts.  Most of the projects in the ASWF domain are used for making images, typically in environments that are not open to general network access or arbitrary inputs from untrusted users.  As far as I'm aware, there are no existing published vulnerabilities (e.g. CVSS scored examples) from these projects.  This is partly why our community seems to be struggling a little to know how to adhere to the spirit of the CII badging requirements.

Yes.  I hope it’s clear that if you don’t have any published vulnerabilities, fixing them takes zero time :-).

> So... we can't map CVSS medium and high to any specific set of analysis checks or even particular coding errors.

Right.  Whether or not a particular coding error is a medium or high vulnerability is very dependent on the intended use of the component, not just the kind of error it is.

> But we'd still like to be able to provide some good-practice examples of specific analysis configurations for our projects to follow.
> Looking at the curl example, and specifically the clang-tidy checks:
> https://github.com/curl/curl/blob/52e27fe9c6421d36337c0b69df6ca2b3b2d72613/src/Makefile.am#L145
> This appears to be just running the default set of clang-tidy checks with a few globally disabled to avoid false positives.  Similarly, the lgtm config seems to be just the default.  These would be very easy to add for our projects.  Is this a reasonable setup to guide our community?

Yes, that’d be just fine.  In the criterion “static_analysis” we even list some similar tools as examples (e.g., SpotBugs, FindBugs, lintr, and goodpractice).

It’s really hard to give specific guidance for checks.  Different languages are often best handled by different tools.  There’s also always a trade-off of how far to configure checkers: if you turn them up too much & too quickly you get flooded by reports.  What you should do is set up at least one checker, and then slowly increase the rigor it enforces.  Adding more checkers over time, and gradually increasing their pickiness, is far more practical than trying to turn on everything at once (unless you’re a brand new project).  The static analysis criterion is focused on making sure you’ve at least started down that path; once you have *some* tools in place, it’s a lot easier to gradually increase what they check.

Criterion “static_analysis_common_vulnerabilities” SUGGESTs that at least one be used to look for common vulnerabilities.  But this is SUGGESTed, not a MUST or SHOULD; there is a long list of reasons that it might not be worth it for your project.

Let me know if you have other questions!

--- David A. Wheeler
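
An added example (mine, not code from curl, the badge project or clang-tidy) of the "start with one checker, then tighten it gradually" approach David describes above and the "default checks with a few disabled" setup Daniel asks about: a small baseline "ratchet" that takes clang-tidy's output, fails CI only on findings not already recorded in a committed baseline, and lists findings that have gone away so the baseline can shrink. Widening the enabled check set (clang-tidy's -checks= option) then only has to pass the new-findings gate once, after which the new findings are in the baseline. It assumes clang-tidy's default diagnostic line format (path:line:col: warning: message [check-name]); the sample diagnostics, file names and messages embedded below are constructed for illustration and are not real output from any project.

```python
"""
Baseline "ratchet" for clang-tidy findings: fail CI only on findings that are
not already recorded in a committed baseline, and report findings that have
disappeared so the baseline can be shrunk. Added example; not code from curl,
the CII badge project, or clang-tidy itself.

Assumed workflow (not any project's actual CI):
    clang-tidy -p build src/*.c 2>/dev/null | python ratchet.py tidy-baseline.txt
    clang-tidy -p build src/*.c 2>/dev/null | python ratchet.py tidy-baseline.txt --update
"""
import re
import sys
from typing import NamedTuple, Set

# Assumed diagnostic header format (clang-tidy's default text output):
#   path:line:col: warning: message [check-name]
# The source-context and caret lines that follow each header do not match.
DIAG_RE = re.compile(
    r"^(?P<path>[^:\s][^:]*):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<level>warning|error): (?P<msg>.*?) \[(?P<check>[\w\-.,]+)\]$"
)


class Finding(NamedTuple):
    path: str
    check: str
    msg: str


def parse_findings(output: str) -> Set[Finding]:
    """Extract findings, deliberately dropping line and column so that
    unrelated edits higher up in a file do not turn an old finding into a
    'new' one. Identical findings in one file collapse into one, which is
    fine for a gate that only has to answer 'is there anything new?'."""
    found: Set[Finding] = set()
    for raw in output.splitlines():
        m = DIAG_RE.match(raw.strip())
        if m:
            found.add(Finding(m["path"], m["check"], m["msg"]))
    return found


def new_findings(baseline_output: str, current_output: str) -> Set[Finding]:
    """Findings present now that the baseline does not know about."""
    return parse_findings(current_output) - parse_findings(baseline_output)


def fixed_findings(baseline_output: str, current_output: str) -> Set[Finding]:
    """Baseline findings that no longer occur (candidates for removal)."""
    return parse_findings(baseline_output) - parse_findings(current_output)


def gate(baseline_output: str, current_output: str) -> int:
    """Exit status for CI: 0 if nothing new, 1 if at least one new finding."""
    new = new_findings(baseline_output, current_output)
    for f in sorted(new):
        print(f"NEW: {f.path}: {f.msg} [{f.check}]", file=sys.stderr)
    for f in sorted(fixed_findings(baseline_output, current_output)):
        print(f"FIXED (remove from baseline): {f.path} [{f.check}]", file=sys.stderr)
    return 1 if new else 0


# Constructed sample output for illustration; not real clang-tidy output.
# The strcpy finding moved from line 120 to 134 between the two runs and
# must NOT count as new; the malloc finding is genuinely new.
BASELINE_SAMPLE = """\
src/url.c:120:5: warning: Call to function 'strcpy' is insecure [clang-analyzer-security.insecureAPI.strcpy]
    strcpy(buf, input);
    ^
src/cookie.c:88:9: warning: Value stored to 'rc' is never read [clang-analyzer-deadcode.DeadStores]
"""

CURRENT_SAMPLE = """\
src/url.c:134:5: warning: Call to function 'strcpy' is insecure [clang-analyzer-security.insecureAPI.strcpy]
src/url.c:201:12: warning: Potential memory leak [clang-analyzer-unix.Malloc]
"""


def main(argv) -> int:
    if len(argv) < 2:
        print(__doc__, file=sys.stderr)
        return 2
    baseline_path, update = argv[1], "--update" in argv[2:]
    current = sys.stdin.read()
    if update:
        with open(baseline_path, "w", encoding="utf-8") as fh:
            fh.write(current)
        return 0
    try:
        with open(baseline_path, encoding="utf-8") as fh:
            baseline = fh.read()
    except FileNotFoundError:
        baseline = ""  # first run: everything is new until a baseline is committed
    return gate(baseline, current)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keying the baseline on (path, check, message) rather than on line numbers is what keeps the gate quiet while the file is edited; the cost is that a second identical finding in the same file is invisible until the first one is fixed, which is an acceptable trade for a gate whose only job is to stop regressions while the enabled check set grows.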

Re: C++ static analysis tools for CII badge

Daniel Heckenberg
 

Thanks again for the very helpful replies!

Daniel and David, you've both clarified the essential point: analysis tools detect errors or potentially error-prone code which only become identified vulnerabilities in larger contexts.  Most of the projects in the ASWF domain are used for making images, typically in environments that are not open to general network access or arbitrary inputs from untrusted users.  As far as I'm aware, there are no existing published vulnerabilities (e.g. CVSS scored examples) from these projects.  This is partly why our community seems to be struggling a little to know how to adhere to the spirit of the CII badging requirements.

So... we can't map CVSS medium and high to any specific set of analysis checks or even particular coding errors.  But we'd still like to be able to provide some good-practice examples of specific analysis configurations for our projects to follow. 

Looking at the curl example, and specifically the clang-tidy checks:
https://github.com/curl/curl/blob/52e27fe9c6421d36337c0b69df6ca2b3b2d72613/src/Makefile.am#L145

This appears to be just running the default set of clang-tidy checks with a few globally disabled to avoid false positives.  Similarly, the lgtm config seems to be just the default.  These would be very easy to add for our projects.  Is this a reasonable setup to guide our community?

Thanks!
Daniel

Re: C++ static analysis tools for CII badge

David A. Wheeler
 

On Thu, 10 Jan 2019, Daniel Heckenberg wrote:
> A very specific CII badge aspect is that detection and timely remedy of CVSS
> v2 medium and high severity issues is required.  coverity seems to
> have a report generator which performs this, but I haven't seen any
> direct or automatic way to map other C/C++ analysis tool outputs to
> CVSS scores.  How is this usually done?

Daniel Stenberg:
> I don't know about "usually", but I can tell you how we do it in curl (which incidentally also matches what I see in several other C/C++ projects).
> In the curl project we run several static code analyzers, fuzzers etc on the code *before release* and we fix the issues we find, meaning that whatever these tools find never typically cause any CVSS scores at all. We fix those problems before release.
> The security flaws we do get reported are thus typically found by others (or tests that run outside of our CI infra) or by our own developers on released code. They're not issued automatically by anyone and they're received and dealt with by humans.

I think that is the usual case. Use tools & tests so potential problems can be found & fixed before release. Since they aren't in a release, those potential problems do not normally get CVSS scores. Nowadays people often make continuous changes to a git master branch, and then use various ways to release it (put it in a package manager distro, tag it, and/or merge it into a production branch).

If a vulnerability is found in a *released* version of the software, organizations like NIST typically do the CVSS scoring for you. You can also calculate the CVSS score yourself; the CVSS base score is easy to figure out. The reason the criteria use the CVSS score is to ensure that at least the *important* vulnerabilities get fixed relatively quickly once they are known publicly, to reduce the risk to people using that software.

One point that may not be obvious: tool findings are not necessarily vulnerabilities. Many tools are based on heuristics, and they do not "know" the larger environment & expectations.

Hope that helps!

--- David A. Wheeler

Re: C++ static analysis tools for CII badge

Daniel Stenberg
 

On Thu, 10 Jan 2019, Daniel Heckenberg wrote:
> A very specific CII badge aspect is that detection and timely remedy of CVSS v2 medium and high severity issues is required.  coverity seems to have a report generator which performs this, but I haven't seen any direct or automatic way to map other C/C++ analysis tool outputs to CVSS scores.  How is this usually done?

I don't know about "usually", but I can tell you how we do it in curl (which incidentally also matches what I see in several other C/C++ projects).

In the curl project we run several static code analyzers, fuzzers etc on the code *before release* and we fix the issues we find, meaning that whatever these tools find never typically cause any CVSS scores at all. We fix those problems before release.

The security flaws we do get reported are thus typically found by others (or tests that run outside of our CI infra) or by our own developers on released code. They're not issued automatically by anyone and they're received and dealt with by humans.

--

/ daniel.haxx.se

Re: C++ static analysis tools for CII badge

Daniel Heckenberg
 

Thanks for the informative replies, Daniel and Kevin.

I'd also seen the current outage with coverity -- hopefully that is resolved soon.
lgtm looks appealing and may be suitable for our projects.  

A very specific CII badge aspect is that detection and timely remedy of CVSS v2 medium and high severity issues is required.  coverity seems to have a report generator which performs this, but I haven't seen any direct or automatic way to map other C/C++ analysis tool outputs to CVSS scores.  How is this usually done?

Thanks,
Daniel

Re: C++ static analysis tools for CII badge

Daniel Stenberg
 

On Wed, 9 Jan 2019, Daniel Heckenberg wrote:
> Are there any existing resources that demonstrate an automated static analysis of C++ code for CII badge requirements?  I'm hoping for something like a specific set of clang-tidy checks that covers the CVSS v2 medium and high severity vulnerabilities.

In the curl project (which is C, not C++) we run clang-tidy on every commit/PR using travis [1] (search for "tidy") and analyze it using lgtm [2]. That's pretty easy to set up.

It can be noted that coverity is in my experience the undisputed leader of the static code analyzers for C/C++ - but it isn't free. They offer a gratis service to scan code as a service for open source, but that's not suitable for on-every-commit runs, and since a few days ago the service "unexpectedly ceased operations", so we'll have to see where that goes in the future... It would be a hard blow to open source everywhere if it goes away.

[1] = https://github.com/curl/curl/blob/master/.travis.yml
[2] = https://github.com/curl/curl/blob/master/.lgtm.yml

--

/ daniel.haxx.se

Re: C++ static analysis tools for CII badge

Kevin W. Wall
 

On Wed, Jan 9, 2019 at 3:24 PM Daniel Heckenberg
<@dheck> wrote:

> Hello!
>
> Are there any existing resources that demonstrate an automated static analysis
> of C++ code for CII badge requirements? I'm hoping for something like a
> specific set of clang-tidy checks that covers the CVSS v2 medium and high
> severity vulnerabilities.
>
> Background:
> I'm the current chair of the TAC for the recently formed Academy Software Foundation
> https://www.aswf.io/
> We're hoping to assist our projects to achieve CII badges by providing
> examples of static analysis for C++ projects that can be incorporated in
> normal build processes, as well as our CI systems.

Daniel,

The DHS SWAMP (https://www.dhs.gov/science-and-technology/csd-swamp)
might have some things. I recall talking to Kevin Greene (BCC'd) at an
AppSec USA conference maybe 3 or 4 years ago and I seem to recall that
they had some stuff for C and C++. Not sure if / how well it supports
Continuous Integration though. (Also, I'm not sure that Kevin is still
at DHS, but if he is, perhaps he will reply to you.)

On the commercial side, there are things like Microfocus' Fortify,
which is a SAST tool that does a pretty good job identifying lots of
vulnerabilities in both C and C++. It's a mature product and I have
used it for some sizeable (5M LOC) C++ projects.

Hope that helps.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

C++ static analysis tools for CII badge

Daniel Heckenberg
 

Hello!

Are there any existing resources that demonstrate an automated static analysis of C++ code for CII badge requirements?  I'm hoping for something like a specific set of clang-tidy checks that covers the CVSS v2 medium and high severity vulnerabilities.  

Background:
I'm the current chair of the TAC for the recently formed Academy Software Foundation 
https://www.aswf.io/  
We're hoping to assist our projects to achieve CII badges by providing examples of static analysis for C++ projects that can be incorporated in normal build processes, as well as our CI systems.  

Thanks!
Daniel

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2018-12.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2018-11-29  2018-12-30
  Total Projects          1996        2041
  Projects 25%+            754         770
  Projects 50%+            617         630
  Projects 75%+            485         497
  Projects passing         234         240

Here are the projects that first achieved a passing badge in 2018-12:

  1. Gardener at 2018-12-07 06:50:43 UTC
  2. go-lachesis at 2018-12-19 07:53:32 UTC
  3. Zowe - OpenSource for z/OS at 2018-12-20 14:54:45 UTC
  4. vipster at 2018-12-20 17:17:57 UTC
  5. ONAP SO at 2018-12-27 13:21:13 UTC
  6. kangaru at 2018-12-29 18:59:18 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

StackStorm got a passing badge... and made it clear that some people care about badges

David A. Wheeler
 

All: StackStorm received a passing badge earlier this year. I had an interaction with them that you might find interesting - in particular, it shows that there are people who care whether or not projects get badges.

First, some context. StackStorm (aka "IFTTT for Ops") is an "event-driven automation for auto-remediation, security responses, troubleshooting, deployments, and more. Includes rules engine, workflow, 2000+ integrations (see https://exchange.stackstorm.org), ChatOps, etc." It is part of the Cloud Native Computing Foundation (CNCF) landscape. They have a passing badge (congrats to them!), which you can see here:
https://bestpractices.coreinfrastructure.org/en/projects/1833
More (general) info about StackStorm is here:
https://stackstorm.com/

However, there was a bug in the CNCF landscape site (a dashboard site that aggregates data including CII badge status). As a result, even though StackStorm had a passing badge, at least recently the badge wasn't being displayed by the CNCF landscape site:
https://landscape.cncf.io/selected=stack-storm

That's now been fixed at the CNCF site, so they're correctly pulling in the badge status. Once the problem was reported, it was determined to be a minor bug in the landscape site and was fixed very quickly. I should note that the CII Best Practices badge site is specifically written to support external queries of project badge status, so this is exactly the kind of thing we encourage.

One of the more *interesting* things I learned, because of this bug, was that StackStorm reported some users had just been recently asking about their badge status, and as a result it *mattered* to them that their badge status wasn't showing up correctly in a dashboard. I think that's awesome - it shows that there are people who care about whether or not projects get a badge.

I thought that was promising... and I hope you do too. And again, congrats to StackStorm!

--- David A. Wheeler

Over 2000 projects now participating in the CII Best Practices badge!

David A. Wheeler
 

We’ve hit a milestone – we now have over 2000 projects participating in the CII Best Practices badge!  You can see the statistics here:

https://bestpractices.coreinfrastructure.org/en/project_stats

 

My sincere thanks to everyone!

 

--- David A. Wheeler

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2018-11.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2018-10-30  2018-11-29
  Total Projects          1936        1996
  Projects 25%+            731         754
  Projects 50%+            599         617
  Projects 75%+            470         485
  Projects passing         223         234

Here are the projects that first achieved a passing badge in 2018-11:

  1. Sidecar Forward Proxy at 2018-11-02 09:56:02 UTC
  2. Sidecar Reverse Proxy at 2018-11-02 10:02:44 UTC
  3. portage-overlay at 2018-11-11 17:07:47 UTC
  4. Machinae at 2018-11-13 19:50:47 UTC
  5. bidict at 2018-11-17 22:09:25 UTC
  6. lamw at 2018-11-21 04:26:53 UTC
  7. pade at 2018-11-21 04:27:17 UTC
  8. aurora at 2018-11-25 08:04:46 UTC
  9. excelize at 2018-11-25 09:07:22 UTC
  10. Horovod at 2018-11-28 21:37:16 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

"Introduction to the CII best practices badge" video now posted to Youtube!

David A. Wheeler
 

There's a new video on Youtube, "Introduction to the CII best practices badge", at:

https://youtu.be/JMptmhV06j8

As you can probably guess, it provides a brief (11 1/2 minute) introduction/overview about the badging project. Most people on this list know much more, but several people have commented that it'd be really useful to have a relatively short video that explains it. That was a great comment, so here's a solution!!

--- David A. Wheeler

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2018-10.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

  Ending dates      2018-09-29  2018-10-30
  Total Projects          1889        1936
  Projects 25%+            718         731
  Projects 50%+            588         599
  Projects 75%+            459         470
  Projects passing         208         223

Here are the projects that first achieved a passing badge in 2018-10:

  1. Citizen Intelligence Agency at 2018-10-01 19:21:49 UTC
  2. Open vSwitch at 2018-10-03 16:52:35 UTC
  3. karma-simple at 2018-10-03 23:31:29 UTC
  4. abydos at 2018-10-08 08:49:50 UTC
  5. libwebsockets at 2018-10-08 11:31:23 UTC
  6. ONAP Model Loader at 2018-10-10 10:00:53 UTC
  7. etlegacy at 2018-10-10 10:06:44 UTC
  8. ONAP Babel at 2018-10-10 10:08:04 UTC
  9. DataExplorer at 2018-10-19 02:48:07 UTC
  10. cri-o at 2018-10-21 16:54:40 UTC
  11. cilium at 2018-10-22 07:41:37 UTC
  12. grpc at 2018-10-22 23:01:54 UTC
  13. ONAP DMaaP Data-Router at 2018-10-23 13:04:30 UTC
  14. ONAP AAF (Application Authorization Framework) at 2018-10-24 15:33:51 UTC
  15. ONAP DMaaP Buscontroller at 2018-10-24 16:45:25 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!