I intend to allow "OWASP Juice Shop" badge to stand (project 223)

David A. Wheeler
 

The OWASP Juice Shop project has (after some time) gotten a badge, and I plan to let their application stand:

  https://bestpractices.coreinfrastructure.org/projects/223

 

This is an odd project for the badging application, because it is an *intentionally* insecure webapp, designed for security training.  You could certainly argue that it shouldn’t have a badge *because* it has known vulnerabilities that won’t be fixed (since that is its purpose).  They certainly had to provide extra text for some of the project justifications :-).

 

However, in *context* I think it’s fine.  The project badge entry, and the project page itself, make it immediately clear that this is an “intentionally insecure webapp” – and thus the security expectations are different for it.  I understand from the description that they intend to leave vulnerabilities that are supposed to be there, and fix vulnerabilities that are not supposed to be there (or document them so that they're supposed to be there too).  That means they still have to deal with vulnerability reports... it’s just that what they count as a vulnerability is a little different :-).

 

In a broad sense this project helps our mission too, because we're all trying to help develop more secure software.  It’s very unlikely someone would field this project for “real” work (since it’s known to be vulnerable), so these vulnerabilities are unlikely to cause serious harm.  Indeed, the presence of these vulnerabilities should help train people.  Most industries have a variety of test objects & training materials that help people meet various objectives, and I think this project fits into that category.

 

I didn’t want people to think I’d ignored this issue, though.  If you have very strong objections, please let me know.

 

--- David A. Wheeler

 

Https links are not accepted in CII badging

Seshu m <seshu.kumar.m@...>
 

Hi

 

I am finding an issue while trying to update the https link in the CII badging for the following project:

 

https://bestpractices.coreinfrastructure.org/en/projects/1702

 

Under the section,

The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.

 

When we provide an https link (or keep it blank), the website throws an error:

 

// Given an http: URL.

               

 

This is affecting the score of the CII badging for the ONAP SO project; I request help resolving the issue.

 


Best regards

Seshu Kumar M

Huawei Technologies India Pvt, Ltd.


This e-mail and its attachments contain confidential information from HUAWEI, which
is intended only for the person or entity whose address is listed above. Any use of the
information contained herein in any way (including, but not limited to, total or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!

 

German translation for BadgeApp complete!

David A. Wheeler
 

A big “CONGRATS!” to the German translators, who just completed translating the BadgeApp into German.  Thank you very much!

 

We now have complete translations for German (de), French (fr), Japanese (ja), Russian (ru), and Chinese (zh-CN), in addition to English (en).

 

I am very grateful to all of our amazing and dedicated translators.  THANK YOU.

 

Also: We have some early work on Spanish (es) that *just* started up.  If any native Spanish speakers would like to help, please let me know!!

 

--- David A. Wheeler

 

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2018-02.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

Ending dates       2018-01-30   2018-02-27
Total Projects           1328         1387
Projects 25%+             467          492
Projects 50%+             389          412
Projects 75%+             304          327
Projects passing          136          142

Here are the projects that first achieved a passing badge in 2018-02:

  1. VF-C (Virtual Function Controller Project) at 2018-02-05 08:13:27 UTC
  2. NetworkParser at 2018-02-09 14:54:26 UTC
  3. ONAP VNFSDK at 2018-02-09 20:44:34 UTC
  4. NEO•ONE at 2018-02-10 15:16:47 UTC
  5. Pipeline at 2018-02-15 11:42:02 UTC
  6. Hyperledger Composer at 2018-02-27 10:33:32 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Move from CVSS version 2.0 to version 3.0?

David A. Wheeler
 

I think we should switch from Common Vulnerability Scoring System (CVSS) version 2.0 to version 3.0 in the criteria.  Any objections?

 

We don’t need to do this quickly, but I’d like it to be in the queue.  If people have opinions on how fast we should do this, I’d like to know.  I want to be cautious about anything that would affect existing badge-holders, but I do not think this will affect any current badge-holders.

 

Details below.

 

--- David A. Wheeler

 

=== DETAILS ===

 

A very few of our criteria mention CVSS.  For example, [dynamic_analysis_fixed] says this:

CRITERION: “All medium and high severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.”

DETAILS: A vulnerability is medium to high severity if its CVSS 2.0 base score is 4. If you are not running dynamic code analysis and thus have not found any vulnerabilities in this way, choose "not applicable" (N/A).

 

CVSS version 3 has been around for a while, but we didn’t use it because the NIST National Vulnerability Database (NVD) only provided version 2 data, and not version 3 data.  However, NIST has since added support for version 3.  More info:

https://nvd.nist.gov/vuln-metrics/cvss

 

This should have little effect in practice.  CVSS version 3 rates some vulnerabilities as more risky than version 2 did (in particular, Heartbleed gets a higher risk score under version 3 compared to version 2).  That said, if a project has that many vulnerabilities where the CVSS version change matters, that’s a problem in itself.

 

BadgeApp performance

David A. Wheeler
 

I recently made some tweaks that seem to really bump up website performance.

 

By adding some “preload” statements and a fragment cache, the front page on the “master” branch is getting webpagetest.org median performance figures of load time 0.730s, start render 0.567s.  That’s with a fast Internet connection assuming the site is all-the-way-up, but that’s also from a cold start (“never-seen-site before”).  Once a user visits the site at all, much of the “big stuff” (like CSS and JavaScript) is cached, which makes performance even better.  Details here:

https://www.webpagetest.org/result/180214_2T_c03d80608ab7e2531d71a448613cb023/

 

The site doesn’t need to be blazingly fast, we just don’t want people to turn away because of interminable page loads.  I think ideal is under 1s, and we must be under 2s response in such conditions.  We’re easily meeting those requirements.

 

In the longer term I intend to replace the font-awesome font icon file, which is huge & doesn’t play nicely with dyslexic fonts, with loading specific SVGs (or maybe SVG sprites).  That should reduce the cold start page load time even further.

 

--- David A. Wheeler

 

Spanish translation ongoing!

David A. Wheeler
 

I’d like to say a quick “THANKS!” to Borja Martín, who has volunteered to work on a Spanish translation of the BadgeApp.  He has already begun; once it’s further along, I look forward to adding it to the list of selectable options.

 

While I’m at it: a BIG THANK YOU to all of you who’ve helped translate, or in any way helped in developing the BadgeApp or its criteria.  Like any OSS project, it takes a lot of hands to make something successful, and I’m grateful to everyone.

 

--- David A. Wheeler

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2018-01.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

Ending dates       2017-12-30   2018-01-30
Total Projects           1248         1328
Projects 25%+             442          467
Projects 50%+             364          389
Projects 75%+             287          304
Projects passing          130          136

Here are the projects that first achieved a passing badge in 2018-01:

  1. in-toto at 2018-01-05 21:31:54 UTC
  2. containerd at 2018-01-09 15:11:14 UTC
  3. Seriously at 2018-01-10 16:47:33 UTC
  4. bin2c Conversion Tool. at 2018-01-19 11:08:28 UTC
  5. MSB(Microservices Bus) at 2018-01-30 02:33:00 UTC
  6. cli at 2018-01-30 12:30:32 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Video: Quick demo on how to start getting a CII Best Practices badge

David A. Wheeler
 

I just posted a very short & simple video titled

“Quick demo on how to start getting a CII Best Practices badge”

  https://www.youtube.com/watch?v=dhLYLpsvvc0

 

There’s nothing fancy here – I didn’t even create a title screen or put in intro music.  But some people find it easier to learn by watching others, and this is a start towards that.

 

--- David A. Wheeler

 

Deleting a project now requires justification

David A. Wheeler
 

The best practices production site now has a new form for those who ask to delete projects (when they have the permissions necessary to do so). The system now requires that there be some text that explains *why* they are deleting a project entry. As I noted earlier, I'm sure we can't please everyone, but if there's a common issue we can resolve in the future, this will at least help us find out *why* someone is deleting their project entry. This new form also makes it harder to accidentally delete a project.

We continue to add projects, and more projects are getting badges. You can see the details here:
https://bestpractices.coreinfrastructure.org/project_stats
As of yesterday, 1294 projects are participating, and of those, 133 have passing badges.

--- David A. Wheeler

Another citation of the best practices badge project!

David A. Wheeler
 

FYI, Mike Samuel let me know that he said nice things about the best practices badge project in his article "A Roadmap for Node.js Security". It is part of a larger discussion about how to aggregate information that is useful when picking third-party dependencies or making build vs. reuse decisions.

More details:
https://nodesecroadmap.fyi/chapter-3/knowing_dependencies.html

--- David A. Wheeler

Stuff that's happening in the CII best practices badge project

David A. Wheeler
 

FYI, I thought I’d share some of the things that are going on in the CII best practices badge project.  I think it’s especially important because much of this may be otherwise invisible to you.  Details below.

 

The number of participating projects, and the number of projects with passing badges, continue to grow.  You can see the statistics & graphs here:  https://bestpractices.coreinfrastructure.org/project_stats

 

Of course, the *real* goal is to get projects to improve themselves, & help them show users that they’re well-run.  I think the badging project continues to do that, and I hope you do too.

 

Thanks!

 

--- David A. Wheeler

 

============= DETAILS =======================

 

We’ve improved our ability to provide data to others.  We’ve supported a REST API and JSON from essentially the beginning, but we’ve significantly improved the API documentation and created a separate page for it <https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/api.md>.  In addition, we’ve added support for CORS, so that JavaScript clients on browsers can access some of our data.  This should make it easier to create dashboards, analysis tools, and other such things that base themselves on tool data.  We *want* people to build on data as long as it doesn’t interfere with personal privacy.   We still don’t have the API defined using OpenAPI/Swagger, but we’d love the help: <https://github.com/coreinfrastructure/best-practices-badge/issues/129>

 

The master branch has a new form for those who want to delete projects.  Project entries aren’t deleted often, but when they are, we currently don’t know why.  The new form requires that there be some text that explains *why* they are deleting a project entry.  I’m sure we can’t please everyone, but if there’s a common issue we can resolve in the future, this will at least help us find out.  This also makes it harder to accidentally delete a project, which has happened.  Some people habitually say “yes” to any “are you sure” message, so having a special form should reduce the risk of accidental deletion.  If someone really does want to delete their project entry, we will of course honor that, but I think this change will make things better for all.

 

A number of projects are making slow & steady progress towards getting silver & gold badges.  These are (intentionally) much harder levels to achieve; even the “passing” level is challenging for many projects. This is very encouraging for the long term.

 

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2017-12.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

Ending dates       2017-11-29   2017-12-30
Total Projects           1167         1248
Projects 25%+             419          442
Projects 50%+             345          364
Projects 75%+             273          287
Projects passing          119          130

Here are the projects that first achieved a passing badge in 2017-12:

  1. distro-tracker at 2017-12-04 20:53:54 UTC
  2. linkerd at 2017-12-05 20:13:47 UTC
  3. Vita Genetic Programming Framework at 2017-12-12 16:24:14 UTC
  4. NSD: Name Server Daemon at 2017-12-14 21:07:01 UTC
  5. perl-test-timer at 2017-12-16 21:36:23 UTC
  6. Jobber at 2017-12-17 23:20:12 UTC
  7. EPICS Base at 2017-12-20 03:45:23 UTC
  8. Node-Data at 2017-12-20 13:04:47 UTC
  9. crypto-tk at 2017-12-21 12:29:21 UTC
  10. Fruit at 2017-12-27 10:41:24 UTC
  11. edumips64 at 2017-12-29 20:53:32 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

CommonMark has received a silver badge!

David A. Wheeler
 

The league/commonmark project (which implements a Markdown processor) has received a silver badge!!

 

More details here:

  https://bestpractices.coreinfrastructure.org/projects/126

 

As always, if there’s a problem please let us know.  However, on a brief spotcheck it looks fine.  For example, they expressly note that they exceed the 80% statement coverage requirement.

 

Because of the *kind* of project it is, it’s a little easier for them to meet the criteria than some others.  They don’t do anything with cryptography, and they don’t produce compiled executables, so some criteria are no-ops.  Even so, getting silver is not an easy thing!!

 

I know a number of projects are pursuing the silver badge, but relatively few have achieved it, so congrats!!

 

--- David A. Wheeler

 

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2017-11.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

Ending dates       2017-10-30   2017-11-29
Total Projects           1110         1167
Projects 25%+             401          419
Projects 50%+             333          345
Projects 75%+             264          273
Projects passing          114          119

Here are the projects that first achieved a passing badge in 2017-11:

  1. git-buildpackage at 2017-11-01 18:12:26 UTC
  2. systemd at 2017-11-04 19:48:26 UTC
  3. CAIRIS at 2017-11-24 08:10:25 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Current plan: No criteria changes, focus on getting projects involved & getting badges

David A. Wheeler
 

All:

We want to slowly & carefully update the criteria as community norms improve. However, I don't see any need to update the criteria at this time. The passing criteria in particular appear to be "just hard enough" that a badge is worth having, without being so hard that it's impossible to earn one. Silver & gold are harder, but they are *supposed* to be harder, and I know several projects are slowly pursuing higher-level badges.

Instead, I think we need to focus on getting more projects *involved* in the badging process and eventually *getting* badges. We'll also continue to review badge claims to make sure that the badges have really been earned (nonsense badges drag down the badge's value for everyone). The good news is that projects really are getting involved & earning badges, as evidenced by the project statistics here: https://bestpractices.coreinfrastructure.org/project_stats

SO: Please try to convince other projects to work on a badge. As you can see on the front page, a lot of well-known projects have received badges! Of course, the real goal isn't badges, the goal is to improve practices in the projects that we all rely on.... but badges are the visible manifestation of that. If you know that a project made an improvement because of the badging project, please let us know; I'd like to record that!

Of course, if a criterion is misunderstood, or doesn't make sense in specific narrow cases, we can review clarifications & narrow reasonable exemptions. But for now, I think we should stay the course.

We should revisit the criteria around August 2018. I expect any future changes to be very gradual, anyway. People work hard to earn badges, and we don't want to make their hard work irrelevant.

As far as the site itself goes, it seems to be working fine, so the current plan is to make at most modest improvements/updates. Everything can be improved, but again, I think we should focus on getting more projects involved & eventually earning a badge.

If you think this is a terrible idea, please let us know!

--- David A. Wheeler

Projects that received badges (monthly summary)

badgeapp@...
 

This is an automated monthly status report of the best practices badge application covering the month 2017-10.

Here are some selected statistics for the most recent completed month, preceded by the same statistics for the end of the month before that.

Ending dates       2017-09-29   2017-10-30
Total Projects           1049         1110
Projects 25%+             388          401
Projects 50%+             321          333
Projects 75%+             251          264
Projects passing          110          114

Here are the projects that first achieved a passing badge in 2017-10:

  1. AuthZForce Core PDP engine (Community Edition) at 2017-10-10 21:40:20 UTC
  2. libvirt at 2017-10-13 11:50:57 UTC
  3. Material-UI at 2017-10-17 18:47:47 UTC
  4. A Python library for automating interaction with websites. at 2017-10-22 11:37:46 UTC

We congratulate them all!

Do you know a project that doesn't have a badge yet? Please suggest to them that they get a badge now!

Someone created a long-term badge entry on a test tier.. please don't do that, & here are our steps to prevent future problems

David A. Wheeler
 

All:

 

We’ve just learned that someone had created a project badge entry on a *test* tier (master), with the intent of using that as the main information source.  Since that’s not what the test tiers are for, that did not work out well.  We occasionally copy data from the production site to the test tiers (master and staging), and we only learned about this situation after the data had already been overwritten (eek!).  We have many backups to prevent the loss of *production* data, but no one had considered the *test* tier data as something that needed backups, so some data was lost from that project’s badge entry.  The data can be recreated, but that’s not something I want to do often (!).

 

So: If you know of a badge entry that’s starting on master.bestpractices.coreinfrastructure.org or staging.bestpractices.coreinfrastructure.org, please save the work (say as a JSON file, just add “.json” to the project URL), and let us help you move that data.  Please do NOT put “real” data on a test tier!!

 

We’re also taking these steps to prevent a recurrence:

1. We’ve turned on a warning message on non-production tiers (including master and staging) for when you try to create a new project, view a project, or edit a project (thanks to Jason Dossett, who implemented this).  The warning is at the top and will clearly state that this is a test tier.  That should make a recurrence unlikely.

2. We’ve turned on daily backups for master and staging.  Normally that’s pointless, but if someone does this again & lets us know within a few days, we should be able to recover the data.  Thus, even if this problem recurs, the backups should reduce the probability or impact of data loss.

 

Thanks!

 

--- David A. Wheeler

 

CII Best Practice badge: Sharing, logos of sample projects, cookie law - PLEASE TELL OTHERS about the badge!

David A. Wheeler
 

FYI, there have been a few changes to the CII Best Practices badge site:

 

1. We now have new “sharing” links at the bottom of the front page <https://bestpractices.coreinfrastructure.org/> for Twitter, Reddit, Facebook, LinkedIn, Google+, and Email.  Unlike “like” buttons, these are NOT tracking devices – they do nothing unless you click on them.  Credits to “Responsible Social Share Links” by Jonathan Suh for explaining how to do this in a privacy-respecting way (<https://jonsuh.com/blog/social-share-links/#use-share-urls>).

2. Also on the front page, we have a list of logos for some of the projects who have earned a badge.  Hopefully that will convince some people that “projects I know got a badge, I want to join the party!”.

3. On the /login page we link to a “/cookies” page, which explains how we use cookies.  This is an honest effort to comply with certain EU/UK laws.  The laws exempt session cookies, and we only use permanent cookies when local users enable “Keep me logged in” (which is not the default), so linking *just* there seems appropriate. I think these cookie laws are misguided, fail to provide *real* privacy, and it’s not clear that we have to comply anyway.  But it doesn’t seem hard to comply, and we want to make everything a *positive* experience for our friends in the EU/UK, so we’ve done our best.

 

PLEASE tell others about the CII Best Practices badge – and by all means, use the new “sharing” links to help you do that.  We are generally growing, both in terms of the number of participating projects and the number of passing projects, but I’d love to see faster growth.  The more FLOSS projects that get a badge, the better the results.

 

Thanks!

 

--- David A. Wheeler

 

Re: CII Best Practices co-developers - need to update Ruby & gems

David A. Wheeler
 

Dan: Thanks!

 

I tried to merge this logic into “update-ruby” so that the script just “works everywhere”.  I don’t have a Mac, so I don’t know if it actually works.  Testing welcome :-).

 

--- David A. Wheeler

 

 

From: Dan Kohn [mailto:dan@...]
Sent: Monday, October 23, 2017 1:54 AM
To: Wheeler, David A
Cc: cii-badges@...
Subject: Re: [CII-badges] CII Best Practices co-developers - need to update Ruby & gems

 

On a Mac, it's:

 

brew update && brew upgrade ruby-build
rbenv install 2.4.2
gem install bundler
bundle


--

Dan Kohn <dan@...>

Executive Director, Cloud Native Computing Foundation https://www.cncf.io

+1-415-233-1000 https://www.dankohn.com

 

On Sun, Oct 22, 2017 at 5:27 PM, Wheeler, David A <dwheeler@...> wrote:

FYI:

 

If you are creating proposed changes to the CII Best Practices Badge code, I’ve recently updated the Ruby implementation (as well as all the gems I can).  So if you’ve had the badge application running, the next time after doing a “git pull” you’ll need to run this (in its directory):

 

./ruby-update   # Update Ruby
bundle install   # Install current gems

 

This is documented in the CONTRIBUTING.md file, but I thought I’d point this out here, because I want to make it easy for people to propose changes.

 

Thanks!

 

--- David A. Wheeler

 


_______________________________________________
CII-badges mailing list
CII-badges@...
https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges