Core Infrastructure Initiative (CII) compliance for the Jenkins core - status thread


Oleg Nenashev
Hi all,

This is a follow-up to the [Community Bridge funding thread](https://groups.google.com/d/msg/jenkinsci-dev/iLutO2X0bdg/r9AaKlA5CgAJ) and to contributor summit discussions about CII. As discussed there, the Linux Foundation expects all projects on Community Bridge to also be part of the [Core Infrastructure Initiative](https://www.coreinfrastructure.org/), which is their program for strengthening security in open-source projects. In particular, there is a badge program [here](https://bestpractices.coreinfrastructure.org/en). All Community Bridge projects are expected to eventually pass certification there.

I believe that being compliant with CII is a net positive thing for us, because it can help to promote the project and to address some quality-related and certification queries from current and potential Jenkins users (e.g. see [this recent thread](https://groups.google.com/forum/#!topic/jenkins-infra/ZMWy36BXwLA)). It also unlocks access to targeted security project funding / engineering time donations by CII corporate members ([Assistance program](https://www.coreinfrastructure.org/programs/assistance-program/)) and to tooling like Snyk.

I started working on a CII checklist for the Jenkins core; plugins are out of scope for me at the moment. You can find the current status on [this page](https://bestpractices.coreinfrastructure.org/en/projects/3538). We are currently at the 80% completion state, and there are some open topics which need to be clarified. I have summarized the topics below after the email, and I will start follow-up threads for them so that they can be discussed separately.

CII is definitely a case where the remaining 20% of the work requires 80% of the effort, but I hope to gradually get to the full certification checklist for the Jenkins core. Even if we do not pass the certification criteria there, it is nice to have a documented status for quality/security expectations. I would appreciate any feedback about CII compliance in general and about the [self-certification page](https://bestpractices.coreinfrastructure.org/en/projects/3538). Unfortunately documentation-as-code is not supported there, but I am happy to incorporate any suggested changes.

Best regards,
Oleg

#### Open topics: 

Problem 1. Incoming issues triage ([section status](https://bestpractices.coreinfrastructure.org/en/projects/3538#reporting)). We no longer have an active triage team which would be regularly reviewing incoming issues in Jira. Alex Earl made a proposal to have an official triage team in 2017 ([dev list thread](https://groups.google.com/forum/#!searchin/jenkinsci-dev/triage%7Csort:date/jenkinsci-dev/XToix3QpL_k/j2k0xeXvCQAJ)), but it has not been implemented so far. I was doing regular issue triage until Dec 2018, when I stepped down (see the same thread). Right now we regularly look at the Jenkins release community ratings and reported regressions, but I would not say we have a real triage process, especially for RFEs and bugs reported against non-core components.
  • CII criteria:
    • "The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix."
    • "The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive)."
  • My assumption is that we are below these criteria.
  • Potential solution: Maybe we should revise this topic. Since we have more active core maintainers now, maybe we could have a rotation for the incoming issues in Jenkins Jira. To be discussed in a separate thread.
Problem 2. Quality and code analysis warnings ([section status](https://bestpractices.coreinfrastructure.org/en/projects/3538#quality)). The project MUST enable one or more compiler warning flags, a "safe" language mode, or use a separate "linter" tool to look for code quality errors or common simple mistakes, if there is at least one FLOSS tool that can implement this criterion in the selected language. Jenkins core addresses it, because we have a bunch of tools enabled like SpotBugs, Animal Sniffer or Maven Enforcer. But there are some downstream criteria.
  • Problematic CII criteria:
    • The project should fix warnings or mark them in the source code as false positives. Ideally there would be no warnings, but a project MAY accept some warnings (typically less than 1 warning per 100 lines or less than 10 warnings).
    • It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical.
  • Problem: We ignore some warnings without explicitly suppressing them (Javadoc and other minor things). And we definitely do not set maximally strict requirements; our SpotBugs runs on the High threshold by default. Stefan Spieker is doing a great job with the issues cleanup for "Medium", but there are still a lot of issues left.
  • Potential solution: Fail the Suggested criteria for now, review the warnings we get from tools and address quick wins. Suppress the rest?
Problem 3. Security requirements ([status](https://bestpractices.coreinfrastructure.org/en/projects/3538#security)). There is a bunch of certification criteria there which require a careful review and response (usage of encryption, delivery process, etc.). My understanding is that we are not fully compliant with the certification rules there, and that making Jenkins core fully compliant would be a stretch goal. It does not mean we have security issues, but the formal criteria there set a high bar and opinionated requirements about how security issues should be handled.
  • Plan: I will be following up with the Security team on this certification section.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLC9Zo38XW8qpKE7vzRfS-EDR_016WViObFdU37a-No-ow%40mail.gmail.com.
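One way to measure the two triage criteria quoted under Problem 1 against issue-tracker data, as an added example that is not part of the original post or of the Jenkins project's code. The issue records are constructed, and the "first response by someone other than the reporter" field is an assumption about how the Jira data would be exported.

```python
"""Self-check for the two CII badge triage criteria quoted in Problem 1.

Added example, not Jenkins project code.  The issue records are constructed
for illustration; in practice they would come from a Jira export (assumption:
one record per issue with its creation date and the date of the first
comment or transition made by someone other than the reporter).
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Issue:
    key: str
    kind: str                       # Jira issue type: "Bug" or "Improvement"
    reporter: str
    created: date
    first_response: Optional[date]  # first non-reporter comment/transition, or None
    responder: Optional[str] = None


def months_ago(today: date, n: int) -> date:
    """Calendar-month subtraction, clamping the day for short months."""
    m = today.month - n
    year = today.year + (m - 1) // 12
    month = (m - 1) % 12 + 1
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def acknowledged(issue: Issue) -> bool:
    """A reporter commenting on their own report does not count as a response."""
    return issue.first_response is not None and issue.responder != issue.reporter


def triage_report(issues: List[Issue], today: date) -> Dict[str, dict]:
    """Apply the 2-12 month (inclusive) window and the >50% majority test.

    Bugs map to the MUST criterion, enhancement requests to the SHOULD one.
    """
    oldest, newest = months_ago(today, 12), months_ago(today, 2)
    report = {}
    for kind, level in (("Bug", "MUST"), ("Improvement", "SHOULD")):
        batch = [i for i in issues if i.kind == kind and oldest <= i.created <= newest]
        acked = [i for i in batch if acknowledged(i)]
        ratio = len(acked) / len(batch) if batch else None
        report[kind] = {
            "level": level,
            "window": (oldest, newest),
            "total": len(batch),
            "acknowledged": len(acked),
            "ratio": ratio,
            # None when the window holds no issues: the criterion is not measurable
            "passes": None if ratio is None else ratio > 0.5,
            "unacknowledged": [i.key for i in batch if not acknowledged(i)],
        }
    return report


# Constructed sample data (not real Jira issues); "today" is the date of the
# original e-mail, so the window is 2019-02-18 .. 2019-12-18.
TODAY = date(2020, 2, 18)
SAMPLE_ISSUES = [
    Issue("EXAMPLE-1", "Bug", "alice", date(2019, 3, 1), date(2019, 3, 2), "maintainer"),
    Issue("EXAMPLE-2", "Bug", "bob", date(2019, 6, 15), None),
    Issue("EXAMPLE-3", "Bug", "carol", date(2019, 11, 30), date(2019, 12, 5), "carol"),  # self-comment only
    Issue("EXAMPLE-4", "Bug", "dave", date(2020, 1, 20), None),   # too recent, excluded
    Issue("EXAMPLE-5", "Bug", "erin", date(2019, 1, 10), None),   # too old, excluded
    Issue("EXAMPLE-6", "Bug", "frank", date(2019, 9, 9), date(2020, 1, 15), "maintainer"),
    Issue("EXAMPLE-7", "Bug", "grace", date(2019, 4, 4), date(2019, 4, 6), "triager"),
    Issue("EXAMPLE-8", "Improvement", "heidi", date(2019, 5, 5), date(2019, 5, 7), "maintainer"),
    Issue("EXAMPLE-9", "Improvement", "ivan", date(2019, 8, 8), None),
    Issue("EXAMPLE-10", "Improvement", "judy", date(2019, 12, 18), None),  # on the boundary, included
]


if __name__ == "__main__":
    for kind, r in triage_report(SAMPLE_ISSUES, TODAY).items():
        print(f"{kind}: {r['acknowledged']}/{r['total']} acknowledged, "
              f"{r['level']} criterion passes={r['passes']}, open: {r['unacknowledged']}")
```

With the sample data the bug criterion passes (3 of 5 acknowledged) while the enhancement criterion fails (1 of 3), and the report lists the issue keys that still need a first response.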

Re: Core Infrastructure Initiative (CII) compliance for the Jenkins core - status thread

Tracy Miranda
Hi Oleg,

Thanks for putting this together and establishing that baseline score!

IMHO it is a great exercise to run through, as proven by the issues you raised in the email. (Also nice to see the badge linked when I click on Jenkins on the [CDF](https://landscape.cd.foundation/) and [CNCF](https://landscape.cncf.io/) landscapes.)
I look forward to the follow-on threads, and also plan to take a more detailed look at the report.

Thanks,
Tracy

On Tue, Feb 18, 2020 at 6:50 AM Oleg Nenashev <[hidden email]> wrote:

Re: Core Infrastructure Initiative (CII) compliance for the Jenkins core - status thread

Oleg Nenashev
Updates here:
  • Right now we are at the 80% mark w.r.t. the compliance: https://bestpractices.coreinfrastructure.org/en/projects/3538
  • We would be interested to pass Core Infrastructure Initiative certification as a part of the CDF graduation process (see [this thread](https://groups.google.com/forum/#!topic/jenkinsci-dev/I3sUP2SB2JI)).
  • I started working on addressing the current issues in the certification:
    • Issue triage: We need a formal process w.r.t. providing initial feedback to bug reports and feature requests. I restarted a thread about the Bug Triage team for the Jenkins core. See https://groups.google.com/d/msg/jenkinsci-dev/XToix3QpL_k/u6-7awD4AwAJ and further comments.
    • Security checklist: I started a [Google Doc for the Security checklist](https://docs.google.com/document/d/1i4uzVk8u5d7933A8IqENj78_iGDIRQAKEmKQuAFDdQY/edit?usp=sharing). It should help us to perform a joint review of the requirements and to prepare a response.
Any feedback about the wording and the security checklist would be appreciated.

Best regards,
Oleg


On Tuesday, February 18, 2020 at 9:00:44 PM UTC+1, Tracy Miranda wrote:

Re: Core Infrastructure Initiative (CII) compliance for the Jenkins core - status thread

Oleg Nenashev
Hi all,

Just a quick update, after submitting the security checklist and our current Jira metrics to https://bestpractices.coreinfrastructure.org/en/projects/3538, I am happy to announce that we have reached the 133% mark and hence the Jenkins project is now officially passing the Core Infrastructure Initiative certification. Thanks a lot to all contributors, and special thanks to the Jenkins Security team (esp. Daniel and Wadeck) for multiple cycles of reviews in the checklist!

Next steps would be to keep working on the CII certification towards the silver (200%) and gold (300%) grades. There are much stricter requirements on these levels (e.g. strict license file requirements, infra authorization guidelines, etc. etc.). There will be a lot of work to get there, but I think we can keep working on the requirements which we consider beneficial to the Jenkins project and the community.

Best regards,
Oleg


On Monday, June 22, 2020 at 1:53:57 PM UTC+2, Oleg Nenashev wrote:
Updates here:
  • Right now we are at the 80% mark w.r.t the compliance: <a href="https://bestpractices.coreinfrastructure.org/en/projects/3538" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fbestpractices.coreinfrastructure.org%2Fen%2Fprojects%2F3538\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHi5HgRR5H3UT9VpBJxfqvbq4ofXQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fbestpractices.coreinfrastructure.org%2Fen%2Fprojects%2F3538\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHi5HgRR5H3UT9VpBJxfqvbq4ofXQ&#39;;return true;">https://bestpractices.coreinfrastructure.org/en/projects/3538
  • We would be interested to pass Core Infrastructure Initiative certification as a part of the CDF graduation process (see <a href="https://groups.google.com/forum/#!topic/jenkinsci-dev/I3sUP2SB2JI" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/forum/#!topic/jenkinsci-dev/I3sUP2SB2JI&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/forum/#!topic/jenkinsci-dev/I3sUP2SB2JI&#39;;return true;">this thread).
  • I started working on addressing the current issues in the certification:
    • Issue Triage: We need a formal process w.r.t providing initial feedback to bug reports and feature requests. I restarted a thread about the Bug Triage team for the Jenkins core. See <a href="https://groups.google.com/d/msg/jenkinsci-dev/XToix3QpL_k/u6-7awD4AwAJ" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msg/jenkinsci-dev/XToix3QpL_k/u6-7awD4AwAJ&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msg/jenkinsci-dev/XToix3QpL_k/u6-7awD4AwAJ&#39;;return true;">https://groups.google.com/d/msg/jenkinsci-dev/XToix3QpL_k/u6-7awD4AwAJ and further comments
    • Security checklist: I started a <a href="https://docs.google.com/document/d/1i4uzVk8u5d7933A8IqENj78_iGDIRQAKEmKQuAFDdQY/edit?usp=sharing" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://docs.google.com/document/d/1i4uzVk8u5d7933A8IqENj78_iGDIRQAKEmKQuAFDdQY/edit?usp\x3dsharing&#39;;return true;" onclick="this.href=&#39;https://docs.google.com/document/d/1i4uzVk8u5d7933A8IqENj78_iGDIRQAKEmKQuAFDdQY/edit?usp\x3dsharing&#39;;return true;">Google Doc for the Security checklist. It should help us to perform a joint review of the requirements and to prepare a response.
Any feedback about the wording and the security checklist would be appreciated.

Best regards,
Oleg


On Tuesday, February 18, 2020 at 9:00:44 PM UTC+1, Tracy Miranda wrote:
Hi Oleg,

Thanks for putting this together and establishing that baseline score!

IMHO it is a great exercise to run through as proven by the issues you raised in the email. (Also nice to see the badge linked when I click on Jenkins on the <a href="https://landscape.cd.foundation/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Flandscape.cd.foundation%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEerbTUpZiG0KtoxT76HNM86qR7Mw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Flandscape.cd.foundation%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEerbTUpZiG0KtoxT76HNM86qR7Mw&#39;;return true;">CDF and <a href="https://landscape.cncf.io/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Flandscape.cncf.io%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNH4ES7NRqgHswzNC5G1KL7-K0F0iA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Flandscape.cncf.io%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNH4ES7NRqgHswzNC5G1KL7-K0F0iA&#39;;return true;">CNCF landscapes). 
I look forward to the follow on threads, plus also plan to take a more detailed look at the report. 

Thanks,
Tracy

On Tue, Feb 18, 2020 at 6:50 AM Oleg Nenashev <[hidden email]> wrote:

#### Open topics: 

Problem 1. Incoming issues triage (section status: https://bestpractices.coreinfrastructure.org/en/projects/3538#reporting). We no longer have an active triage team which would be regularly reviewing incoming issues in Jira. Alex Earl made a proposal to have an official triage team in 2017 (dev list thread: https://groups.google.com/forum/#!searchin/jenkinsci-dev/triage%7Csort:date/jenkinsci-dev/XToix3QpL_k/j2k0xeXvCQAJ), but it was not implemented at the moment. I was doing regular issue triage until Dec 2018 before I stepped down (see the same thread). Right now we regularly look at the Jenkins release community ratings and reported regressions, but I would not say we have a real triage process, especially for RFEs and bugs reported to non-core components.
  • CII Criteria:
    • "The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix."
    • "The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive)."
  • My assumption is that we are below these criteria
  • Potential solution: Maybe we should revise this topic. Since we have more active core maintainers now, maybe we could have a rotation for the incoming issues in Jenkins Jira. To be discussed in a separate thread
Problem 2. Quality and Code analysis warnings (section status: https://bestpractices.coreinfrastructure.org/en/projects/3538#quality). The project MUST enable one or more compiler warning flags, a "safe" language mode, or use a separate "linter" tool to look for code quality errors or common simple mistakes, if there is at least one FLOSS tool that can implement this criterion in the selected language. Jenkins core addresses it, because we have a bunch of tools enabled like Spotbugs, Animal Sniffer or Maven Enforcer. But there are some downstream criteria.
  • Problematic CII criteria:
    • The project should fix warnings or mark them in the source code as false positives. Ideally there would be no warnings, but a project MAY accept some warnings (typically less than 1 warning per 100 lines or less than 10 warnings).
    • It is SUGGESTED that projects be maximally strict with warnings in the software produced by the project, where practical.
  • Problem: We ignore some warnings without explicitly suppressing them (Javadoc and other minor things). And we definitely do not set maximally strict requirements, our SpotBugs runs on the High threshold by default. Stefan Spieker is doing a great job with the issues cleanup, for "Medium", but there are still a lot of issues left.
  • Potential solution: Fail the Suggested criteria for now, review the warnings we get from tools and address quick-wins. Suppress the rest?
Problem 3. Security requirements (status: https://bestpractices.coreinfrastructure.org/en/projects/3538#security). There is a bunch of certification criteria there which require a careful review and response (usage of encryption, delivery process, etc.). My understanding is that we are not fully compliant with the certification rules there, and that making Jenkins core fully compliant would be a stretch goal. It does not mean we have security issues, but the formal criteria there set a high bar and opinionated requirements about how security issues should be handled.
  • Plan: I will be following up with the Security team on this certification section.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLC9Zo38XW8qpKE7vzRfS-EDR_016WViObFdU37a-No-ow%40mail.gmail.com.