Add SECURITY.md to IF #1084
Open
jmcook1186 wants to merge 3 commits into main from add-security-doc
@@ -8,6 +8,7 @@ The following document is a rule set of guidelines for contributing. | |||||
|
||||||
- [What and when to contribute](#what-and-when-to-contribute) | ||||||
- [Reporting bugs](#reporting-bugs) | ||||||
- [Disclosing vulnerabilities](#disclosing-vulnerabilities) | ||||||
- [Code Contributions](#code-contributions) | ||||||
- [Step 1: Fork](#step-1-fork) | ||||||
- [Step 2: Branch](#step-2-branch) | ||||||
|
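Review bot: the PR title says a SECURITY.md is being added, but this hunk and every other hunk in the diff edit the contributing guidelines (the hunk header reads "a rule set of guidelines for contributing"); GitHub only surfaces a repository security policy from a SECURITY.md in the root, `docs/` or `.github/`, so either add that file (it can simply link to the new "Disclosing vulnerabilities" section) or retitle the PR. The new `#disclosing-vulnerabilities` anchor does match the heading added below, so the table of contents itself is fine.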
@@ -37,27 +38,27 @@ We appreciate bug reports! If you experience an issue with IF, you can report it | |||||
3. Click on `Create New Issue` and select the `Bug Report` template. | ||||||
4. Fill out the requested information. | ||||||
|
||||||
The more detailed information you provide in the bug report, the easier it will be for us to diagnose, triage and resolve your issue. We ask for some simple information about your issue, including a description of the error, the expected behaviour, the actual behaviour and the steps we can take to reproduce the error in our local environments. We also then prompt you to provide a link to [Stackblitz](https://stackblitz.com/) or a similar online environment where we can run your manifest and observe the error. If you prefer _not_ to send a link, we would appreciate a copy of the manifest file that you ran to produce the error, information about your runtime environment and any additional code that's required to reproduce the error. This is all designed to enable us to reproduce the same error and debug it for you as quickly as possible. | ||||||
The more detailed information you provide in the bug report, the easier it will be for us to diagnose, triage, and resolve your issue. We ask for some simple information about your issue, including a description of the error, the expected behaviour, the actual behaviour and the steps we can take to reproduce the error in our local environments. We also then prompt you to provide a link to [Stackblitz](https://stackblitz.com/) or a similar online environment where we can run your manifest and observe the error. If you prefer *not* to send a link, we would appreciate a copy of the manifest file that you ran to produce the error, information about your runtime environment, and any additional code that's required to reproduce the error. This is all designed to enable us to reproduce the same error and debug it for you as quickly as possible. | ||||||
|
||||||
Once a suitably detailed bug report exists, we will triage it. Triage means that the core team will examine the issue and assign an urgency label - either Low, Medium or High. | ||||||
Once a suitably detailed bug report exists, we will triage it. We hold weekly triage calls on Tuesdays. In most cases, the triage call will be the core team's first interaction with the bug, although in some cases we may engage asynchronously in advance of the call. Triage means that the core team will examine the issue and assign an urgency label - either Low, Medium or High. | ||||||
|
||||||
The assessment rubric is as follows: | ||||||
|
||||||
| | Consequence | Severity | | ||||||
| --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | -------- | | ||||||
| Bugs in IF core leading to incorrect calculations | unusable framework | 5 | | ||||||
| Bugs in builtins leading to incorrect calculations | core pathways fail, IF very limited in functionality | 5 | | ||||||
| Bugs in template | Harder to build plugins, ecosystem growth is impacted | 2 | | ||||||
| Bugs in docs | product does not match expectation, hard to debug, frustration, loss of adoption | 2 | | ||||||
| Security flaw: privacy related | leak user data, unlikely to achieve adoption in serious orgs | 5 | | ||||||
| Security flaw: permissions escalation | expose user to malware | 5 | | ||||||
| Code not addressing user needs | no product market fit, loss of adoption | 5 | | ||||||
| Communication failures within team | Conflicting or duplicating work, frustration, morale damage | 4 | | ||||||
| Communication failures with community | we lose product market fit, we do not have good community retention, reputational damage | 3 | | ||||||
| Communication failures with leadership | product does not meet business goals | 3 | | ||||||
| License compliance failures, including in supply chain (e.g. exposing privileged api responses for free via a plugin) | 4 | | ||||||
| Bugs affecting releases | users stuck on old versions | 4 | | ||||||
| Strategy failures | no product market fit | 2 | | ||||||
| | Consequence | Severity | | ||||||
| ---------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | -------- | | ||||||
| Bugs in IF core leading to incorrect calculations | unusable framework | 5 | | ||||||
| Bugs in builtins leading to incorrect calculations | core pathways fail, IF very limited in functionality | 5 | | ||||||
| Bugs in template | Harder to build plugins, ecosystem growth is impacted | 2 | | ||||||
| Bugs in docs | product does not match expectation, hard to debug, frustration, loss of adoption | 2 | | ||||||
| Security flaw: privacy related | leak user data, unlikely to achieve adoption in serious orgs | 5 | | ||||||
| Security flaw: permissions escalation | expose user to malware | 5 | | ||||||
| Code not addressing user needs | no product market fit, loss of adoption | 5 | | ||||||
| Communication failures within team | Conflicting or duplicating work, frustration, morale damage | 4 | | ||||||
| Communication failures with community | we lose product market fit, we do not have good community retention, reputational damage | 3 | | ||||||
| Communication failures with leadership | product does not meet business goals | 3 | | ||||||
| License compliance failures, including in supply chain (e.g. exposing privileged api responses for free via a plugin) | 4 | | ||||||
| Bugs affecting releases | users stuck on old versions | 4 | | ||||||
| Strategy failures | no product market fit | 2 | | ||||||
|
||||||
The mapping of severity to label is as follows: | ||||||
|
||||||
|
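Review bot: the `License compliance failures, including in supply chain (...)` row has only two cells in both the old and new table (the Consequence column is missing), so it renders misaligned; since the table is being re-emitted anyway, add the missing cell, even if it is empty (`| License compliance failures, ... | | 4 |`). Apart from that row, the table change is whitespace only (one extra dash in the separator line), which adds fourteen changed lines of noise to the diff; consider reverting the reflow so reviewers can see the substantive edit, which is the new sentence about weekly triage calls on Tuesdays.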
@@ -69,9 +70,9 @@ The mapping of severity to label is as follows: | |||||
| 4 | H | | ||||||
| 5 | H | | ||||||
|
||||||
For high urgency bugs, the fix will be implemented as soon as possible. Low priority bugs will be backlogged and addressed when there is developer time available. Low priority bugs will also be tagged `help-wanted` so that they can be addressed by community members. | ||||||
During the bug triage we will also discuss a remediation plan for the bug. This will be communicated in the comments on the bug report. For high urgency bugs, the fix will be implemented as soon as possible, maybe reorganizing our current work to accommodate it. For medium priority bugs, we will schedule the fix in the next available sprint. Low priority bugs will be backlogged and addressed when there is developer time available. Low priority bugs will also be tagged `help-wanted` so that they can be addressed by community members. | ||||||
|
||||||
|
||||||
Not every bug will be fixed. We may decide _not_ to fix a bug in cases such as: | ||||||
Not every bug will be fixed. We may decide *not* to fix a bug in cases such as: | ||||||
|
||||||
- fixing the bug has some detrimental side effect elsewhere in the product | ||||||
- the bug has a fix coming soon as part of another upgrade | ||||||
|
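Review bot: the new paragraph mixes three terms for the same label, "urgency label" (Low, Medium or High), "high urgency bugs" and "medium priority bugs", and the hunk below uses "severity"; pick one term and use it throughout, since the label names are what contributors will search for. It would also help to say where the remediation plan is recorded when the report did not arrive as a public issue, because the disclosure section added in the next hunk routes security reports by email rather than through the bug tracker.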
@@ -80,17 +81,30 @@ Not every bug will be fixed. We may decide _not_ to fix a bug in cases such as: | |||||
|
||||||
The bug will be labelled `fix-now`, `fix-later` or `wont-fix` to reflect our remediation plan and details will be provided in issue comments. | ||||||
|
||||||
## Disclosing vulnerabilities | ||||||
|
||||||
If you discover a security vulnerability in IF, please report it to [email protected]. | ||||||
|
||||||
Include the following information: | ||||||
|
||||||
- description of the issue | ||||||
- steps to reproduce | ||||||
- steps to fix, if known | ||||||
|
||||||
The IF team will respond as quickly as possible. Post-graduation there will be no full-time development team, but GSF staff will aim to get the vulnerability patched as quickly as possible, aiming for <=14 day response time. | ||||||
|
||||||
|
||||||
## Code Contributions | ||||||
|
||||||
### Step 1: Fork | ||||||
|
||||||
Fork the project on [GitHub](https://github.com/Green-Software-Foundation/if) | ||||||
|
||||||
You then have your own copy of the repository that you can change. | ||||||
You then have your own copy of the repository that you can change. | ||||||
|
||||||
### Step 2: Branch | ||||||
|
||||||
Create new branch in your forked copy of the `if` repository, which will contain your new feature, fix or change. | ||||||
Create new branch in your forked copy of the `if` repository, which will contain your new feature, fix or change. | ||||||
|
||||||
```bash | ||||||
$ git checkout -b <topic-branch-name> | ||||||
|
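Review bot: the response-time sentence is ambiguous: "aiming to get the vulnerability patched as quickly as possible, aiming for <=14 day response time" reads as though 14 days is the patch target, while "response time" suggests acknowledgement; state the two targets separately (time to acknowledge a report, time to a fix or a decision). Also tell reporters explicitly not to open a public GitHub issue for suspected vulnerabilities, since the "Reporting bugs" section above sends everything to the public tracker and the rubric rates security flaws at the highest severity. The contact address is rendered as `[email protected]` in this view; confirm the committed file carries the real mailbox and, ideally, a way to send reports encrypted.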
@@ -108,7 +122,7 @@ $ git config --global user.email "[email protected]" | |||||
Each commit should cover one change to one resource. You should not add multiple changes to a single commit. | ||||||
Commit message should clearly describe on which resource changes are made. | ||||||
For the commit message, we adhere to the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. | ||||||
Conventional commits are organized with a type, a scope and a description. The type can be one of: | ||||||
Conventional commits are organized with a type, a scope and a description. The type can be one of: | ||||||
|
||||||
- 'feat', | ||||||
- 'fix', | ||||||
|
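Review bot: the only change in this hunk is a whitespace-only rewrite of the "Conventional commits are organized with a type, a scope and a description" line (the text is identical); if this came from an editor stripping trailing spaces it is harmless, but the same whitespace churn appears in several hunks below and inflates the diff, so consider reverting those lines or moving the formatting pass into a separate commit.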
@@ -129,10 +143,10 @@ Here's an example of a valid commit message: | |||||
feat(lib): initial commit for time-sync logic | ||||||
``` | ||||||
|
||||||
or | ||||||
or | ||||||
|
||||||
``` | ||||||
test(lib): in teads-curve add unit test to check that error is raised on missing tdp param | ||||||
test(lib): in teads-curve add unit test to check that error is raised on missing tdp param | ||||||
``` | ||||||
|
||||||
Run `npm run fix` before commiting. If your commit message does not conform to the conventional commit specification or if you have not run `npm run fix` your commit will not satisfy the commitlint check. | ||||||
|
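Review bot: while touching this section, the context line "Run `npm run fix` before commiting" has a typo ("committing"); worth fixing in the same commit since the surrounding lines are already being re-emitted for whitespace.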
@@ -142,7 +156,7 @@ Add and commit with your commit message: | |||||
```bash | ||||||
$ git add my/changed/files | ||||||
$ git commit -m "<type-of-commit>(<my-optional-scope>): <my-commit-message>" | ||||||
``` | ||||||
``` | ||||||
|
||||||
### Step 5: Push | ||||||
|
||||||
|
@@ -154,29 +168,30 @@ $ git push origin <topic-branch-name> | |||||
|
||||||
### Step 6: Pull Request | ||||||
|
||||||
Open a Pull Request from your fork of the repository to the `main` branch of the IF repository with a clear title and description according to [template](.github/PULL_REQUEST_TEMPLATE.md). | ||||||
Open a Pull Request from your fork of the repository to the `dev` branch of the IF repository with a clear title and description according to [template](.github/PULL_REQUEST_TEMPLATE.md). | ||||||
|
||||||
|
||||||
Pull requests will not be reviewed unless they pass all CI. This includes a lint check and running our unit tests. | ||||||
|
||||||
## Coding guidelines | ||||||
|
||||||
### Code structuring patterns | ||||||
|
||||||
Avoid having functions which are responsible to do multiple things at the same time. Make sure one function/method does one thing, and does it well. | ||||||
Avoid having functions which are responsible to do multiple things at the same time. Make sure one function/method does one thing, and does it well. | ||||||
|
||||||
### Functional Programming | ||||||
|
||||||
We have a preference towards functional programming styles in the IF. This is because it makes it easier for different functions to be developed in isolation, composed in complex ways and executed in parallel. | ||||||
|
||||||
We recommend starting with these [basic principles and guidelines](https://dev.to/jamesrweb/principles-of-functional-programming-4b7c) for functional programming. | ||||||
|
||||||
|
||||||
### Naming conventions | ||||||
|
||||||
We prefer not to use abbreviations of contractions in parameter names. | ||||||
We prefer not to use abbreviations of contractions in parameter names. | ||||||
|
||||||
Using fully descriptive names makes the code more readable, which in turn helps reviewers and anyone else aiming to understand how the plugin works. | ||||||
Using fully descriptive names makes the code more readable, which in turn helps reviewers and anyone else aiming to understand how the plugin works. | ||||||
|
||||||
It also helps to avoid ambiguity and naming collisions within and across plugins. Ensure that names clearly and precisely describe the purpose of an element to make its functionality immediately apparent. | ||||||
It also helps to avoid ambiguity and naming collisions within and across plugins. Your name should describe what an element does as precisely as practically possible. | ||||||
|
||||||
|
||||||
For example, we prefer `functionalUnit` to `funcUnit`, `fUnit`, or any other abbreviation. | ||||||
|
||||||
|
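Review bot: the guidelines now tell contributors to open pull requests against the `dev` branch, but this very PR is opened against `main`; confirm that `dev` is the intended integration branch and that CI and branch protection are configured there, otherwise contributors will follow the document and have their PRs bounced. Separately, the context line "We prefer not to use abbreviations of contractions in parameter names" should read "abbreviations or contractions", and the reworded sentence "Your name should describe what an element does" reads as if it refers to the contributor's own name; "The name should describe what an element does" is clearer.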
@@ -189,6 +204,7 @@ In yaml files, we prefer to use kebab-case (`like-this`) for field names. For ex | |||||
|
||||||
Global constants can be given capitalized names, such as `TIME_UNITS_IN_SECONDS`. | ||||||
|
||||||
|
||||||
#### Documentation | ||||||
|
||||||
Every logical unit (`function, method`) should be covered with appropriate documentation. For documenting such, multi-line comment style is used. | ||||||
|
@@ -205,10 +221,9 @@ const logMessage = (message: string) => console.log(message) | |||||
|
||||||
### Writing tests | ||||||
|
||||||
One test file should be responsible for one module. `describe` blocks should be used for module and function/method description. First `describe` should follow `resource/module: ` pattern. Second describe title should follow `method(): ` pattern. Test units can use `it` blocks whose title should exactly describe behaviour and input argument. | ||||||
|
||||||
See example: | ||||||
One test file should be responsible for one module. `describe` blocks should be used for module and function/method description. First `describe` should follow `resource/module: ` pattern. Second describe title should follow `method(): ` pattern. Test units can use `it` blocks whose title should exactly describe behaviour and input argument. | ||||||
|
||||||
See example: | ||||||
```ts | ||||||
describe('util/args: ', () => { | ||||||
describe('parseProcessArgument(): ', () => { | ||||||
|
@@ -234,9 +249,11 @@ To help us to diagnose and debug your issue, please provide either a [Stackblitz | |||||
- links to any code (e.g. your own plugin code), it must be available online, | ||||||
- runtime information such as OS, node version, package.json, IF version | ||||||
|
||||||
High severity bugs will be fixed as soon as possible, whereas medium and low severity bug fixes will likely be backlogged for attention in the next available sprint. | ||||||
Reported bugs will be discussed among the team in a weekly bug triage and be assigned a severity (low, medium or high). | ||||||
|
||||||
High severity bugs will be fixed as soon as possible, whereas medium and low severity bug fixes will likely be backlogged for attention in the next available sprint. | ||||||
|
||||||
In some cases, we might decide not to fix certain bugs if they are low severity, either because we anticipate fixes coming soon as part of already-scheduled upgrades or because we think the fixes make "good first issues" for community contributors. | ||||||
Community members are welcome to report any issue they face and also work on fixing the low priority bugs. | ||||||
|
||||||
_[⬅️ back to the root](/README.md#ief)_ | ||||||
*[⬅️ back to the root](/README.md#ief)* |
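Review bot: the retained sentence "medium and low severity bug fixes will likely be backlogged for attention in the next available sprint" contradicts the triage section changed earlier in this patch, which schedules medium bugs in the next sprint and backlogs low ones until developer time is available; align the two, or drop this summary paragraph and link to the triage section so the policy is stated once. The new sentence "Reported bugs will be discussed among the team in a weekly bug triage" also duplicates the Tuesday triage-call sentence added above.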