Source code, CI/CD, and supply chain security

[aj-stein-gsa]

User Story

As a project maintainer, in order to have confidence in the code, how it is tested, built, and published, with it dependencies, in this repository hosting system and elsewhere, I want policy, process, and supporting automation to check security properties of the source code, the CI/CD system, and the supply chain of dependent software.

NOTE: Once maintainers (and interested community members) determine the overall policy and process approach, maintainers will integrate the relevant policy, process, and supporting automation into the other repositories. At that time, the list below will be cross-linked to relevant GitHub issues for other projects.

• metaschema-framework/liboscal-java
• metaschema-framework/oscal-cli
• metaschema-framework/oscal-server
• metaschema-framework/metaschema
• metaschema-framework/metaschema.dev

Goals

• Identify, monitor, and demonstrate key security properties of
  • this project's source code
  • changes to the code, specifically pull requests from community members that are not maintainers
  • it dependencies
  • the environment(s) used to test project code and dependencies
  • the environment(s) used to deploy project code and dependencies

Dependencies

N/A

Acceptance Criteria

• All website and readme documentation affected by the changes in this issue have been updated.
• A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

Revisions

No response

[david-waltermire]

At the moment we currently have some security information in this repo. The same approach is used in metaschema-framework/liboscal-java and metaschema-framework/oscal-cli. Is addressing this a matter of adjusting what we have and replicating this?

The websites have a slightly different CI/CD due to the different implementation nature. These will need a more specialized approach.

[david-waltermire]

For each of the goals listed above, we need to figure out what specifically we need to do. Any ideas?

[aj-stein-gsa]

For each of the goals listed above, we need to figure out what specifically we need to do. Any ideas?

I wanted to set up some time for us, the usual suspects. I can look for time and we sketch out a game plan and act on it?

[aj-stein]

Is this necessarily blocked anymore, @david-waltermire?

[aj-stein]

@david-waltermire we want to consider starting this up for a final v3.0.0 release?