Drivers / DRIVERS-2894

Integrate static analysis for releases

    • Type: Task
    • Resolution: Unresolved
    • Priority: Unknown
    • Component/s: Security
    • Needed - No Spec Changes

      Summary of necessary driver changes

      •  Please see the description in the linked DRIVERS ticket
      Key            Status/Resolution   FixVersion
      CDRIVER-5536   Done                1.27.3
      CXX-3009       Fixed               3.11.0, 3.10.2
      CSHARP-5049    Done                2.26.0
      GODRIVER-3188  Fixed               1.16.0
      JAVA-5431      Fixed               5.1.1
      NODE-6114      Done
      MOTOR-1303     Backlog
      PYTHON-4384    Fixed               4.8
      PHPLIB-1435    Done
      RUBY-3450      Done
      RUST-1920      Fixed               3.1.0
      PHPORM-179     Done

      Drivers MUST integrate static analysis tooling for releases.

      Drivers SHOULD use an established tool from their language ecosystem. DevProd may have recommendations (see: Static Analysis Scanning, #rnd-vulnerability-management). Individual tooling MAY vary by driver.

      Tooling SHOULD support Static Analysis Results Interchange Format (SARIF) output. This will allow it to integrate with Silk to automate JIRA reporting and Service-Level Agreement (SLA) compliance. If SARIF output is not supported, teams MUST manually report JIRA tickets and create static analysis reports (see: Static Code Analysis: Artifacts to produce upon a release).

      Drivers MUST assign severity levels to vulnerabilities flagged by the tooling and establish a process to do so on an ongoing basis. Drivers MAY customize the default severity levels in their tooling.

      Drivers MUST ensure high and critical vulnerabilities are addressed prior to release. Lower severity issues MAY be fixed at the team’s discretion.
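      The three requirements above (SARIF output, team-assigned severity levels with optional overrides, and a release block on high/critical findings) fit together as a small release gate. The script below is an added example, not the Drivers project's tooling or Silk: it parses a constructed SARIF 2.1.0 log, assigns each result a severity from the rule's `security-severity` score (a 0-10 CVSS-style value that several scanners attach to rules) or, failing that, from the result's `level`, applies a per-rule override table so a team can customize defaults, and refuses the release while any high or critical finding remains. The scanner name, rule ids and findings are constructed for illustration.

```python
"""Release gate over SARIF output.

Added example, not the Drivers project's or Silk's code. The SARIF document,
scanner name and rule ids below are constructed; the `security-severity`
rule property and the override table are assumptions about the scanner.
"""
import json
from collections import Counter
from typing import Optional

# Constructed sample SARIF 2.1.0 log: three rules, three results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "hypothetical-scanner",
            "rules": [
                {"id": "EX001", "properties": {"security-severity": "9.1"}},
                {"id": "EX002", "properties": {"security-severity": "4.0"}},
                {"id": "EX003"},  # no score: fall back to the result's level
            ],
        }},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "constructed finding A"}},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "constructed finding B"}},
            {"ruleId": "EX003", "level": "warning",
             "message": {"text": "constructed finding C"}},
        ],
    }],
})

# Ordered from least to most severe; the gate compares positions in this list.
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]
# Default mapping from a SARIF result `level` when the rule carries no score.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "none"}


def score_to_severity(score: float) -> str:
    """Map a 0-10 security-severity score to a named band (CVSS v3 ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def classify(sarif_text: str, overrides: Optional[dict] = None) -> list:
    """Return one record per SARIF result with the severity the team assigns it.

    Precedence: team override for the rule id, then the rule's
    security-severity score, then the result's level.
    """
    overrides = overrides or {}
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r
                 for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            props = rules.get(rule_id, {}).get("properties", {})
            if rule_id in overrides:
                severity = overrides[rule_id]
            elif "security-severity" in props:
                severity = score_to_severity(float(props["security-severity"]))
            else:
                severity = LEVEL_FALLBACK.get(res.get("level", "warning"), "medium")
            findings.append({"ruleId": rule_id, "severity": severity,
                             "message": res.get("message", {}).get("text", "")})
    return findings


def release_gate(findings: list, threshold: str = "high"):
    """Return (ok, blocking): ok is True only if nothing is at/above threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    blocking = [f for f in findings
                if SEVERITY_ORDER.index(f["severity"]) >= floor]
    return len(blocking) == 0, blocking


def summarize(findings: list) -> dict:
    """Count findings per severity, the figure a release report would carry."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    fs = classify(SAMPLE_SARIF)
    ok, blocking = release_gate(fs)
    print(summarize(fs))
    print("release OK" if ok else
          "blocked by " + ", ".join(b["ruleId"] for b in blocking))
```

      Run as-is, the gate blocks on EX001 (score 9.1, critical) while EX002 and EX003 land at medium and would be left to the team's discretion. Passing an override such as `{"EX001": "low"}` to `classify` models a team-customized severity and lets the gate pass; lower-severity findings are still counted in the summary so they can be tracked rather than lost.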

            Assignee: Unassigned
            Reporter: jmikola@mongodb.com (Jeremy Mikola)
            Votes: 0
            Watchers: 3