DRIVERS-2894: Integrate static analysis for releases
Project: Drivers

    • Type: Task
    • Resolution: Unresolved
    • Priority: Unknown
    • Component/s: Security
    • Labels: None
    • Needed - No Spec Changes

      Summary of necessary driver changes

      • Please see the description in the linked DRIVERS ticket
      Key            Status/Resolution   FixVersion
      CDRIVER-5536   Investigating
      CXX-3009       Backlog
      CSHARP-5049    Done                2.26.0
      GODRIVER-3188  Backlog
      JAVA-5431      In Code Review
      NODE-6114      Backlog
      MOTOR-1303     Backlog
      PYTHON-4384    Backlog
      PHPLIB-1435    In Code Review
      RUBY-3450      Backlog
      RUST-1920      In Progress
      PHPORM-179     Scheduled

      Drivers MUST integrate static analysis tooling for releases.

      Drivers SHOULD use an established tool from their language ecosystem. DevProd may have recommendations (see: Static Analysis Scanning, #rnd-vulnerability-management). Individual tooling MAY vary by driver.

      Tooling SHOULD support Static Analysis Results Interchange Format (SARIF) output. This will allow it to integrate with Silk to automate JIRA reporting and Service-Level Agreement (SLA) compliance. If SARIF output is not supported, teams MUST manually report JIRA tickets and create static analysis reports (see: Static Code Analysis: Artifacts to produce upon a release).

      Drivers MUST assign severity levels to vulnerabilities flagged by the tooling and establish a process to do so on an ongoing basis. Drivers MAY customize the default severity levels in their tooling.

      Drivers MUST ensure high and critical vulnerabilities are addressed prior to release. Lower severity issues MAY be fixed at the team’s discretion.
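      As an added example (not part of this ticket or any driver's tooling), the following Python release gate reads a SARIF 2.1.0 log, assigns each result a severity tier, and lists the high/critical findings that must be fixed before release. The tier cut-offs, the "security-severity" rule property (a CodeQL convention), the rule IDs and the sample log are all assumptions constructed for the example.

```python
import json

# Severity tiers are an assumption for this example: a rule's "security-severity"
# property (CVSS-style 0-10, as emitted by tools such as CodeQL) wins when present;
# otherwise the SARIF result level is mapped to a tier.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

def score_to_severity(score):
    """Map a CVSS-like score to a tier name (assumed cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def rule_index(run):
    """Map ruleId -> rule object across the run's tool driver and extensions."""
    tool = run.get("tool", {})
    components = [tool.get("driver", {})] + tool.get("extensions", [])
    return {r["id"]: r for comp in components for r in comp.get("rules", [])}

def classify(sarif):
    """Return [(ruleId, severity, uri)] for every result in a parsed SARIF log."""
    findings = []
    for run in sarif.get("runs", []):
        rules = rule_index(run)
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            props = rule.get("properties", {})
            if "security-severity" in props:
                sev = score_to_severity(float(props["security-severity"]))
            else:  # a level set on the result overrides the rule's default level
                level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
                sev = LEVEL_TO_SEVERITY.get(level, "medium")
            locs = res.get("locations") or [{}]
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "<no location>")
            findings.append((res.get("ruleId"), sev, uri))
    return findings

def blocking_findings(findings, block=("critical", "high")):
    """Findings the ticket says MUST be fixed before release."""
    return [f for f in findings if f[1] in block]

# Constructed sample log (not real tool output): one rule scored like CodeQL's
# security queries, one ordinary warning-level rule without a location.
SAMPLE_SARIF = json.loads("""{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example",
  "rules": [{"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "py/unused-import", "defaultConfiguration": {"level": "warning"}}]}},
  "results": [{"ruleId": "py/sql-injection", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
              {"ruleId": "py/unused-import"}]}]}""")
```

      In CI, `blocking_findings(classify(json.load(open("results.sarif"))))` being non-empty is the condition that fails the release job; lower tiers are reported but do not block.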

            Assignee: Unassigned
            Reporter: Jeremy Mikola (jmikola@mongodb.com)
            Votes: 0
            Watchers: 3