Type: Task
Resolution: Unresolved
Priority: Unknown
Component/s: Security
Needed - No Spec Changes
Drivers MUST integrate static analysis tooling for releases.
Drivers SHOULD use an established tool from their language ecosystem. DevProd may have recommendations (see: Static Analysis Scanning, #rnd-vulnerability-management). Individual tooling MAY vary by driver.
Tooling SHOULD support Static Analysis Results Interchange Format (SARIF) output. SARIF output lets the tooling integrate with Silk, which automates JIRA reporting and Service-Level Agreement (SLA) compliance tracking. If the tooling does not support SARIF output, teams MUST file JIRA tickets manually and produce static analysis reports themselves (see: Static Code Analysis: Artifacts to produce upon a release).
Drivers MUST assign severity levels to vulnerabilities flagged by the tooling and establish a process to do so on an ongoing basis. Drivers MAY customize the default severity levels in their tooling.
Drivers MUST ensure high and critical vulnerabilities are addressed prior to release. Lower severity issues MAY be fixed at the team’s discretion.
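The severity and release-gate rules above can be enforced mechanically once a tool emits SARIF. The script below is an added example written for this ticket's requirements; it is not part of the ticket, not Silk, and not any driver's actual tooling. It assumes SARIF 2.1.0 input, derives severity from a rule's `security-severity` property (the 0-10 score convention used by GitHub code scanning) when present, falls back to the SARIF `level` otherwise, and lets a team-supplied override table (hypothetical, standing in for the per-driver severity customization the ticket allows) take precedence. The sample SARIF document is constructed for the example.

```python
"""Gate a release on SARIF findings: fail if any high/critical result remains.

Added example, not code from the ticket or from any driver's tooling.
Assumptions: SARIF 2.1.0 input; a rule's `properties.security-severity`
(0-10 score, GitHub code scanning convention) is the primary severity signal;
otherwise the SARIF `level` is mapped to a severity; a hypothetical per-team
override table (ruleId -> severity) wins over both.
"""
import json
import sys
from typing import Optional

# Score bands (GitHub code scanning convention): >=9.0 critical, >=7.0 high, >=4.0 medium.
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))

# Fallback when a rule carries no score: SARIF level -> severity.
LEVEL_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

# Severities that block a release per the ticket's rule.
BLOCKING = {"high", "critical"}


def score_to_severity(score: float) -> str:
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "low"


def rule_index(run: dict) -> dict:
    """Map ruleId -> rule object; rules live under tool.driver and optional tool.extensions."""
    tool = run.get("tool", {})
    components = [tool.get("driver", {})] + list(tool.get("extensions", []))
    return {rule["id"]: rule for comp in components for rule in comp.get("rules", [])}


def is_suppressed(result: dict) -> bool:
    """A result is suppressed if it carries any suppression not marked 'rejected'."""
    return any(s.get("status", "accepted") != "rejected" for s in result.get("suppressions", []))


def result_severity(result: dict, rules: dict, overrides: dict) -> str:
    rule_id = result.get("ruleId", "")
    if rule_id in overrides:  # team decision (hypothetical override table) wins
        return overrides[rule_id]
    rule = rules.get(rule_id, {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return score_to_severity(float(score))
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
    return LEVEL_SEVERITY.get(level, "medium")


def triage(sarif: dict, overrides: Optional[dict] = None) -> list:
    """Flatten all runs into records of severity, rule, location and message."""
    overrides = overrides or {}
    findings = []
    for run in sarif.get("runs", []):
        rules = rule_index(run)
        for result in run.get("results", []):
            if is_suppressed(result):
                continue
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "severity": result_severity(result, rules, overrides),
                "ruleId": result.get("ruleId", ""),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def blocking(findings: list) -> list:
    return [f for f in findings if f["severity"] in BLOCKING]


def release_allowed(sarif: dict, overrides: Optional[dict] = None) -> bool:
    return not blocking(triage(sarif, overrides))


# Constructed sample SARIF document (not real scanner output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "properties": {"security-severity": "9.1"}},   # critical by score
            {"id": "EX002", "defaultConfiguration": {"level": "error"}},   # no score -> level
            {"id": "EX003", "properties": {"security-severity": "3.5"}},   # low by score
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error", "message": {"text": "hard-coded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "message": {"text": "insecure hash algorithm"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hash.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX003", "level": "note", "message": {"text": "unused import"}},
            {"ruleId": "EX002", "level": "error", "message": {"text": "reviewed, accepted"},
             "suppressions": [{"kind": "inSource"}]},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif  (uses the sample when no file is given)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for f in blocking(triage(doc)):
        print(f"{f['severity'].upper():8} {f['ruleId']} {f['file']}:{f['line']} {f['message']}")
    sys.exit(0 if release_allowed(doc) else 1)
```

Run against the sample, the gate reports the critical EX001 and the high EX002 finding (the suppressed EX002 result is skipped) and exits non-zero; the override table is the place to record a team's documented severity adjustments rather than editing the tool's output.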
Split to:
- MOTOR-1303 Integrate static analysis for releases (Backlog)
- CDRIVER-5536 Integrate static analysis for releases (Closed)
- CSHARP-5049 Integrate static analysis for releases (Closed)
- CXX-3009 Integrate static analysis for releases (Closed)
- GODRIVER-3188 Integrate static analysis for releases (Closed)
- JAVA-5431 Integrate static analysis for releases (Closed)
- MONGOCRYPT-676 Integrate static analysis for releases (Closed)
- NODE-6114 Integrate static analysis for releases (Closed)
- PHPLIB-1435 Integrate static analysis for releases (Closed)
- PHPORM-179 Integrate static analysis for releases (Closed)
- PYTHON-4384 Integrate static analysis for releases (Closed)
- RUBY-3450 Integrate static analysis for releases (Closed)
- RUST-1920 Integrate static analysis for releases (Closed)