Projects that follow the best practices below can voluntarily self-certify and show that they have achieved the Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/6313"><img src="https://www.bestpractices.dev/projects/6313/badge"></a>
Fluid Attacks' core software repository.
We provide documentation on how to contribute to every side of our project, whether writing concurrent code for our backend or frontend (https://help.fluidattacks.com/portal/en/kb/articles/development-contributing) or writing blog or documentation entries (https://help.fluidattacks.com/portal/en/kb/development/writing-guidelines).
Currently and historically the project has been maintained 100% by Fluid Attacks employees, who sign a CAA as part of their employment contracts, which makes them agree to both the DCO and the CLA. However, since we have not had external contributors, we do not have a DCO or CLA in place for them, but we are open to adding such mechanisms once people outside of Fluid Attacks express their intention to contribute.
We currently mention this in: https://docs.fluidattacks.com/development/contributing#legal
https://docs.fluidattacks.com/development/governance
https://gitlab.com/fluidattacks/universe/-/blob/trunk/CODE_OF_CONDUCT.md
All of our members and permissions are declared here: https://gitlab.com/fluidattacks/universe/-/project_members. All of the members are capable of the basics of the project.
Here are our members: https://gitlab.com/fluidattacks/universe/-/project_members. There are multiple owners, maintainers, and developers who can replace one another.
https://gitlab.com/fluidattacks/universe/-/issues?label_name%5B%5D=roadmap%3A%3Ahigh
Each product has documentation of the architecture, including that of their sub-components: https://docs.fluidattacks.com/development/products. For instance: https://docs.fluidattacks.com/development/airs#architecture
Security requirements are presented here https://docs.fluidattacks.com/about/security
The quick start process for our web application is here: https://docs.fluidattacks.com/tech/platform/introduction/. For the organization consulting tool: https://gitlab.com/fluidattacks/universe/-/tree/trunk/melts. For the cybersecurity tool that scans and reports vulnerabilities: https://gitlab.com/fluidattacks/universe/-/tree/trunk/skims. For our DevSecOps tool: https://gitlab.com/fluidattacks/universe/-/tree/trunk/forces.
We do not provide older versions of the product since all of them are used on web applications or APIs relying on the web apps' version.
The badge is publicly displayed here https://docs.fluidattacks.com/development
The website is accessible to persons with disabilities. The web apps are not intended to be used by persons with disabilities, and neither is the CLI software we provide.
The website and web applications are translatable but the CLI software that we provide is not.
We do not store any passwords for accessing our web apps.
We do not provide older releases, the project is offered always in its latest/stable version.
We use Gitlab Issues https://gitlab.com/fluidattacks/universe/-/issues
Vulnerabilities are disclosed at https://status.fluidattacks.com/history, and credit is given to the reporters of the vulnerability if they so wish, according to https://docs.fluidattacks.com/about/security/transparency/public-incidents and https://docs.fluidattacks.com/about/security/transparency/hacking-our-technology
Our process for responding to vulnerability reports is documented in: https://docs.fluidattacks.com/about/security/transparency/hacking-our-technology
We follow guidelines for writing blog and documentation posts, presented here: https://docs.fluidattacks.com/development/writing. Practices for our DynamoDB patterns: https://docs.fluidattacks.com/development/stack/aws/dynamodb/patterns/. General conventions for front-end technologies: https://docs.fluidattacks.com/development/products/integrates/frontend/. How to apply changes to our API: https://docs.fluidattacks.com/development/components/integrates/backend/graphql-api/
We also encourage writing Python following the guides from the Black documentation, and TypeScript + React using the code conventions provided by ESLint.
We use Makes linters for our technology stack.
The project does not create binaries (some external libraries it depends on do)
The project does not create binaries (some external libraries it depends on do). It is written in scripting languages.
The installation process is written here https://docs.fluidattacks.com/development
The installation system is configured for using an external tool called Makes
The complete setting for the environment is explained here https://docs.fluidattacks.com/development
The project uses different languages, specifying the dependencies in the files needed.
Front End dependencies:
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/docs/src/package.json
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/airs/front/package.json
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/integrates/front/package.json
Back End dependencies:
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/integrates/back/env/pypi/runtime/pypi-deps.yaml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/skims/env/development/pypi-deps.yaml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/forces/config/runtime/pypi-deps.yaml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/melts/config/runtime/pypi-deps.yaml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/observes/code_etl/pyproject.toml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/sorts/config/runtime/pypi-deps.yaml
- https://gitlab.com/fluidattacks/universe/-/blob/trunk/reviews/runtime/pypi-deps.yaml
The project is periodically being reviewed by automated tools (https://gitlab.com/fluidattacks/universe/-/tree/trunk/skims and https://gitlab.com/fluidattacks/universe/-/tree/trunk/forces) or by our own hackers following the process we provide (https://docs.fluidattacks.com/tech/platform/reattacks/)
We mostly use the PyPI or NPM package managers for external dependencies.
We avoid depending on deprecated or obsolete functions in our products.
CI is executed on each change for every developer, and a test suite for each portion of code is also executed.
If regressions occur we add tests.
Code coverage does not apply to all parts of the project; we apply it to one app only, and the result is public.
https://docs.fluidattacks.com/development/contributing
Not all new functionality in the project can be tested, but where new functionality for certain projects can be tested, we encourage adding it to the test suite.
The exclusions enabled must be documented with a reason explaining why the code is written that way.
https://docs.fluidattacks.com/about/security
https://help.fluidattacks.com/portal/en/kb/compliance
https://docs.fluidattacks.com/about/security/authentication/clients
https://docs.fluidattacks.com/about/security/integrity/certified-cloud-provider
Our primary language for development is Python. Requests initiated from Python (using libraries like requests or aiohttp) have certificate verification enabled when targeting production endpoints.
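One way to keep that statement true in CI is a source check for the settings that switch verification off. The block below is an added example, not code from the Fluid Attacks universe repository: an AST-based scan that flags `requests`/`httpx` calls passing `verify=False` and `aiohttp` calls passing `ssl=False`, run against a constructed sample that shows each weak call beside its corrected form.

```python
"""Added example (not Fluid Attacks' code): flag Python HTTP calls that
disable TLS certificate verification, so CI can confirm that
``requests``/``aiohttp`` calls keep verification on."""
import ast

# Keyword arguments that disable certificate verification when set to False:
# ``verify`` is the requests/httpx name, ``ssl`` is the aiohttp name.
_DISABLING_KWARGS = {"verify", "ssl"}


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_unverified_calls(source: str, filename: str = "<string>") -> list:
    """Return sorted (line, keyword) pairs for calls passing verify=False or ssl=False."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg in _DISABLING_KWARGS and _is_false(kw.value):
                findings.append((node.lineno, kw.arg))
    return sorted(findings)


# Constructed sample source (parsed only, never executed): two weak calls
# beside the corrected forms that rely on the libraries' verifying defaults.
SAMPLE = '''
import requests
import aiohttp

def weak(url):
    return requests.get(url, verify=False, timeout=10)   # verification off

def fixed(url):
    return requests.get(url, timeout=10)                 # verify defaults to True

async def weak_async(session: aiohttp.ClientSession, url):
    async with session.get(url, ssl=False) as resp:      # verification off
        return await resp.text()

async def fixed_async(session: aiohttp.ClientSession, url):
    async with session.get(url) as resp:                 # default context verifies
        return await resp.text()
'''

if __name__ == "__main__":
    for line, kw in find_unverified_calls(SAMPLE):
        print(f"line {line}: {kw}=False disables certificate verification")
```

The check deliberately ignores calls that omit the keyword, since both libraries verify by default; only an explicit `False` is reported.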
https://docs.fluidattacks.com/about/security/privacy/transparent-use-cookies
Releases are not intended for widespread use.
Versions are stable and released on a website, so there's no reason for signing releases.
All inputs from untrusted sources are rejected.
https://docs.fluidattacks.com/about/security/privacy/secure-data-delivery
We currently have company-wide security documentation here: https://docs.fluidattacks.com/about/security and security documentation for our biggest application: https://docs.fluidattacks.com/development/components/integrates/security/
We are a cybersecurity company, and we follow our own models for static code analysis, including different tools and a team of hackers to test our applications. We also produce our own FLOSS SCA tool: https://gitlab.com/fluidattacks/universe/-/tree/trunk/skims
All products are written with Python, TypeScript or Nix, not C or C++.