Content Comparison

Project Vitals

Project Data Template (currently used both for induction ☑️ and health review ✅ *)

LFN Lifecycle states and guidelines (metrics per lifecycle stage)

LFN Security Forum Best Practices

Best Practices

Passing badge

Scorecard

Project Name

☑️

README-template.md

PCC Project Definition

Project Creation Date

☑️

Age?

PCC Project Definition

Project License

☑️

LICENSE; README-template.md

^{[floss_license][floss_license_osi][license_location]}

Degree of FOS

PCC Project Definition

Legal Details and checks

PCC Project Definition

Community Size

☑️

#s

Contributing organizations (Diversity)

☑️ ✅

☑️

#s

Number of contributors

☑️

#s

Lifecycle Stage

☑️

PCC Project Definition

Release schedule

☑️

Months

Adoption

☑️

Not sure how to measure. Downloads?

Health Review

CNCF Devstats; CLOmonitor

Criticality Score

PCC Health Metrics; Insights

Github health metrics

Release Information

✅

Number of commits (over last year)

✅

Number of active committers

✅

Number of Active committers per organization

✅

Number of PR/changeset

✅

Mailing list activity

✅

Project & Community Resources

^[discussion]

Website

☑️

README.md

^{[description_good]}

Yes/NO

PCC Domain

Wiki

☑️

README.md

Yes/NO

PCC Wiki

Mailing List

☑️

README.md

Yes/NO

PCC mailing list

Slack

☑️

README.md

Yes/NO

Community Meetings

☑️

README.md

Yes/NO

PCC manage meetings

Project Governance

TSC/TOC

☑️

☑️

GOVERNANCE.md; GOVERNANCE-elections.md; GOVERNANCE-maintainer.md; 

Yes/No

Charter

☑️

Yes/No

Code of Conduct

☑️

CODE_OF_CONDUCT.md; README.md

Yes/No

How to contribute

☑️

☑️

CONTRIBUTING.md; README.md

^[interact]; ^{[contribution];}[contribution_requirements]

Yes/No

Project Roles

☑️

☑️

CONTRIBUTOR_LADDER.md

Yes/No

Maintainers

☑️

☑️

MAINTAINERS.md

How to Review

☑️

☑️

REVIEWING.md

Adding/Removing PTLs

☑️

☑️

MAINTAINERS.md ??

Sub-Project Lifecycle

☑️

☑️

GOVERNANCE-subprojects.md

Dispute Resolution

☑️

Adding/removing committers

☑️

☑️

Sub-projects without a lead

☑️

Documentation

^[english]

Technical Documentation

☑️

☑️

^{[documentation_basics]}[documentation_interface]

what should be minimum criteria? or scale

Contributor onboarding Documentation

☑️

^[interact]; ^{[contribution]}[contribution_requirements]

Yes/No

Company Diversity (past 12 months)

☑️

Number of Contributors

☑️

Release Management

☑️

^{[version_unique][version_semver]}[version_tags]^{[release_notes]}[release_notes_vulns]

Release notes contains patched and outstanding defects ( details)

CI CD integration

☑️

^[build];[build_common_tools][build_floss_tools]

degree of automation, analysis tools, traceability of overrides, failures

Adoption

☑️

Security Design Principals

☑️

Use Case/ Problem Statement

Problem that project solves

☑️

README.md

^{[description_good]}

Use Cases Scenarios

☑️

README.md

Infrastructure Tooling

Wiki

☑️

Repos

☑️

[repo_public]^{[repo_track][repo_interim][repo_distributed]}

Bug Tracking tool

☑️

[report_tracker]

Code review

☑️

CI/CD tooling

☑️

^[build];[build_common_tools][build_floss_tools]

Collaboration Tooling

☑️

Roadmap

Roadmap Guide

Near/long-term objectives

☑️

Milestones

☑️

Risks/Challenges

☑️

Timeline

☑️

Security Best Practices

Security Guidelines for New Projects

Security

Security Contacts

SECURITY-CONTACTS.md

[know_secure_design][know_common_errors]

Yes, channels,

We are lacking security contacts from projects

Code Scanning

☑️

license, code vulnerability, static, dynamic, manual

Snyk, Blubracket

Seed code handoff

☑️

Coding Standards

☑️

☑️

^{[warnings][warnings_fixed][warnings_strict]}

Security design principals

☑️

OSSF Scorecard; OSSF Best Practices

self assessment or audit, outside assessment/audit

Vulnerability Reporting

☑️

SECURITY.md; incident-response.md

[release_notes_vulns]^{[vulnerability_report_process][vulnerability_report_private]}[vulnerability_report_response]

Bug reporting

[report_process]^{[report_tracker][report_responses][enhancement_responses]}[report_archive]

days to patch, bug found during ( unit, static, dynamic, integration, field operations

Demonstrate Security Awareness

☑️

all of this column.

Practice Secure Lifecycle Management (per release)

☑️

cryptographic practices;
Secured delivery against man-in-the-middle (MITM) attacks; Publicly known vulnerabilities fixed; ^{[no_leaked_credentials]}

Security Documentation

☑️

[vulnerabilities_fixed_60_days] [vulnerabilities_critical_fixed]

CI/CD best practices

☑️

Secure project architecture

☑️

[sites_https]

Supply Chain Security

☑️

CNCF Supply Chain Security

code intake scans, 3rd party code ver alignment, 3rd party code vulnerability reporting

There is also OpenSSF S2C2F

SBOM creation

☑️

Yes/NO

export SBOM

OpenChain Telco SBOM

Static Application Security Testing (SAST)

☑️

^{[static_analysis][static_analysis_common_vulnerabilities]}[static_analysis_fixed][static_analysis_often]

<--

low hanging fruit

Dynamic Application Security Testing (DAST)

☑️

[dynamic_analysis]^{[dynamic_analysis_unsafe]}[dynamic_analysis_enable_assertions][dynamic_analysis_fixed]

<--

Software Composition Analysis (SCA)

☑️

SonarCloud / SonarType could be used.

Container vulnerablitiy scanning

☑️

Code Coverage Testing

☑️

[test][test_invocation]^[test_most][test_continuous_integration]; [test_policy][tests_are_added][tests_documented_added]

<--

Code Quality

☑️