Update CII-Best-Practices for Nodejs: Silver level #1306
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
UlisesGascon
commented
May 7, 2024
Comment on lines
241
to
+243
| > Build systems for native binaries MUST honor the relevant compiler and linker (environment) variables passed in to them (e.g., CC, CFLAGS, CXX, CXXFLAGS, and LDFLAGS) and pass them to compiler and linker invocations. A build system MAY extend them with additional flags; it MUST NOT simply replace provided values with its own. If no native binaries are being generated, select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
249
to
+251
| > The build and installation system SHOULD preserve debugging information if they are requested in the relevant flags (e.g., "install -s" is not used). If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
257
to
+259
| > The build system for the software produced by the project MUST NOT recursively build subdirectories if there are cross-dependencies in the subdirectories. If there is no build or installation system (e.g., typical JavaScript libraries), select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
283
to
+285
| > The installation system for end-users MUST honor standard conventions for selecting the location where built artifacts are written to at installation time. For example, if it installs files on a POSIX system it MUST honor the DESTDIR environment variable. If there is no installation system or no standard convention, select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
310
to
+312
| > Projects MUST monitor or periodically check their external dependencies (including convenience copies) to detect known vulnerabilities, and fix exploitable vulnerabilities or verify them as unexploitable. | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
418
to
+420
| > The project SHOULD support multiple cryptographic algorithms, so users can quickly switch if one is broken. Common symmetric key algorithms include AES, Twofish, and Serpent. Common cryptographic hash algorithm alternatives include SHA-2 (including SHA-224, SHA-256, SHA-384 AND SHA-512) and SHA-3. | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
442
to
+444
| > The software produced by the project SHOULD, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
450
to
+452
| > The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
458
to
+460
| > The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select "not applicable" (N/A). | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
Comment on lines
487
to
+489
| > The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (an *allowlist*), and reject invalid inputs, if there are any restrictions on the data at all. | ||
|
|
||
| **Met** | ||
| **Met. Warning: Requires lengthier justification.** |
There was a problem hiding this comment.
We need to provide a justification.
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ref: https://www.bestpractices.dev/en/projects/29?criteria_level=1