DESTF Milestone 7

Due by December 31, 2024. Status: 0% complete

Q4 2024 / Milestone 7

Workstream 1: Build OpenJS Project Security Programs

Activities

E. Measure the current security posture of each Project, and its gaps, against the minimum guidelines and the broader OpenSSF Best Practices Badge (BPB) and/or Scorecard criteria
F. Identify and support a short- and long-term roadmap of security initiatives, and the resourcing each may need, for every Project to achieve its next BPB level
G. Develop a dashboard for tracking OpenJS Project Security Compliance using OpenSSF Best Practices Badge, Scorecard, or other data sources

Deliverables

Document: MAINTAIN OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
Document: MAINTAIN Security Compliance Guidelines for New and Existing OpenJS Projects
Document: MAINTAIN Security Roadmaps for OpenJS Projects
Document: PUBLISH Analysis of current and needed resourcing to achieve Security Roadmap
Dashboard: PUBLISH OpenJS Project adherence to Security Compliance guidelines and Project scores from OpenSSF BPB and/or Scorecard

Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

Activities

D. Support OpenJS Projects in implementing guidance and handling disclosures

Deliverables

Document: MAINTAIN Guidelines for CVD and CVEs for OpenJS Projects
Document: MAINTAIN Reference of past CVEs and challenges for OpenJS Projects

Workstream 3: SBOMs in JavaScript

Activities

A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
D. Produce a roadmap for, or identify the barriers to, OpenJS Projects implementing SBOMs
E. Use the lessons learned to produce pragmatic guidance and recommendations, and to identify any future policy, standards, or engineering work needed to advance SBOM adoption

Deliverables

Document: PUBLISH Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
Document: MAINTAIN OpenJS Project Way Forward and Barriers to SBOM
Document: PUBLISH Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
Document: PUBLISH Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems

Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

Activities

A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
D. Produce a roadmap for, or identify the barriers to, OpenJS Projects implementing C-SCRM practices
E. Use the lessons learned to produce pragmatic guidance and recommendations, and to identify any future policy, standards, or engineering work needed to advance C-SCRM adoption

Deliverables

Document: PUBLISH Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
Document: MAINTAIN OpenJS Project Way Forward and Barriers to C-SCRM
Document: PUBLISH Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems
Document: PUBLISH Recommendations for policymakers and ideas for future work to help advance C-SCRM adoption in the Node.js and npm ecosystems