Q3 2024 / Milestone 6

Workstream 1: Build OpenJS Project Security Programs

Activities

B. Establish Minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs
E. Measure current security posture and gaps for each Project against minimum guidelines and larger BPB and/or Scorecard criteria
F. Identify and support short and long-term roadmap of security initiatives and potential resourcing needs for each Project to achieve their next highest BPB badge level
G. Develop a dashboard for tracking OpenJS Project Security Compliance using OpenSSF Best Practices Badge, Scorecard, or other data sources

Deliverables

Document: ONGOING OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
Document: ONGOING Security Compliance Guidelines for New and Existing OpenJS Projects
Document: ONGOING Security Roadmaps for OpenJS Projects
Document: ONGOING Analysis of current and needed resourcing to achieve Security Roadmap
Dashboard: PROTOTYPE OpenJS Project adherence to Security Compliance guidelines and Project scores from OpenSSF BPB and/or Scorecard

Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

Activities

D. Support OpenJS Projects in implementing guidance and handling disclosures

Deliverables

Document: MAINTAIN Guidelines for CVD and CVEs for OpenJS Projects
Document: MAINTAIN Reference of past CVEs and challenges for OpenJS Projects

Workstream 3: SBOMs in JavaScript

Activities

A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
D. Roadmap plan or identify barriers to OpenJS Projects implementing SBOMs
E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance SBOM adoption

Deliverables

Document: DRAFT Prototype guidance for OpenJS projects to publish SBOMs with existing tools
Document: DRAFT Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
Document: DRAFT OpenJS Project Way Forward and Barriers to SBOM
Document: DRAFT Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
Document: DRAFT Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems

Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

Activities

A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
D. Roadmap plan or identify barriers to OpenJS Projects implementing C-SCRM practices
E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance C-SCRM adoption

Deliverables

Document: WORKING DRAFT Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
Document: DRAFT Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
Document: DRAFT OpenJS Project Way Forward and Barriers to C-SCRM
Document: DRAFT Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems
Document: DRAFT Recommendations for policymakers and ideas for future work to help advance C-SCRM adoption in the Node.js and npm ecosystems