0.1.0 Administrative Security Review

This ticket documents the administrative security review performed against tag 0.1.0 of the nshmp-apps project.

assigned to @emartinez

Disclaimer.md

• In master (and all other) branch(es), this should include the provisional wording
• In approved tags, this should include the approved wording

This is admittedly confusing and could require a release candidate branch where the verbiage may be updated just prior to creating the tag.

Resolved by !107 (merged)

code.json

• DOI should be reserved and input where appropriate
  • Top-level "doi" attribute is not acceptable
  • doi|... tag is acceptable
• URLs should reference the raw variation as opposed to the blob variation
• URLs should point to resources matching version associated with the release
  • The version associated with the release is defined in the version top-level key
  • It is understandably confusing that this tag may not yet exist, but we can still accurately predict these URLs values

Resolved by !107 (merged)

CODE_OF_CONDUCT.md

• Link to scientific code of conduct should not include www sub-domain

Resolved by !107 (merged)

Environment variables available from ghsc/nshmp group should all be masked. Most variables should also be protected. Of particular concern are variables that might expose credentials in the public pipelines.

Environment variables under ghsc/nshmp have been updated to be masked and protected.

NPM audit reveals 14 vulnerabilities (6 low, 8 moderate) in package dependencies. Some effort should be made to remediate these.

Resolved by !138 (merged)

content.component.html

projects/nshmp-apps/src/app/dev/aws/submit-haz-jobs/componetns/content

Contains link to internal project. Is this project scheduled for public release (i.e., also currently under review)?

Removed internal link, resolved by !108 (merged)

app.default-values.ts

projects/nshmp-apps/src/app/dev/aws/submit-haz-jobs/utils

Contains links to internal projects. Are these projects scheduled for public release (i.e., also currently under review)?

Updated link to point to repository currently under review, scheduled for public release:

• https://code.usgs.gov/ghsc/nshmp/nshms/nshm-hawaii
• https://code.usgs.gov/ghsc/nshmp/nshmp-haz

Resolved by !108 (merged)

web-services.ts

projects/nshmp-apps/src/environments

Contains reference to internal domain name. Should be provided via configuration during deployment/runtime/environment. Must be purged from project history.

Updated to correct URL, see !110 (merged)

Internal domain name removed from project history. See bd6ff124 for example

Is this file required: mapbox-layer.component.ts-COPY

Removed file, resolved by !108 (merged)

I have completed the administrative security review as documented above. I've re-assigned this to @bclayton for reconciliation.

/cc @pmpowers

@emartinez

Once all issues are resolved should I create a new tag or overwrite the existing tag this security review is for?

assigned to @bclayton and unassigned @emartinez

mentioned in merge request !107 (merged)

mentioned in merge request !108 (merged)

mentioned in merge request !111 (closed)

changed milestone to %nshmp-apps Review

added In Progress label

mentioned in merge request !137 (closed)

mentioned in merge request !138 (merged)

All issues have been resolved.

assigned to @emartinez and unassigned @bclayton

removed In Progress label

added Needs Review label

mentioned in issue #94 (closed)

unassigned @emartinez

removed Needs Review label

changed milestone to %Prep nshmp-apps for publication: Part I

added To Do label

All issues resolved and repo was made public.

closed

removed To Do label