DESTF Milestone 5
Q2 2024 / Milestone 5
Workstream 1: Build OpenJS Project Security Programs
Activities
B. Establish Minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs
E. Measure current security posture and gaps for each Project against minimum guidelines and larger BPB and/or Scorecard criteria
F. Identify and support a short- and long-term roadmap of security initiatives and potential resourcing needs for each Project to achieve its next highest BPB badge level
Deliverables
Document: ONGOING UPDATES OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
Document: PUBLISH Security Compliance Guidelines for New and Existing OpenJS Projects
Document: ONGOING Security Roadmaps for OpenJS Projects
Document: ONGOING Analysis of current and needed resourcing to achieve Security Roadmap
Workstream 2: Coordinated Vulnerability Disclosure and CVE Management
Activities
C. Finalize CVD and CVE guidance for OpenJS Projects and ecosystem projects
D. Support OpenJS Projects in implementing guidance and handling disclosures
Deliverables
Document: PUBLISH Guidelines for CVD and CVEs for OpenJS Projects
Workstream 3: SBOMs in JavaScript
Activities
A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance SBOM adoption
Deliverables
Document: IN PROGRESS Prototype guidance for OpenJS projects to publish SBOMs with existing tools
Document: DRAFT Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
Document: IN PROGRESS OpenJS Project Way Forward and Barriers to SBOM
Document: IN PROGRESS Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
Document: IN PROGRESS Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems
Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript
Activities
A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
D. Develop a roadmap plan, or identify barriers, for OpenJS Projects implementing C-SCRM practices
Deliverables
Document: ONGOING Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
Document: DRAFT Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
Document: IN PROGRESS OpenJS Project Way Forward and Barriers to C-SCRM
Document: IN PROGRESS Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems