Zowe CII Badge items for Zowe Explorer

[JillieBeanSim]

https://ibm.box.com/s/kp8020daf4fdd1lvwkpx9j1v4n2pucma

Tasks

Beta Give feedback

1. Confirm integration test coverage. vscode-extension-for-zowe#265
   Technical Debt Tests enhancement priority-low +4
2. Increase Unit Test Coverage vscode-extension-for-zowe#931
   Technical Debt +1
   
3. Bring up test coverage for project to 90% vscode-extension-for-zowe#1946
   Technical Debt +1
   
4. Increase coverage of project to 90% statement coverage vscode-extension-for-zowe#1964
   Technical Debt +1
5. Increase coverage of project to 80% branch coverage vscode-extension-for-zowe#1965
   Technical Debt +1
   
6. Make sure internal and external documentation meet the CII Badge standard vscode-extension-for-zowe#1966
   Technical Debt docs +2
7. Determine what is left and complete the Passing level of CII badge #2400
   Research Needed priority-high +2
   

[zFernand0]

As part of the CII efforts, we should also standardize on the way we call tree actions.
From #1821 (comment)

[zFernand0]

This document may help us go through the OpenSSF Best Practices
https://ent.box.com/s/3uvtm4ooyovev1m2c8dichmsute1o1rt

Note: Edit it in Google Docs in order to view the checkboxes.

[zFernand0]

Here are some updates from today's TSC call (Dec 01, 2022)

Note

There is no hard deadline on when the OMP and LFX require us to meet these requirements.
"As long as we can demonstrate that we are making progress" they are ok with this.

Requirements Discussed

The project MUST acknowledge a majority of bug reports submitted in the last 2-12 months (inclusive); the response need not include a fix.
The project SHOULD respond to a majority (>50%) of enhancement requests in the last 2-12 months (inclusive).

• The TSC has a general feeling that every squad is working towards this.
• We should continue to address new issues in every extended call whenever possible

The project MUST have at least one primary developer who knows how to design secure software

• "It is ok to have only the security knowledge required by the component"
• It is in our best interest to have a few people take the free OpenSSF security courses
  • https://openssf.org/training/courses/

Dynamic Code Analysis

• "Most of these items are suggestions"
• Having automated tests with a full range of inputs and a high level of code coverage should satisfy this criteria

build system for the software produced by the project MUST NOT recursively build sub-directories if there are cross-dependencies in the sub-directories

• This is mostly targeted for Makefiles calling other Makefiles
• This does not prevent us from having a monorepo

Coverage considerations

• we should continue to make progress towards this.
• Bring up test coverage for project to 90% #1946
• Increase coverage of project to 80% branch coverage #1965

[t1m0thyj]

Regarding this criteria:

The project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result.

It appears that rerunning the yarn package script twice in a row does not produce binary identical VSIX files, so we'll need to investigate this further.