Mike, 

I'm unqualified to comment on most of the server-side stuff, i.e. any module starting with "mod-". A list of places where I disagreed with a recommendation, or at least questioned it, is included below. (I didn't have write-access to the spreadsheet, and besides this is a shorter list to review.)

Zak


n folio-org/cql2pgjson-java https://github.com/folio-org/cql2pgjson-java
    this sounds like a core library to me, and the kind of place we'd want to examine for SQL injections. 

n folio-org/mod-graphql https://github.com/folio-org/mod-graphql
    this is likely to become a core, low-level library that every front-end package depends on. granted it's completely immature right now. 

n folio-org/stripes-smart-components https://github.com/folio-org/stripes-smart-components
    this is a core UI repo; we should consider including it.

y folio-org/okapi-cli https://github.com/folio-org/okapi-cli
    is this still in use? all front-end tooling has migrated to stripes-cli. 
    
y folio-org/okapi-stripes https://github.com/folio-org/okapi-stripes
    is this still in use? all front-end tooling has migrated to stripes-cli. 

y folio-org/platform-complete https://github.com/folio-org/platform-complete
    from a source-code point of view, there's nothing to audit here. a platform is simply a list of modules. 
    
y folio-org/platform-core https://github.com/folio-org/platform-core
    from a source-code point of view, there's nothing to audit here. a platform is simply a list of modules. 

y folio-org/ui-developer https://github.com/folio-org/ui-developer
    this is an internal tool; I don't think anything here will be part of the final release.

y folio-org/ui-items https://github.com/folio-org/ui-items
    this was deprecated and replaced by ui-inventory.


On Thu, Mar 21, 2019 at 10:48 AM Mike Gorrell <mdg@indexdata.com> wrote:
Please see the message below. In order to limit scope (and cost) but still provide the valuable analysis we are looking for from a security audit we felt it best to pinpoint which repositories were audited. The list below came from the FOLIO DevOps team and the y/n and criteria are mine - and could be completely wrong/off base. Could you all go and comment - or perhaps should we open it up to a wider development audience?

-mdg


Begin forwarded message:

From: Mike Gorrell <mdg@indexdata.com>
Subject: Re: IndexData Module Focus
Date: March 21, 2019 at 10:45:00 AM EDT
To: Brett Arpaia <brett.arpaia@nccgroup.com>
Cc: Graham Bucholz <graham.bucholz@nccgroup.com>

Thanks for reaching out Brett.

I haven’t had a chance to vet this list with others yet - please keep in mind it’s a draft - but should provide a sense for where we’re going.


-mdg


On Mar 21, 2019, at 9:48 AM, Brett Arpaia <brett.arpaia@nccgroup.com> wrote:

Hi Mike, 
 
Hope all’s well. We were working to finalize the scope of your project and were waiting for clarification on the modules you wanted tested.
 
Have you had a chance to prioritize the modules that you would like us to focus on?
 
Thank you,
 
Brett Arpaia
Account Executive
Phone: (646) 362-9613

