On Apr 1, 2019, at 11:51 AM, Zak Burke <zburke@cornell.edu> wrote:

Mike, 

I'm unqualified to comment on most of the server-side stuff, i.e. any module starting with "mod-". A list of places where I disagreed with a recommendation, or at least questioned it, is included below. (I didn't have write-access to the spreadsheet, and besides this is a shorter list to review.)

Zak

n folio-org/cql2pgjson-java https://github.com/folio-org/cql2pgjson-java

    this sounds like a core library to me, and the kind of place we'd want to examine for SQL injections. 

n folio-org/mod-graphql https://github.com/folio-org/mod-graphql

    this is likely to become a core, low-level library that every front-end package depends on. granted it's completely immature right now. 

n folio-org/stripes-smart-components https://github.com/folio-org/stripes-smart-components

    this is a core UI repo; we should consider including it.

y folio-org/okapi-cli https://github.com/folio-org/okapi-cli

    is this still in use? all front-end tooling has migrated to stripes-cli. 

    

y folio-org/okapi-stripes https://github.com/folio-org/okapi-stripes

    is this still in use? all front-end tooling has migrated to stripes-cli. 

y folio-org/platform-complete https://github.com/folio-org/platform-complete

    from a source-code point of view, there's nothing to audit here. a platform is simply a list of modules. 

    

y folio-org/platform-core https://github.com/folio-org/platform-core

    from a source-code point of view, there's nothing to audit here. a platform is simply a list of modules. 

y folio-org/ui-developer https://github.com/folio-org/ui-developer

    this is an internal tool; I don't think anything here will be part of the final release.

y folio-org/ui-items https://github.com/folio-org/ui-items

    this was deprecated and replaced by ui-inventory.

On Thu, Mar 21, 2019 at 10:48 AM Mike Gorrell <mdg@indexdata.com> wrote:

Please see the message below. In order to limit scope (and cost) but still provide the valuable analysis we are looking for from a security audit we felt it best to pinpoint which repositories were audited. The list below came from the FOLIO DevOps team and the y/n and criteria are mine - and could be completely wrong/off base. Could you all go and comment - or perhaps should we open it up to a wider development audience?

-mdg

Begin forwarded message:

From: Mike Gorrell <mdg@indexdata.com>

Subject: Re: IndexData Module Focus

Date: March 21, 2019 at 10:45:00 AM EDT

To: Brett Arpaia <brett.arpaia@nccgroup.com>

Cc: Graham Bucholz <graham.bucholz@nccgroup.com>

Thanks for reaching out Brett.

I haven’t had a chance to vet this list with others yet - please keep in mind it’s a draft - but should provide a sense for where we’re going.

https://docs.google.com/spreadsheets/d/1YGqN9pC0IeJgKaE-1OBqzSQbYC6GW_aZXnHf5BFThYA/edit#gid=1835973151

-mdg

On Mar 21, 2019, at 9:48 AM, Brett Arpaia <brett.arpaia@nccgroup.com> wrote:

Hi Mike, 

 

Hope all’s well. We were working to finalize the scope of your project and were waiting for clarification on the modules you wanted tested.

 

Have you had a chance to prioritize the modules that you would like us to focus on?

 

Thank you,

 

Brett Arpaia

Account Executive

Phone: (646) 362-9613

<image001.png>

www.nccgroup.trust

To unsubscribe from this list please go to http://archives.simplelists.com

To unsubscribe from this list please go to http://www.simplelists.com/confirm.php?u=SeK0ArgpLZB2ijVHc1q8eivZ4CXy8J2w