diff --git a/.bestpractices.json b/.bestpractices.json index 699484e..98bd437 100644 --- a/.bestpractices.json +++ b/.bestpractices.json @@ -1,6 +1,6 @@ { "$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json", - "_comment": "OpenSSF Best Practices self-assessment for RandomCodeSpace/otelcontext. Project page: https://www.bestpractices.dev/en/projects/12646. This file follows the canonical flat per-criterion schema described in coreinfrastructure/best-practices-badge:docs/bestpractices-json.md so the autofill robot can pre-fill the criteria page on board flip. Each _status / _justification (and _url where required) mirrors the answers submitted to bestpractices.dev. Refresh whenever criteria scoring changes (RAN-58).", + "_comment": "OpenSSF Best Practices self-assessment for RandomCodeSpace/otelcontext. Project page: https://www.bestpractices.dev/en/projects/12646. This file follows the canonical flat per-criterion schema described in coreinfrastructure/best-practices-badge:docs/bestpractices-json.md so the autofill robot can pre-fill the criteria page on board flip. Each _status / _justification mirrors the answers submitted to bestpractices.dev; for url-required criteria the URL is embedded inline in the justification (bestpractices.dev has no separate per-criterion URL field). Refresh whenever criteria scoring changes (RAN-58).", "project_id": 12646, "name": "otelcontext", "description": "Self-hosted OTLP observability platform in a single Go binary \u2014 OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.", @@ -12,101 +12,78 @@ "project_page_url": "https://www.bestpractices.dev/en/projects/12646", "description_good_status": "Met", "description_good_justification": "See README.md. otelcontext is a self-hosted OTLP observability platform in a single Go binary \u2014 OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.", - "description_good_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/README.md", "interact_status": "Met", "interact_justification": "GitHub Issues for bug reports and discussion, SECURITY.md for private vulnerability disclosure (GitHub Security Advisories). Both linked from README.", - "interact_url": "https://github.com/RandomCodeSpace/otelcontext/issues", "contribution_status": "Met", "contribution_justification": "Contribution process documented in CONTRIBUTING.md (PR template, conventional commits, test + vet + lint requirements): https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md", - "contribution_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md", "contribution_requirements_status": "Met", "contribution_requirements_justification": "CONTRIBUTING.md documents PR requirements: `go test -race ./...` passing, `go vet ./...` clean, golangci-lint clean, Semgrep + OSV-Scanner + Trivy + Gitleaks security stack green, Conventional Commit style. See https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md", - "contribution_requirements_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md", "floss_license_status": "Met", "floss_license_justification": "MIT \u2014 https://opensource.org/licenses/MIT", "floss_license_osi_status": "Met", "floss_license_osi_justification": "MIT is OSI-approved.", "license_location_status": "Met", "license_location_justification": "LICENSE.md at repository root: https://github.com/RandomCodeSpace/otelcontext/blob/main/LICENSE.md", - "license_location_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/LICENSE.md", "documentation_basics_status": "Met", "documentation_basics_justification": "README.md covers what otelcontext is, how to run it, ports/protocols (OTLP gRPC :4317, HTTP :8080), database driver options, TLS bootstrap, and authentication. CLAUDE.md documents the architecture (ingestion, GraphRAG, MCP, storage, configuration).", - "documentation_basics_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/README.md", "documentation_interface_status": "Met", "documentation_interface_justification": "OTLP wire protocol surface (gRPC + HTTP /v1/{traces,logs,metrics}) follows the OpenTelemetry OTLP spec. MCP tool catalogue (21 tools, JSON-RPC 2.0 + SSE) documented in CLAUDE.md. REST API surface and configuration env vars documented in CLAUDE.md.", - "documentation_interface_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CLAUDE.md", "sites_https_status": "Met", "sites_https_justification": "All project links (README badges, docs, release downloads) use HTTPS via github.com.", "discussion_status": "Met", "discussion_justification": "GitHub Issues serves as the public discussion forum for bug reports and feature proposals.", - "discussion_url": "https://github.com/RandomCodeSpace/otelcontext/issues", "english_status": "Met", "english_justification": "All source comments, documentation, commit messages, and issue discussions are in English.", "maintained_status": "Met", "maintained_justification": "Active development on `main`. Recent fixes landed in commits 89de89a (RAN-56 HIGH/CRITICAL CVE patch), f433139 (RAN-53 OpenSSF stack), 4e0a4a2 (RAN-22). Dependabot weekly + security updates enabled.", - "maintained_url": "https://github.com/RandomCodeSpace/otelcontext/commits/main", "repo_public_status": "Met", "repo_public_justification": "Repository is public.", - "repo_public_url": "https://github.com/RandomCodeSpace/otelcontext", "repo_track_status": "Met", "repo_track_justification": "Git, hosted on GitHub.", - "repo_track_url": "https://github.com/RandomCodeSpace/otelcontext", "repo_interim_status": "Met", "repo_interim_justification": "All commits merged to `main` are publicly visible via GitHub. No batch or secret merges; small, reviewable PRs (e.g. PR #29..#34 land per-RAN-ticket).", "repo_distributed_status": "Met", "repo_distributed_justification": "Git is a distributed VCS; every clone holds full history.", "version_unique_status": "Met", "version_unique_justification": "Each release carries a unique semver tag (e.g. v0.0.11-beta.15) and an immutable git SHA.", - "version_unique_url": "https://github.com/RandomCodeSpace/otelcontext/tags", "version_semver_status": "Met", "version_semver_justification": "MAJOR.MINOR.PATCH-prerelease.N (e.g. v0.0.11-beta.15) \u2014 pre-release semver per https://semver.org. Pre-1.0 development phase.", - "version_semver_url": "https://github.com/RandomCodeSpace/otelcontext/tags", "version_tags_status": "Met", "version_tags_justification": "Tagged releases are published on GitHub.", - "version_tags_url": "https://github.com/RandomCodeSpace/otelcontext/tags", "release_notes_status": "Met", "release_notes_justification": "GitHub auto-generates release notes from PR titles for each tag; releases are listed at https://github.com/RandomCodeSpace/otelcontext/releases . Pre-1.0 cadence ships beta tags from main.", - "release_notes_url": "https://github.com/RandomCodeSpace/otelcontext/releases", "release_notes_vulns_status": "Met", "release_notes_vulns_justification": "Security fixes are landed in tagged commits with `fix(security):` Conventional-Commit prefix and surface in the auto-generated release notes (e.g. commit 89de89a `fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`).", "report_process_status": "Met", "report_process_justification": "SECURITY.md documents how to report bugs (GitHub Issues) vs vulnerabilities (private GitHub Security Advisory or email fallback to ak.nitrr13@gmail.com with `[otelcontext security]` subject prefix). See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md", - "report_process_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md", "report_tracker_status": "Met", "report_tracker_justification": "GitHub Issues is the public bug tracker.", - "report_tracker_url": "https://github.com/RandomCodeSpace/otelcontext/issues", "report_responses_status": "Met", "report_responses_justification": "Maintainer responds to reported issues within 14 days; SECURITY.md commits to a 5 business-day acknowledgement for security reports and a 10 business-day triage decision for High/Critical issues.", "enhancement_responses_status": "Met", "enhancement_responses_justification": "Enhancement requests are triaged via GitHub Issues; maintainer responds within 14 days.", "report_archive_status": "Met", - "report_archive_justification": "GitHub Issues is the public, searchable archive of bug reports, open and closed: https://github.com/RandomCodeSpace/otelcontext/issues?q=is%3Aissue . GitHub Security Advisories archives coordinated-disclosure reports.", - "report_archive_url": "https://github.com/RandomCodeSpace/otelcontext/issues?q=is%3Aissue", + "report_archive_justification": "GitHub Issues is the public, searchable archive of bug reports, open and closed: https://github.com/RandomCodeSpace/otelcontext/issues . GitHub Security Advisories archives coordinated-disclosure reports.", "vulnerability_report_process_status": "Met", "vulnerability_report_process_justification": "SECURITY.md is the canonical disclosure entry point: preferred channel is a private GitHub Security Advisory, with email fallback. Acknowledgement SLA 5 business days; triage SLA 10 business days for High/Critical; default embargo 90 days or first patched release. See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md", - "vulnerability_report_process_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md", "vulnerability_report_private_status": "Met", "vulnerability_report_private_justification": "GitHub private vulnerability reporting is the preferred channel; advisories are filed at https://github.com/RandomCodeSpace/otelcontext/security/advisories/new", - "vulnerability_report_private_url": "https://github.com/RandomCodeSpace/otelcontext/security/advisories/new", "vulnerability_report_response_status": "Met", "vulnerability_report_response_justification": "SECURITY.md commits to acknowledgement within 5 business days and a fix triage decision within 10 business days for High/Critical.", "build_status": "Met", "build_justification": "Single-command build: `go build -o otelcontext .` (or `make build`). CI builds every PR via `.github/workflows/ci.yml`.", - "build_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml", "build_common_tools_status": "Met", "build_common_tools_justification": "Go toolchain (go 1.25.9 per go.mod) + Node/npm 20+ for the embedded React UI. Both are widely available and standard.", "build_floss_tools_status": "Met", "build_floss_tools_justification": "Go (BSD-3-Clause), Node/npm (MIT/ISC), GNU Make (GPL). All FLOSS.", "test_status": "Met", "test_justification": "Automated test suite under internal/* runs on every push (`go test -race ./...`). Coverage spans graphrag, ingest, storage, queue, vectordb, telemetry, tls, compress, config, api.", - "test_url": "https://github.com/RandomCodeSpace/otelcontext/actions/workflows/ci.yml", "test_invocation_status": "Met", "test_invocation_justification": "`go test -race ./...` \u2014 documented in CONTRIBUTING.md and exercised by `.github/workflows/ci.yml`.", "test_most_status": "Met", "test_most_justification": "Tests cover the core packages: internal/graphrag (drain, builder, investigation, migrate, tenant), internal/ingest (otlp_grpc_limits, otlp_e2e, otlp_http_gzip), internal/storage, internal/queue (dlq), internal/vectordb, internal/tls (selfsigned, filelock), internal/api, internal/telemetry, internal/config, internal/compress.", "test_continuous_integration_status": "Met", "test_continuous_integration_justification": "CI runs full test suite (`go test -race -timeout 180s ./...`) on every PR and every push to main.", - "test_continuous_integration_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml", "test_policy_status": "Met", "test_policy_justification": "CONTRIBUTING.md requires tests for new features and regression tests for bug fixes; PR review enforces it.", "tests_are_added_status": "Met", @@ -115,7 +92,6 @@ "tests_documented_added_justification": "CONTRIBUTING.md documents the test-with-every-change expectation.", "warnings_status": "Met", "warnings_justification": "`go vet ./...` and `golangci-lint` (.golangci.yml) run on every CI build; any warning fails the build.", - "warnings_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.golangci.yml", "warnings_fixed_status": "Met", "warnings_fixed_justification": "All vet/lint warnings resolved on `main`; no suppressions without justification.", "warnings_strict_status": "Met", @@ -124,7 +100,6 @@ "know_secure_design_justification": "Maintainer applies defense-in-depth: per-tenant context propagation across HTTP/gRPC/MCP layers (internal/api/tenant_middleware.go, internal/ingest/otlp.go), tenant-scoped reads in internal/storage and internal/graphrag, signed-commit setup for `main` (scripts/setup-git-signed.sh), strict TLS (sslmode require/verify-ca/verify-full enforced when DB_AZURE_AUTH=true in internal/storage), parameterised queries via GORM, secrets via env (no in-repo secrets enforced by gitleaks).", "know_common_errors_status": "Met", "know_common_errors_justification": "Familiar with OWASP Top 10 and CWE-22/78/79/89/918. Semgrep `p/owasp-top-ten` + `p/security-audit` + `p/golang` rulesets run on every PR; OSV-Scanner against go.mod + ui/package-lock.json blocks merge on High/Critical.", - "know_common_errors_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml", "crypto_published_status": "Met", "crypto_published_justification": "Only published algorithms used: Go crypto/tls, crypto/rand, crypto/sha256. No custom crypto.", "crypto_call_status": "Met", @@ -149,15 +124,12 @@ "delivery_unsigned_justification": "Source is delivered exclusively via HTTPS-served git from github.com. No unsigned binary delivery channel: pre-1.0 betas are tagged commits (verifiable by SHA), and binary build is in the user's pipeline (`go build`) \u2014 there is no pre-built binary distribution in scope. Signed-commit hardening on `main` is configured via scripts/setup-git-signed.sh.", "vulnerabilities_fixed_60_days_status": "Met", "vulnerabilities_fixed_60_days_justification": "Most recent example: commit 89de89a (`fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`) landed within 60 days of the OSV/Trivy advisory. Dependabot + OSV-Scanner + Trivy run weekly.", - "vulnerabilities_fixed_60_days_url": "https://github.com/RandomCodeSpace/otelcontext/security/advisories", "vulnerabilities_critical_fixed_status": "Met", "vulnerabilities_critical_fixed_justification": "Zero High/Critical open. RAN-56 patched all OSV+Trivy HIGH/CRITICAL findings on PR #34 (commit 89de89a).", "no_leaked_credentials_status": "Met", "no_leaked_credentials_justification": "Gitleaks job in `.github/workflows/security.yml` scans the full git history on every PR and push; merge blocked on any finding. GitHub repo-level secret scanning + push protection enabled.", - "no_leaked_credentials_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml", "static_analysis_status": "Met", "static_analysis_justification": "Semgrep (p/security-audit + p/owasp-top-ten + p/golang) + golangci-lint run on every PR and push. Merge blocked on `--severity ERROR`.", - "static_analysis_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml", "static_analysis_common_vulnerabilities_status": "Met", "static_analysis_common_vulnerabilities_justification": "Semgrep `p/owasp-top-ten` and `p/security-audit` rulesets cover CWE-22/78/79/89/918 and the broader OWASP Top 10. `p/golang` adds Go-specific issue patterns.", "static_analysis_fixed_status": "Met", @@ -166,13 +138,12 @@ "static_analysis_often_justification": "Semgrep + golangci-lint run on every push to main and every PR; Dependabot weekly cadence catches advisory drift between commits.", "dynamic_analysis_status": "Met", "dynamic_analysis_justification": "`go test -race -timeout 180s ./...` runs in CI on every PR (.github/workflows/ci.yml). The race detector instruments concurrency-heavy paths (graphrag event workers, retention scheduler, DLQ replay) and fails the build on any race.", - "dynamic_analysis_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml", "dynamic_analysis_unsafe_status": "N/A", "dynamic_analysis_unsafe_justification": "N/A \u2014 Go is memory-safe. The codebase contains no `unsafe.Pointer` in application code; only stdlib-internal use via the standard libraries.", "dynamic_analysis_enable_assertions_status": "Met", "dynamic_analysis_enable_assertions_justification": "Go panics-on-invariants are used at boundary conditions (e.g. config validation in internal/config). The `-race` detector is the Go equivalent of runtime concurrency assertions and is enabled in CI.", "dynamic_analysis_fixed_status": "Met", "dynamic_analysis_fixed_justification": "Race-detector and `go test` failures gate every PR; no known unfixed dynamic-analysis findings on `main`.", - "self_assessment_date": "2026-04-26", + "self_assessment_date": "2026-06-18", "self_assessment_author": "TechLead (RAN-58)" } \ No newline at end of file