Add Compliance check: limitOrgOwners

[UlisesGascon]

How the Check Works

Provide a clear definition based on the spreadsheet

Pending Tasks

You can find more details in the contributing guide

• 1. Define a Good Implementation Example
  • Read the documentation (guidelines, best practices...)
  • Brainstorm how to implement this check (logic, alerts, tasks, validations, edge cases...).
  • Achieve an agreement on the implementation details before starting to work on this.
• 2. Update Check Record Example
  • Update the compliance_checks row with the following fields: how_to_url, implementation_status, implementation_type and implementation_details_reference
  • Check the migration scripts using npm run db:migrate and npm run db:rollback
  • Update the database schema by running npm run db:generate-schema
• 3. Implement the Business Logic Validator Example and Check Example
  • Add the specific validator in src/checks/validators/index.js
  • Add the check logic in src/checks/complianceChecks
  • Ensure that the check is in scope for the organization (use isCheckApplicableToProjectCategory)
  • Ensure that the severity value is well calculated (use getSeverityFromPriorityGroup)
  • Add the alert row in the compliance_checks_alerts table when is needed.
  • Add the task row in the compliance_checks_tasks table when is needed.
  • Add the result row in the compliance_checks_results table.
• 4. Ensure It Works as Expected
  • Add new unit tests for the validator check.
  • Add new integration test cases for this check.
  • Verify that all tests are passing.
  • Run the command check run --name {check_code_name} and verify the changes in the database. Update the seed script if needed (npm run db:seed)
• 5. Update the website Example
  • Review the current content it in https://openjs-security-program-standards.netlify.app/details/{check_code_name}
  • Create a PR in https://github.com/secure-dashboards/openjs-security-program-standards to include how we calculate this check and include additional information on the mitigation if needed.

[bjohansebas]

Although I haven’t yet thought about how to implement this, I know there are organizations like Express and Node.js that have more than 3 owners, which makes me question whether we should display alerts and tasks.

In Express, all TC members are owners, and we simply cannot reduce the TC list. The same applies to Node and any organization, and in some cases, owner access has been granted to the foundation.

[UlisesGascon]

Yep, we need to discuss this @ruddermann. We have the same scenario in Node and many other large projects