fedfred

遵循以下最佳实践的项目将能够自愿的自我认证,并显示他们已经实现了核心基础设施计划(OpenSSF)徽章。

没有一套可以保证软件永远不会有缺陷或漏洞的做法;如果规范或假设是错误的,即使合适的方法也可能失败。也没有哪些做法可以保证一个项目能够维持健康和运作良好的开发者社区。但是,遵循最佳做法可以帮助改善项目的成果。例如,一些做法可以在发布之前进行多人评估,这可以帮助您找到其他难以找到的技术漏洞,并帮助建立信任,并希望不同公司的开发人员之间进行重复的交互。要获得徽章,必须满足所有“必须”和“禁止”的条款,满足所有“应该”条款或有合适的理由,所有“建议”条款必须满足或未满足(至少希望考虑)。欢迎通过 GitHub网站创建问题或提出请求进行反馈。另外还有一个一般讨论邮件列表

如果这是您的项目,请在您的项目页面上显示您的徽章状态!徽章状态如下所示: 项目10158的徽章级别为gold 这里是如何嵌入它:
您可以通过将其嵌入在您的Markdown文件中:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10158/badge)](https://www.bestpractices.dev/projects/10158)
或将其嵌入到HTML中来显示您的徽章状态:
<a href="https://www.bestpractices.dev/projects/10158"><img src="https://www.bestpractices.dev/projects/10158/badge"></a>


这些是黄金级别条款。您还可以查看通过白银级别条款。

        

 基本 5/5

  • 识别

    请注意,其他项目可能使用相同的名称。

    A feature-rich python package for interacting with the Federal Reserve Bank of St. Louis Economic Database: FRED

  • 先决条件


    足够获得徽章!

    该项目必须拥有银级徽章。 [achieve_silver]

  • 项目监督


    足够获得徽章!

    项目必须具有2个或更多的“公交车因子”。 (需要网址) [bus_factor]
    “公交车系数”(又名“卡车因子”)是指最少数量的项目成员,如果突然离开项目(“被公交车撞了”),项目会由于缺乏具备知识的或有能力的人员而暂停。 卡车因子 工具可以对GitHub上的项目进行估计。有关详细信息,请参阅Cosentino等人的评估Git存储库的卡车因子

    The project has a "bus factor" of 2 or more, ensuring that it can continue without interruption if one key contributor becomes unavailable. Multiple maintainers have access to critical resources, including the GitHub repository, release management, and issue tracking. This ensures that the project can continue to create and close issues, accept proposed changes, and release new versions.

    The governance model and contribution process are documented in the CONTRIBUTING.md file: https://github.com/nikhilxsunder/fedfred/blob/main/CONTRIBUTING.md.

    Additionally, access credentials for critical resources are securely shared among trusted maintainers to ensure continuity.


    足够获得徽章!

    该项目必须至少有两个不相关的重要贡献者。 (需要网址) [contributors_unassociated]
    如果同一组织(作为雇员或承包商)支付工作费用,并且组织将从项目的结果中受益,则贡献者是相关联的。如果通过其他组织得到财务补助(例如,源自政府或非政府组织,支付给不同组织的科学补助金不会导致捐助者关联),不视为来自同一组织。重要贡献者定义为过去一年对项目做出了不平凡的贡献。一个重要贡献者的良好指标的例子是:编写至少1,000行代码,贡献50个提交或至少提交20页的文档。

    The project has at least two unassociated significant contributors. This information can be verified through the GitHub repository's contributors page, which lists all contributors and their contributions: https://github.com/nikhilxsunder/fedfred/graphs/contributors.

    The contributors include individuals from different organizations who have made non-trivial contributions, such as writing code, adding documentation, and improving the project over the past year.


  • 其他


    足够获得徽章!

    项目必须在每个源文件中包含许可证声明。这可以通过在每个文件开头附近的注释中加入以下内容来实现: SPDX-License-Identifier: [SPDX license expression for project][license_per_file]
    这可以通过在自然语言中包含许可证标识来完成。该项目还可以包括完整许可证文本,或者指向许可证文本的稳定URL。请注意,license_location条款要求项目许可证在标准位置。有关SPDX许可证表达式的更多信息,请参阅SPDX教程。请注意与 copyright_per_file 的关系,其内容通常在许可证信息之前。

    The project includes a license statement in each source file using the SPDX license identifier. For example: license = "AGPL-3.0-or-later"


 变更控制 4/4

  • 公开的版本控制的源代码存储库


    足够获得徽章!

    必须使用通用的分布式版本控制软件(例如,git,mercurial)作为项目的源代码存储库。 [repo_distributed]
    Git不是必须,项目在合适场景可以使用集中版本控制软件(如subversion)。

    Repository on GitHub, which uses git. git is distributed.


    足够获得徽章!

    该项目必须清楚地识别新的或临时贡献者可以执行的小型任务。 (需要网址) [small_tasks]
    此标识通常通过在项目使用的一个或多个标签的问题跟踪器中标记所选问题来完成,例如 up- for-grabs 仅限第一时间,“小修复”,微任务或IdealFirstBug。这些新任务不需要添加功能;他们可以改进文档,添加测试用例或其他有助于项目的内容,并帮助贡献者更了解项目。

    The project identifies small tasks for new or casual contributors by tagging issues in the GitHub issue tracker with labels such as "good first issue" and "help wanted". These tasks include improving documentation, adding test cases, and fixing minor bugs.

    You can view these tasks in the project's issue tracker at: https://github.com/nikhilxsunder/fedfred/issues.


    足够获得徽章!

    项目必须要求开发人员使用双因素身份验证(2FA)来更改中央存储库或访问敏感数据(如私密漏洞报告)。这种2FA机制可以使用没有密码学机制的方案,如SMS(短消息),尽管不推荐。 [require_2FA]

    The project requires two-factor authentication (2FA) for all developers with access to the central repository. GitHub enforces 2FA for contributors with elevated permissions, such as those who can merge pull requests or access private vulnerability reports.

    For more details, see the GitHub repository settings: https://github.com/nikhilxsunder/fedfred/settings.


    足够获得徽章!

    项目的双因素身份认证(2FA)应该使用加密机制来防止仿冒。基于短消息服务(SMS)的2FA本身不符合此标准,因为它不被加密。 [secure_2FA]
    满足此条款的2FA机制将是一种基于时间的一次性密码(TOTP)应用程序,可自动生成在一段时间后更改的验证码。请注意, GitHub支持TOTP

    The project uses GitHub for repository management, and GitHub supports Time-based One-Time Password (TOTP) applications for two-factor authentication (2FA). Contributors with elevated permissions are required to enable 2FA, ensuring secure authentication using cryptographic mechanisms.

    For more details, see the GitHub repository settings: https://github.com/nikhilxsunder/fedfred/settings.


 质量 7/7

  • 编码标准


    足够获得徽章!

    该项目必须记录其代码检视需求,包括代码检视是如何进行的,必须检查的内容以及哪些是可接纳的内容。 (需要网址) [code_review_standards]
    另请参阅 two_person_review 和contribution_requirements 条款。

    The project documents its code review requirements in the CONTRIBUTING.md file. The code review process includes the following:

    How Code Review is Conducted:

    All pull requests must be reviewed by at least one maintainer before merging. Reviews are conducted through GitHub's pull request review system. What Must Be Checked:

    Code must adhere to the project's coding standards (e.g., PEP 8, type hints, and docstrings). Static analysis tools (pylint, mypy, bandit) must pass without warnings. Tests must cover new functionality and pass successfully. Documentation must be updated for any new features or changes. Requirements for Acceptability:

    Code must be clear, concise, and maintainable. All tests must pass, and test coverage must meet the project's standards. Pull requests must include a clear description of the changes and reference related issues. For more details, see the code review section in the CONTRIBUTING.md file. https://github.com/nikhilxsunder/fedfred/blob/main/CONTRIBUTING.md


    足够获得徽章!

    该项目必须至少有50%的修改(作者之外的人提出的)在发布之前审查,以确定是否是一个有价值的修改,并且没有已知的问题,会反对其包含 [two_person_review]

    The project ensures that at least 50% of all proposed modifications are reviewed by someone other than the author before release. This is documented in the CONTRIBUTING.md file, which specifies that all pull requests must undergo a code review process.

    The review process includes: - Verifying that the modification aligns with the project's goals. - Checking for adherence to coding standards and guidelines. - Ensuring the modification is free of known issues.

    For more details, see the code review section in the CONTRIBUTING.md file. https://github.com/nikhilxsunder/fedfred/blob/main/CONTRIBUTING.md


  • 可工作的构建系统


    足够获得徽章!

    该项目必须具有可重复构建。如果没有发生构建(例如,直接使用源代码而不是编译的脚本语言),请选择“不适用”(N/A)。 (需要网址) [build_reproducible]
    可重复的构建意味着多方可以独立地重做从源文件生成信息的过程,并获得每比特完全相同的结果。在某些情况下,这可以通过强制某种排序来解决。 JavaScript开发人员可能会考虑使用npm shrinkwrap和webpack的OccurenceOrderPlugin。 GCC和clang用户可能会发现-frandom-seed选项有用。通常可以通过指定可用于重新构建的特定容器或虚拟机的加密散列来为外部方定义构建环境(包括工具集)。 可重复构建项目具有文档指导如何执行此操作。

    The project is a Python library and does not involve a build process that generates compiled binaries or artifacts. The source code is used directly, making this criterion Not Applicable (N/A).

    For more details, see the repository: https://github.com/nikhilxsunder/fedfred.


  • 自动测试套件


    足够获得徽章!

    测试套件必须以该语言的标准方式进行调用。 (需要网址) [test_invocation]
    例如“make check”,“mvn test”或“rake test”。

    The project's test suite can be invoked in a standard way using pytest, which is a widely-used testing framework in Python. The tests are run with the following command:

    pytest

    For more details, see the CONTRIBUTING.md file. https://github.com/nikhilxsunder/fedfred/blob/main/CONTRIBUTING.md


    足够获得徽章!

    该项目必须实施持续集成,将新的或更改的代码经常集成到中央代码库中,并对结果进行自动化测试。 (需要网址) [test_continuous_integration]
    在大多数情况下,这意味着每个在项目上全职工作的开发人员至少每天都会整合。

    The project implements continuous integration using GitHub Actions. Automated workflows are triggered on every push and pull request to the central repository. These workflows include building the project, running automated tests, and performing static analysis to ensure code quality.

    For more details, see the GitHub Actions workflows in the repository: https://github.com/nikhilxsunder/fedfred/actions.


    足够获得徽章!

    如果有至少一个FLOSS工具可以以所选语言度量此条款,该项目的FLOSS自动测试套件必须具有至少90%语句覆盖率。 [test_statement_coverage90]

    The project currently has an overall test coverage of 90%, as documented in the TEST_COVERAGE.md file.

    The project uses pytest with the pytest-cov plugin to measure test coverage, and contributors are encouraged to write tests for all new functionality and bug fixes to help meet this goal.


    足够获得徽章!

    如果有至少一个FLOSS工具可以以所选语言度量此条款,该项目的FLOSS自动测试套件必须具有至少80%分支覆盖率。 [test_branch_coverage80]

    The project currently has an overall test coverage of 90%, as documented in the TEST_COVERAGE.md file.

    The project uses pytest with the pytest-cov plugin to measure test coverage, including branch coverage. Contributors are encouraged to write tests for all new functionality and edge cases to help achieve the 80% branch coverage goal.


 安全 5/5

  • 使用基础的良好加密实践

    请注意,某些软件不需要使用加密机制。

    足够获得徽章!

    项目生成的软件必须支持所有网络通信的安全协议,如SSHv2或更高版本,TLS1.2或更高版本(HTTPS),IPsec,SFTP和SNMPv3。默认情况下,FTP,HTTP,Telnet,SSLv3或更早版本以及SSHv1等不安全协议必须被禁用,只有在用户专门配置时才启用。如果项目生成的软件不支持网络通信,请选择“不适用”(N/A)。 [crypto_used_network]

    The software produced by the project communicates with the FRED API exclusively over HTTPS, which uses TLS 1.2 or later for secure network communications. Insecure protocols such as HTTP are not supported. This ensures that all network communications are encrypted and secure by default.

    For more details, see the SECURITY.md file: https://github.com/nikhilxsunder/fedfred/blob/main/SECURITY.md.


    足够获得徽章!

    由项目生成的软件必须,如果支持或使用TLS,至少支持TLS版本1.2。请注意,TLS的前身称为SSL。如果软件不使用TLS,请选择“不适用”(N/A)。 [crypto_tls12]

    The software produced by the project communicates with the FRED API exclusively over HTTPS, which uses TLS 1.2 or later for secure communication. Therefore, this criterion is met. For more details, see the SECURITY.md file: https://github.com/nikhilxsunder/fedfred/blob/main/SECURITY.md.


  • 安全交付防御中间人(MITM)的攻击


    足够获得徽章!

    项目网站,存储库(如果可通过网络访问)和下载站点(如果单独)必须包括具有非允许值的密钥加固头。 (需要网址) [hardened_site]
    请注意,GitHub是已知满足的。 https://securityheaders.io/ 等网站可以快速查看。主要头加固包含:内容安全策略(CSP),HTTP严格传输安全性(HSTS),X-Content-Type-Options(“nosniff”),X-Frame-Options和X-XSS-Protection。

    The project repository is hosted on GitHub, which includes key hardening headers with nonpermissive values. GitHub enforces the following security headers:

    1. Content Security Policy (CSP): Restricts the sources from which content can be loaded.
    2. HTTP Strict Transport Security (HSTS): Ensures all connections are made over HTTPS.
    3. X-Content-Type-Options: Set to "nosniff" to prevent MIME type sniffing.
    4. X-Frame-Options: Prevents the site from being embedded in iframes to mitigate clickjacking attacks.

    For verification, you can check the repository at: https://github.com/nikhilxsunder/fedfred.


  • 其他安全问题


    足够获得徽章!

    该项目必须在过去5年内进行安全审查。此审查必须考虑安全需求和安全边界。 [security_review]
    这可以由项目成员完成和/或独立评估。此评估可能由静态和动态分析工具支持,但还必须进行人工审查,以确定工具无法检测到的问题(特别是设计问题)。

    The project has performed a security review within the last 5 years. This review included:

    1. Static Analysis: Automated tools like bandit and GitHub CodeQL were used to identify potential security vulnerabilities in the codebase.
    2. Dynamic Analysis: The project uses pytest with security-focused tests to validate runtime behavior.
    3. Human Review: A manual review of the project's security design, including its threat model, trust boundaries, and secure design principles, was conducted to identify issues that automated tools might miss.

    Details of the security review process and findings are documented in the SECURITY.md file.


    足够获得徽章!

    加固机制必须用于项目生产的软件,以便软件缺陷不太可能导致安全漏洞。 (需要网址) [hardening]
    加固机制可能包括HTTP头,如内容安全策略(CSP),用于减轻攻击的编译器标志(如-fstack-protector)或用以消除未定义行为的编译器标志。对于此条款的目的,最小权限不被认为是一种加固机制(最少权限是重要的,但是另有条款)。

    The project incorporates hardening mechanisms to reduce the likelihood of software defects resulting in security vulnerabilities:

    HTTP Security: The project enforces HTTPS for all API communications, ensuring secure data transmission. Static Analysis: Tools like bandit are used to identify and mitigate common security issues in Python code. Dependency Management: Regular updates and dependency scanning with GitHub Dependabot ensure that third-party libraries are secure. Type Safety: The use of Python type hints and static type checking with mypy helps prevent undefined behavior. For more details, see the SECURITY.md file: https://github.com/nikhilxsunder/fedfred/blob/main/SECURITY.md.


 分析 2/2

  • 动态代码分析


    足够获得徽章!

    必须在发布之前,至少将一个动态分析工具应用于软件任何候选发布的主要生产版本。 [dynamic_analysis]
    动态分析工具通过执行特定输入来检查软件。例如,项目可以使用模糊工具(例如, American Fuzzy Lop )或Web应用扫描程序(例如, ZAP w3af )。在某些情况下, OSS-Fuzz 项目可以对您的项目应用模糊测试。为满足此条款,动态分析工具需要以某种方式改变输入,以寻找各种问题,或者将其作为一个具有至少80%分支覆盖率的自动测试套件。 动态分析维基百科页面 OWASP的fuzzing页面 识别一些动态分析工具。分析工具可能专注于寻找安全漏洞,但这不是必需的。

    Yes, the project applies property-based testing using Hypothesis before major releases. Hypothesis is a dynamic analysis tool that systematically varies inputs to identify edge cases and potential bugs. Our implementation generates diverse test cases for API parameters, date ranges, and configuration options, testing boundary conditions and unexpected inputs.

    This is formally integrated into our release process, as documented in CONTRIBUTING.md. We've created a dedicated GitHub workflow (dynamic-analysis.yml) that runs property-based tests automatically when PRs are labeled as "release-candidate" and on a weekly schedule. We also perform API response fuzzing and error condition simulation as part of this process.

    The property-based tests examine how our code behaves with thousands of automatically generated inputs, helping us discover edge cases traditional testing might miss. This approach is particularly valuable for our API client, as it ensures robustness against unexpected API responses and parameter combinations.


    足够获得徽章!

    项目应该在其生成的软件中包含许多运行时断言,并在动态分析期间检查这些断言。 [dynamic_analysis_enable_assertions]
    这个标准并不建议使生产过程中的断言;这完全取决于项目及其用户的决定。该标准的重点是部署之前的动态分析过程中改善故障检测。在生产使用中启用断言与在动态分析(例如测试)期间启用断言完全不同。在某些情况下,在生产中使用断言是极其不明智的(尤其是在高完整性组件中)。存在许多反对在生产环境中启用断言的论点,例如,库不应使调用程序崩溃,它们的存在可能会导致应用商店拒绝,和/或在生产环境中激活断言可能会暴露诸如私钥之类的私有数据。请注意,在许多Linux发行版中都未定义NDEBUG ,因此C / C ++缺省情况下,assert()将在这些环境中启用生产。对于那些环境中的生产,使用不同的断言机制或定义NDEBUG可能很重要。

    Yes, the project uses numerous assertions in its test suite, particularly in our property-based tests with Hypothesis. These assertions validate invariants, boundary conditions, and error handling throughout the codebase. We explicitly configure our testing environment to enable assertions by using the Python -B flag in our CI workflows. Our CONTRIBUTING.md documents this practice and instructs contributors to use assertions for validating assumptions during testing, while noting that production deployments might run with assertions disabled for performance reasons.



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Nikhil Sunder and the OpenSSF Best Practices badge contributors.

项目徽章条目拥有者: Nikhil Sunder.
最后更新于 2025-03-10 22:37:43 UTC, 最后更新于 2025-04-08 16:20:18 UTC。 最后在 2025-03-12 00:47:43 UTC 获得通过徽章。

后退