
Application Security Review Request: Metrics Platform extension
Closed, Resolved (Public)

Description

Project Information

───────────────────────────────────────────────────────────────────────────────
Language      Files   Lines   Blanks   Comments   Code   Complexity
───────────────────────────────────────────────────────────────────────────────
JSON              6    5300        0          0   5300            0
PHP               3     320       26         40    254            2
Markdown          2      11        4          0      7            0
JavaScript        1      29        2         11     16            0
License           1     339       58          0    281            0
gitignore         1      24        2          3     19            0
───────────────────────────────────────────────────────────────────────────────
Total            14    6023       92         54   5877            2
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic)    $173,463
Estimated Schedule Effort (organic)    7.07 months
Estimated People Required (organic)    2.18
───────────────────────────────────────────────────────────────────────────────
Processed 204728 bytes, 0.205 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

Description of the tool/project:
MetricsPlatform is an extension that hooks into EventStreamConfig by checking, via an API, for stream configs managed by the Metrics Platform team. This is part of a bigger project to build the Metrics Platform Instrument Configurator.
Description of how the tool will be used at WMF:
This extension will enable authorized WMF staff to manage stream configurations via a new tool called MPIC.
Dependencies

List dependencies, or upstream projects that this project relies on.

Has this project been reviewed before?
No

Please link to tasks or wiki pages of previous reviews.

Working test environment

Please link or describe setup process for setting up a test environment.

https://mpic-next.wikimedia.org

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Data Products - @cjming

Details

Risk Rating
Low

Event Timeline

sbassett changed the task status from Open to In Progress. Jul 3 2024, 5:14 PM
sbassett assigned this task to mmartorana.
sbassett triaged this task as Medium priority.

Hi! Just FYI, the MP extension has been deployed to testwiki on the beta cluster (see T366234).

Hello, thank you for informing us. The review will be published shortly.

mmartorana closed this task as Resolved. Edited Wed, Aug 21, 5:10 PM
mmartorana moved this task from In Progress to Our Part Is Done on the secscrum board.

Security Review Summary - T366233 - 2024-08-21
Last commit reviewed: 18f9619

Summary

Overall, the code of this extension seems secure and adheres to best practices. There are no identified vulnerable dependencies or SAST issues, resulting in a strong security posture with an overall low risk score.

Vulnerable Packages - Production
none

Vulnerable Packages - Development
none

Outdated Packages
As reported via npm outdated and composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package                           Current   Wanted
mediawiki/mediawiki-codesniffer   43.0.0    44.0.0

Static Analysis Findings
Risk: low
semgrep returned no results. low risk.
snyk returned no results. low risk.
bearer returned no results. low risk.
sast-scan returned no results. low risk.
horusec returned a bunch of false positives. low risk.
bearer returned a bunch of false positives. low risk.

General code health score

  1. The Wikimedia code health check tool returned a weighted risk score of 34.10.
PROJECT: MetricsPlatform@master
REPOSITORY: https://gerrit.wikimedia.org/r/mediawiki/extensions/MetricsPlatform

+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        4 |        3 |    0 |            10 |            10 |            7 |           7 |         10 |            0 |         0 |         34.10 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+

General security issues
whispers returned no results. low risk.
gitleaks returned no results. low risk.