WP9 T2 provides a special service for GÉANT development teams to make their code more robust against all kinds of threats, to increase the quality of the code or to help them be compliant with the GÉANT Software IPR policy. Besides, the PLM process requires to pass a quality gate before the software can be put into production. A code assessment conducted by WP9 T2 or an IPR check are examples of such a quality gate. The prerequisite for an assessment is that the application or service is listed in the GÉANT Software Catalogue.
We offer several types of review services for code assessment. They vary concerning the method of review, scope and granularity of the report.
Each type of the above-mentioned services is a combination of various review procedures. Differences between the procedures are briefly discussed below:
Additionally, we offer a WhiteSource software scan supporting software's IPR check.
This is not a code review, but a special service offered to development teams. We assist you to set up your project in SonarQube so that your team can use the tool for continuous evaluation and improvement by itself. SonarQube should be used by all GÉANT software development teams to improve and assure software quality.
This option requires the least effort for the requestor and provides instant, continuous access to the assessment results. It involves no proxy to execute the assessment.
Recommended for: Teams that expect regular, frequent feedback on the code quality.
This review type is a combination of a tools-based SonarQube review and a manual expert analysis. It involves Subject-Matter Experts to cross-validate the results collected by the tool. This review type is most frequently asked for and therefore supposed to be the standard review type.
Recommended for: Teams that expect occasional and highly reliable reports concerning the code quality. Due to the considerable effort needed to perform the manual validation by experts, it is not recommended for frequent quality assessments.
The extended review can be requested either as a one-off service or in addition to the SonarQube-based expert review. It focuses on a comprehensive, manual assessment of the code by selected Subject Matter Experts that best match with their expert skills your specific assessment requirements. Since the extended review often addresses special requirements, it does not necessarily aim for a code quality attestation as required by the PLM process.
We use additional assessment tools beyond those used in SonarQube. The analysis tools will be run and critical or major issues in their output are verified manually in the source code. Sometimes specific test cases/scenarios are executed with those tools.
This is the most laborious, but also the highly customizable type of review, as it relies on a manual review that requires the involvement of (possibly) several subject-matter experts. It is not frequently expected in the usual practice of development teams and must be negotiated on a per-request basis.
Recommended for: Teams that expect a thorough, multi-directional insight into the project quality.
This is a technical supporting service for the PLM or IPR software compliance check. We assist you to set up your project in the WhiteSource tool, to get your team an insight into the 3rd party libraries imported into the software project. The tool delivers two-fold information about the 3rd party software: licence compliance and security information about the vulnerabilities and defects identified in the 3rd party components used in a project.
This option requires minimal effort from your side during the setup phase and provides instant, continuous access to the assessment results. However, once the WhiteSource scanning of libraries and licences and scanning is established, the teams should perform scans whenever a major refactoring of the software is made, or if there have been changes in software dependencies or input or output IPR and licences. Also, the teams should be able to interpret WhiteSource results and reports by themselves.
Recommended for: Teams that expect regular, frequent feedback for risks associated with the infringement of IPR and associated security vulnerabilities that may be inherent in third-party libraries; WhiteSource setup assistance is also performed as preparatory work for WhiteSource scan analysis.
This is a technical consulting service for the PLM or IPR software compliance check. We adjust the WhiteSource licence settings to be aligned with your intended or actual licensing policy, perform the scan of your software project and help you in interpreting the obtained results. Our experience shows that more than one scan is usually necessary until all possible parameters are adjusted the way that the result meets your needs.
We assist your team in getting insight into the 3rd party libraries imported into the software project and their licences, as well as the initial information about the vulnerabilities and defects associated with them. These are inputs for the refinement of the IPR policy and licence selection for the software as well as tweaking of the usage of libraries. Obtaining satisfactory results may require several iterations and WhiteSource scans.
The consultative nature of this service requires strong cooperation between our WhiteSource experts and your team. A clearly expressed expectation about the focus of the scan and resulting analysis is useful, as well as information about a trigger for the scan, such as a change in the IPR policy, in the software or in its dependencies. Any major refactoring of the software or change in software dependencies or input or output IPR and licences is likely to require a new request for a WhiteSource scan analysis.
Recommended for: Teams that want to verify their own licensing policy, licences of dependencies or effects of changes in the software.
|Tool setup||Summary report||Detailed report||Quality gate confirmation for PLM|
SonarQube setup assistance
|SonarQube-based expert review||SonarQube||x||x||y/n|
|WhiteSource setup assistance||WhiteSource||x|
|WhiteSource scan analysis||WhiteSource||x||x||y/n|
Contact Task 2 team to request any of the before-mentioned services.