WP9 T2 provides a special service for GÉANT development teams to make their code more robust against all kinds of threats, to increase the quality of the code, or to help them comply with the GÉANT Software IPR policy. In addition, the PLM process requires passing a quality gate before the software can be put into production. A code assessment conducted by WP9 T2 or an IPR check are examples of such a quality gate. The prerequisite for an assessment is that the application or service is listed in the GÉANT Software Catalogue.

Introduction

We offer several types of review services for code assessment. They differ in the method of review, the scope, and the granularity of the report.

Each of the service types listed below is a combination of various review procedures. The differences between the procedures are briefly discussed in the following sections.

Additionally, we offer a WhiteSource software scan that supports the software's IPR check.

Types of service we offer

SonarQube setup assistance

This is not a code review, but a special service offered to development teams. We assist you in setting up your project in SonarQube so that your team can use the tool for continuous evaluation and improvement on its own. SonarQube should be used by all GÉANT software development teams to improve and assure software quality.

This option requires the least effort from the requestor and provides instant, continuous access to the assessment results. No intermediary is involved in executing the assessment.

Recommended for: Teams that expect regular, frequent feedback on the code quality.

SonarQube-based expert review

This review type combines a tool-based SonarQube review with a manual expert analysis. It involves Subject-Matter Experts who cross-validate the results collected by the tool. This review type is the most frequently requested and is therefore considered the standard review type.

Recommended for: Teams that expect occasional and highly reliable reports concerning the code quality. Due to the considerable effort needed to perform the manual validation by experts, it is not recommended for frequent quality assessments.

Extended source code review

The extended review can be requested either as a one-off service or in addition to the SonarQube-based expert review. It focuses on a comprehensive, manual assessment of the code by selected Subject Matter Experts whose skills best match your specific assessment requirements. Since the extended review often addresses special requirements, it does not necessarily aim for a code quality attestation as required by the PLM process.

This is the most laborious, but also the most customizable type of review, as it relies on a manual review that may require the involvement of several subject-matter experts. It is not frequently needed in the usual practice of development teams and must be negotiated on a per-request basis.

Recommended for: Teams that expect a thorough, multi-directional insight into the project quality.

WhiteSource setup assistance

This is a technical supporting service for the PLM or IPR software compliance check. We assist you in setting up your project in the WhiteSource tool, so that your team gains insight into the 3rd party libraries imported into the software project. The tool delivers two kinds of information about the 3rd party software: licence compliance, and security information about the vulnerabilities and defects identified in the 3rd party components used in a project.

This option requires minimal effort from your side during the setup phase and provides instant, continuous access to the assessment results. However, once WhiteSource scanning of libraries and licences is established, the teams should perform scans whenever a major refactoring of the software is made, or if there have been changes in software dependencies or in input or output IPR and licences. Also, the teams should be able to interpret WhiteSource results and reports by themselves.

Recommended for: Teams that expect regular, frequent feedback on risks associated with the infringement of IPR and with the security vulnerabilities that may be inherent in third-party libraries. WhiteSource setup assistance is also performed as preparatory work for a WhiteSource scan analysis.

WhiteSource scan analysis

This is a technical consulting service for the PLM or IPR software compliance check. We adjust the WhiteSource licence settings to align with your intended or actual licensing policy, perform the scan of your software project, and help you interpret the obtained results. Our experience shows that more than one scan is usually necessary before all parameters are adjusted so that the result meets your needs.

We assist your team in gaining insight into the 3rd party libraries imported into the software project and their licences, as well as initial information about the vulnerabilities and defects associated with them. These are inputs for refining the IPR policy and licence selection for the software, as well as for adjusting the usage of libraries. Obtaining satisfactory results may require several iterations and WhiteSource scans.

The consultative nature of this service requires close cooperation between our WhiteSource experts and your team. A clearly expressed expectation about the focus of the scan and the resulting analysis is useful, as is information about the trigger for the scan, such as a change in the IPR policy, in the software, or in its dependencies. Any major refactoring of the software or change in software dependencies or in input or output IPR and licences is likely to require a new request for a WhiteSource scan analysis.

Recommended for: Teams that want to verify their own licensing policy, licences of dependencies or effects of changes in the software.

Overview of request options

Service                          Tool setup    Summary report    Detailed report
SonarQube setup assistance       SonarQube     -                 -
SonarQube-based expert review    SonarQube     x                 x
Extended source code review      Custom        x                 x
WhiteSource setup assistance     WhiteSource   -                 -
WhiteSource scan analysis        WhiteSource   x                 x

Contact us

Contact the Task 2 team to request any of the above-mentioned services.