Merge branch 'main' into proposals/cicd

.gitvote.yml

@@ -0,0 +1,17 @@
+profiles:
+  default:
+    duration: 4w
+    pass_threshold: 51
+    periodic_status_check: "2 weeks"
+    close_on_passing: true
+    allowed_voters:
+      teams:
+        - oversight-committee-members
+  super:
+    duration: 4w
+    pass_threshold: 66
+    periodic_status_check: "2 weeks"
+    close_on_passing: true
+    allowed_voters:
+      teams:
+        - oversight-committee-members

CONTRIBUTING.md

@@ -60,6 +60,8 @@ We have also adopted [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md).
 
 ## Legal
 
+### License Headers
+
 Each source file must include a license header for the Apache
 Software License 2.0. Using the SPDX format is the simplest approach.
 e.g.
@@ -80,13 +82,19 @@ e.g.
 # limitations under the License.
 ```
 
-We have tried to make it as easy as possible to make contributions. This
-applies to how we handle the legal aspects of contribution. We use the
-same approach - the [Developer's Certificate of Origin 1.1 (DCO)](https://oscal-compass.github.io/compliance-trestle/contributing/DCO/) - that the Linux® Kernel [community](https://elinux.org/Developer_Certificate_Of_Origin)
-uses to manage code contributions.
+### Developer's Certificate of Origin
+
+We have tried to make it as easy as possible to make contributions. This applies to how we handle the legal aspects of contribution. 
+
+We use the [Developer's Certificate of Origin 1.1 (DCO)](https://developercertificate.org/) to manage code contributions (the same approach as the Linux® Kernel [community](https://elinux.org/Developer_Certificate_Of_Origin))
+
+The DCO requires developers to sign off each of their commits to certify that they have the right to submit the code to the project and that they agree to license their contribution under the project's open source license.
 
-We simply ask that when submitting a patch for review, the developer
-must include a sign-off statement in the commit message.
+You can read more about the DCO and its guidelines [here](https://github.com/cncf/foundation/blob/main/dco-guidelines.md).
+
+Note that DCO sign-off is enforced on all repositories by [DCO bot](https://github.com/probot/dco). Commits with a missing sign-off will be required to be rebased with the sign-off statement added before being accepted.
+
+#### How to Sign Off
 
 Here is an example Signed-off-by line, which indicates that the
 submitter accepts the DCO:
@@ -100,7 +108,4 @@ local git repository using the following command:
 
 ```bash
 git commit --signoff
-```
-
-Note that DCO signoff is enforced by [DCO bot](https://github.com/probot/dco). Missing DCO's will be required to be rebased
-with a signed off commit before being accepted.
+```

GOVERNANCE.md

@@ -2,6 +2,15 @@
 
 The following document outlines how the OSCAL Compass project governance operates.
 
+## Principles
+
+The OSCAL Compass community adheres to the following principles:
+
+**Open**: OSCAL-Compass is open source. See project guidelines [here](./CONTRIBUTING.md).
+**Welcoming and respectful**: See [Code of Conduct](./CODE_OF_CONDUCT.md).
+**Transparent and accessible**: Work and collaboration should be done in public.
+**Merit**: Ideas and contributions are accepted according to their technical merit and alignment with project objectives, scope, and design principles. See our design proposal [process](./proposals/README.md)
+
 ## Governance Structure Overview
 
 The OSCAL Compass Project has a two-level governance structure with an Oversight Committee and Project Maintainers.
@@ -72,15 +81,29 @@ In the event that consensus cannot be reached, a Maintainer can call for a vote
 
 ### Explicit Voting
 
-The secondary decision-making process is done by explicit voting. 
+The secondary decision-making process is done by explicit voting.
+
+#### Process
+
+We use the [GitVote](https://github.com/cncf/gitvote) bot to streamline our voting efforts.
+
+- Organization-level voting must take place in the community (this repository) repository.
+- Only GitHub Issues and Pull Requests are supported.
+
+The GitVote [repository](https://github.com/cncf/gitvote/blob/main/README.md) has additional information on usage.
+
+There are some constant configurations between voting profiles:
+
+- The Oversight Committee members have binding votes in the community repository. All in the community can and are encouraged to participate in the vote, even if their vote is not binding.
+- The duration for voting is four weeks with status checks occurring at the two week mark.
 
-#### Simple Majority Vote
+##### Simple Majority Vote
 
-If a vote is called, the default is a simple majority vote - more than half of the appropriate deciding body.
+If a vote is called, the default is a simple majority vote - more than half of the appropriate deciding body. This is the default profile used when calling a vote with `/vote`
 
-#### Supermajority Vote
+##### Supermajority Vote
 
-In some cases, a supermajority vote is required for decision making - at least two-thirds of the appropriate deciding body.
+In some cases, a supermajority vote is required for decision making - at least two-thirds of the appropriate deciding body. You can use `/vote-super` to initiate this type of vote.
 
 Some examples include:
 
@@ -98,4 +121,4 @@ Trivial changes that do not introduce policy changes may be approved by two memb
 
 ## Acknowledgements
 
-This governance approach and documentation was adapted from InstructLab [governance](https://github.com/instructlab/community/blob/main/GOVERNANCE.md).
+Sections of this document were adapted from [InstructLab](https://github.com/instructlab/community/blob/main/GOVERNANCE.md) and [CoreDNS](https://github.com/coredns/coredns/blob/master/GOVERNANCE.md) projects.

MAINTAINERS.md

@@ -12,6 +12,7 @@ The project-wide oversight committee
 - [`jpower432`](https://github.com/jpower432)
 - [`mrgadgil`](https://github.com/mrgadgil) - Chair
 - [`yuji-watanabe-jp`](https://github.com/yuji-watanabe-jp)
+- [`vikas-agarwal76`](https://github.com/vikas-agarwal76)
 
 ### Org Admins
 
@@ -23,6 +24,7 @@ Team with admin access to the `oscal-compass` org.
 - [`vikas-agarwal76`](https://github.com/vikas-agarwal76)
 - [`mrgadgil`](https://github.com/mrgadgil)
 - [`jflowers`](https://github.com/jflowers)
+- [`degenaro`](https://github.com/degenaro)
 - [`thelinuxfoundation`](https://github.com/thelinuxfoundation)
 
 ## Community
@@ -33,3 +35,4 @@ Team with maintainer access to the Community repository
 
 - [`jpower432`](https://github.com/jpower432)
 - [`vikas-agarwal76`](https://github.com/vikas-agarwal76)
+- [`degenaro`](https://github.com/degenaro)

README.md

@@ -1,4 +1,4 @@
-# <img alt="Logo" width="50px" src="./assets/oscal-compass-icon-800x800.png" style="vertical-align: middle;" /> OSCAL Compass Community
+# <img alt="Logo" width="50px" src="./assets/oscal-compass-icon-1200x1200.png" style="vertical-align: middle;" /> OSCAL Compass Community
 
 ## Welcome to the OSCAL Compass Community repository
 
@@ -50,15 +50,12 @@ Please attend! All are invited.
 Every other Tuesday starting on April 23, 2024 · 11:00 – 11:30am ET
 [convert to your local time](https://mytime.io/11am/ET)
 
-**Where**: [Google Meet Link](https://meet.google.com/cfr-rkxp-emg)
+**Where**: [Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/91709345128?password=5510325d-895f-4932-a843-df728dc3028d)
 
-Dial in:
-(US) +1 319-483-6865‬ PIN: ‪269 825 741‬#\
-[More phone numbers](https://tel.meet/cfr-rkxp-emg?pin=9717189704231)
 
 **What**: Meeting agenda and notes [Google Docs](https://docs.google.com/document/d/1XTYM7xnWlIqd-8Nn5-qtgvgk8kH3NSmYle5yZvaS7qs/edit?usp=sharing)
 
-We also have a [shared calendar](https://calendar.google.com/calendar/u/0?cid=NjZjNjdjY2E0ZGZmMWYwN2Q5OGQwZjkxYTMyOGFjZWYyZjRhNjdhMzQzOWYxNGY4NmIyZGU1NmEwYTgzNGEwMUBncm91cC5jYWxlbmRhci5nb29nbGUuY29t).
+We also have a [shared calendar](https://zoom-lfx.platform.linuxfoundation.org/meetings/trestlegrc?view=week).
 
 **Recordings**
 
@@ -86,7 +83,7 @@ If you would like to see the detailed LICENSE click [here](LICENSE).
 Consult [maintainers](MAINTAINERS.md) for the current list of maintainers for various projects in the oscal-compass community.
 
 ```text
-# Copyright (c) 2020 The OSCAL Compass Authors. All rights reserved.
+# Copyright (c) 2024 The OSCAL Compass Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -101,3 +98,17 @@ Consult [maintainers](MAINTAINERS.md) for the current list of maintainers for va
 # limitations under the License.
 
 ```
+
+-----
+
+We are a Cloud Native Computing Foundation sandbox project.
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://www.cncf.io/wp-content/uploads/2022/07/cncf-white-logo.svg">
+  <img src="https://www.cncf.io/wp-content/uploads/2022/07/cncf-color-bg.svg" width=300 />
+</picture>
+
+The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage)".
+
+*OSCAL Compass was originally contributed by IBM.*
+

SECURITY.md

@@ -0,0 +1,48 @@
+# OSCAL Compass Security Policy
+
+This policy describes OSCAL Compass security and disclosure information.
+
+## Reporting a vulnerability
+
+To report a vulnerability, either:
+
+1. Report it on Github directly you can follow the procedure described
+   [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
+   and:
+
+    - Navigate to the security tab (e.g. `trestle` [security tab](https://github.com/oscal-compass/compliance-trestle/security)) on the repository
+    - Click on 'Advisories'
+    - Click on 'Report a vulnerability'
+    - Detail the issue, see below for some examples of info that might be
+      useful including.
+
+2. Send an email to `[email protected]` detailing the issue and impacted project(s).
+
+### What to include
+
+Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding:
+
+* Versions of impacted project(s) used
+* Detailed list of steps to reproduce the vulnerability
+* Consequences of the vulnerability
+* Severity you feel should be attributed to the vulnerabilities
+* Screenshots or logs
+
+## Public Disclosure
+
+Vulnerabilities once fixed will be shared publicly as a Github [security
+advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)
+and mentioned in the fixed versions' release notes.
+
+## Supported Versions
+
+All OSCAL Compass projects follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z:
+- where x is the major version
+- y is the minor version
+- and z is the patch version
+
+Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility.
+
+## Acknowledgments
+
+Parts of this policy were adapted from the Crossplane [security policy](https://github.com/crossplane/crossplane/blob/master/SECURITY.md)