Auditing process
- Select an audit team
  - A team of at least two people well versed in the stack used
  - The auditor must not be the submitter or the original author
- Validate the Intent to Relicense form: are all software practices complete, and does the submitter have manager approval?
- Work with the submitter to push the code to a new private repo in UWaterloo-Public (this repo becomes the public version once approved). Optionally squash the commit history; pushing a single squashed commit also keeps anything that was committed and later deleted (credentials, internal hostnames, draft notes) out of the published history.
- The auditor performs the audit in collaboration with the submitter
  - Verify that the release template files are present and complete
  - Validate the appropriateness of the license
  - Security: review Dependabot alerts, run Static Application Security Testing (SAST), and check the working tree and commit history for committed secrets such as passwords, API keys and private keys
  - Following the README instructions, build the software and confirm that it runs
  - If present, review the unit tests and code coverage
  - Review the core functionality of the software
  - Verify the code is Sufficiently Not Terrible (keep in mind, this code will be readable by the whole wide world)
- Should any issues be found, work with the submitter to resolve them and re-audit
- If issues found during the audit process are unresolvable, the project will not be approved for a permissive license under the UWaterloo Public GitHub profile
- Attach findings to the original Intent to Relicense issue
- Submit to CIO for final approval
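The two mechanical parts of the audit above (are the release template files present, and is anything secret sitting in the tree) can be scripted so the auditor and submitter start from the same findings. The script below is an added example written for this page, not tooling from the UWaterloo-Public process; it assumes the template requires `README.md` and `LICENSE` (the real template may list other files) and uses a small set of regex patterns for common credential formats. The sample repository it audits is constructed in a temporary directory and contains AWS's documented placeholder key id, not a real credential.

```python
"""Pre-publication audit helper (added example, not the process's own tooling):
checks that required release files exist and scans the working tree for
committed secrets before a repository is made public."""
import os
import re
import tempfile
from pathlib import Path

# Assumed names for the release template files; the real template may differ.
REQUIRED_FILES = ("README.md", "LICENSE")

# Common credential formats. Regex matching has both false positives and misses,
# so hits are leads for the auditor to confirm, not a verdict.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # e.g. DB_PASSWORD = "..." or api_key: '...'; value must be 8+ non-space chars
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}

# Directories that are not part of the source being published.
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}


def check_required_files(repo: Path) -> list:
    """Return the names of required template files that are missing."""
    return [name for name in REQUIRED_FILES if not (repo / name).is_file()]


def scan_for_secrets(repo: Path) -> list:
    """Walk the working tree; return (relative path, line number, pattern name)
    for each line matching a secret pattern. Binary files are skipped, and git
    history is not covered here (inspect it separately, e.g. with `git log -p`)."""
    findings = []
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            path = Path(root) / name
            try:
                text = path.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: not a text source file
            for lineno, line in enumerate(text.splitlines(), start=1):
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((str(path.relative_to(repo)), lineno, label))
    return findings


def audit(repo: Path) -> dict:
    """Run both checks; 'approved' is False if anything needs the submitter's attention."""
    missing = check_required_files(repo)
    secrets = scan_for_secrets(repo)
    return {"missing_files": missing, "secrets": secrets,
            "approved": not missing and not secrets}


def build_sample_repo() -> Path:
    """Constructed sample repository (not a real project): has a README but no
    LICENSE, and a settings file with a placeholder AWS key id and a hard-coded
    password. Returns the temporary directory it was created in."""
    root = Path(tempfile.mkdtemp(prefix="audit-sample-"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "README.md").write_text("# Sample\n\nRun `make` to build.\n")
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("def main():\n    return 0\n")
    (root / "src" / "settings.py").write_text(
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS's documented placeholder key id
        "DB_PASSWORD = \"correct-horse-battery\"\n"
    )
    return root


if __name__ == "__main__":
    report = audit(build_sample_repo())
    for item in report["missing_files"]:
        print(f"missing required file: {item}")
    for path, lineno, label in report["secrets"]:
        print(f"{path}:{lineno}: possible {label}")
    print("approved" if report["approved"] else "needs work")
```

Run it from the root of the candidate repo by replacing `build_sample_repo()` with `Path(".")`. It complements, rather than replaces, the Dependabot and SAST review: Dependabot covers dependency advisories, SAST covers code defects, and this catches the release-template and leaked-credential problems that neither tool is aimed at.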