When performing a technical evaluation of a module, create a copy of this document and use the conventions below to indicate the status of each criterion. The evaluation results should be placed in the module_evaluations directory and should conform to the following naming convention: `{JIRA Key}_YYYY-MM-DD.MD`, e.g. `TCR-1_2021-11-17.MD`. The date here is used to differentiate between initial and potential re-evaluation(s). It should be the date when the evaluation results file was created.
- ACCEPTABLE
- INAPPLICABLE
- UNACCEPTABLE
  - comments on what was evaluated/not evaluated, why a criterion failed
- Uses Apache 2.0 license
- Module build MUST produce a valid module descriptor
- Module descriptor MUST include interface requirements for all consumed APIs
- Third party dependencies use an Apache 2.0 compatible license
  - Direct dependencies:
    - github.com/MikeTaylor/catlogger v0.0.2 uses Apache 2.0
    - github.com/google/uuid v1.4.0 uses [BSD 3-Clause "New" or "Revised" License](https://github.com/google/uuid/blob/master/LICENSE), which we expect to be whitelisted
    - github.com/indexdata/foliogo v0.1.5 uses Apache 2.0
    - github.com/jackc/pgx/v5 v5.5.0 uses MIT Licence
  - Indirect dependencies:
    - github.com/jackc/pgpassfile v1.0.0 uses MIT Licence
    - github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a uses MIT Licence
    - github.com/jackc/puddle/v2 v2.2.1 uses MIT Licence
    - github.com/smartystreets/goconvey v1.8.1 uses MIT Licence
    - golang.org/x/crypto v0.9.0 uses BSD-3-Clause
    - golang.org/x/sync v0.1.0 uses BSD-3-Clause
    - golang.org/x/text v0.9.0 uses BSD-3-Clause
    - moul.io/http2curl v1.0.0 uses Apache 2.0 or MIT Licence as we prefer
  - Summary: this requirement is met provided that we determine the BSD-3-Clause and MIT licences to be Apache-compatible
- Installation documentation is included
  - note: read more at https://github.com/folio-org/mod-search/blob/master/README.md
- Personal data form is completed, accurate, and provided as `PERSONAL_DATA_DISCLOSURE.md` file
- Sensitive and environment-specific information is not checked into git repository
- Module is written in a language and framework from the officially approved technologies page
- Module only uses FOLIO interfaces already provided by previously accepted modules, e.g. a UI module cannot be accepted that relies on an interface only provided by a back end module that hasn't been accepted yet
- Module gracefully handles the absence of third party systems or related configuration
- INAPPLICABLE: Sonarqube hasn't identified any security issues, major code smells or excessive (>3%) duplication
  - The code does not go through Sonarqube, but is vetted by six separate code-style tools.
- Uses officially supported build tools
- Unit tests have 80% coverage or greater, and are based on officially approved technologies
- Module's repository includes a compliant Module Descriptor
- Module includes executable implementations of all endpoints in the provides section of the Module Descriptor
- Environment vars are documented in the ModuleDescriptor
  - note: read more at https://wiki.folio.org/pages/viewpage.action?pageId=65110683
- If a module provides interfaces intended to be consumed by other FOLIO Modules, they must be defined in the Module Descriptor "provides" section
- All API endpoints are documented in RAML or OpenAPI
- All API endpoints are protected with appropriate permissions as per the following guidelines and recommendations, e.g. avoid using `*.all` permissions, all necessary module permissions are assigned, etc.
- INAPPLICABLE: Module provides reference data (if applicable), e.g. if there is a controlled vocabulary where the module requires at least one value
- INAPPLICABLE: If provided, integration (API) tests must be written in an officially approved technology
  - note: while it's strongly recommended that modules implement integration tests, it's not a requirement
  - note: these tests are defined in https://github.com/folio-org/folio-integration-tests
- Data is segregated by tenant at the storage layer
- The module doesn't access data in DB schemas other than its own and public
- The module responds with a tenant's content based on x-okapi-tenant header
- Standard `GET /admin/health` endpoint returning a 200 response
  - note: read more at https://wiki.folio.org/display/DD/Back+End+Module+Health+Check+Protocol
- High Availability (HA) compliant
  - Possible red flags:
    - Connection affinity / sticky sessions / etc. are used
    - Local container storage is used
    - Services are stateful
- Module only uses infrastructure / platform technologies on the officially approved technologies list.
  - e.g. PostgreSQL, ElasticSearch, etc.
[Please include here any suggestions that you feel might improve the TCR Processes.]