Note: VSAQ is not an official Google product (experimental or otherwise);
it’s just code that happens to be owned by Google.
VSAQ is an interactive questionnaire application. Its initial purpose was
to support security reviews by facilitating not only the collection of
information, but also the redisplay of collected data in templated form.
At Google, questionnaires like the ones in this repository are used to
assess the security programs of third parties. But the templates provided
can be used for a variety of purposes, including doing a self-assessment
of your own security program, or simply becoming familiar with issues
affecting the security of web applications.
Local Development Server
To run the VSAQ development server locally, use the run command:
./do.sh run
Note that the development app server uses a snapshot of the code, taken
at the time you run it. If you make changes to the code, be sure to run the
appropriate build command again and restart the dev server:
Run ./do.sh build to refresh the source code, static files, and templates.
Run ./do.sh build_templates to rebuild only the Closure Templates. Then
run ./do.sh run to restart the dev server.
Deployment
The open source version of VSAQ does not require a dedicated back end. This means
VSAQ can be hosted as a static application on any web server.
To deploy VSAQ, complete the following steps:
./do.sh build_prod — This will run a normal build, but will also remove
test files.
Copy the content of the build directory into any directory hosted on your
web server.
The questionnaire should now be available under
https://[yourserver]/vsaq.html?qpath=questionnaires/test_template.json
Example: https://vsaq-demo.withgoogle.com/vsaq.html?qpath=questionnaires/test_template.json
Reference Implementation
The reference implementation in the client_side_only_impl folder requires no
code to run on a back end. All operations are performed by vsaq_main.js in the
browser.
Although this makes deployment very easy, you may want to run a custom
server-side component for storing answers and mapping questionnaires
to users. vsaq_main.js provides example code for submitting and loading questionnaire
answers to/from a back end:
submitQuestionnaireToServer_: Submits questionnaire answers to a back end.
loadAnswersFromServer_: Loads questionnaire answers from a back end.
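One way to structure the custom server-side component mentioned above, shown as an added example that is not part of VSAQ: storage rules that map questionnaires to users and accept only well-formed answer JSON. The function names, status codes, size limit and the assumption that answers arrive as a JSON object are all hypothetical; how they connect to submitQuestionnaireToServer_ and loadAnswersFromServer_ depends on your back end.

```javascript
// Added example, not VSAQ code: storage rules for a hypothetical answers back end.
// createStore, assign, saveAnswers and loadAnswers are assumed names.
const QPATH_RE = /^questionnaires\/[A-Za-z0-9_-]+\.json$/; // rejects "..", absolute paths, other dirs
const MAX_BYTES = 256 * 1024; // constructed per-submission size limit

function createStore() {
  return { assignments: new Map(), answers: new Map() };
}

// Record that `user` may fill in `qpath`; everything else is denied by default.
function assign(store, user, qpath) {
  if (!QPATH_RE.test(qpath)) throw new Error('invalid qpath');
  if (!store.assignments.has(user)) store.assignments.set(user, new Set());
  store.assignments.get(user).add(qpath);
}

// 400 for a malformed qpath, 403 when the pair is not assigned, 200 otherwise.
function check(store, user, qpath) {
  if (typeof qpath !== 'string' || !QPATH_RE.test(qpath)) return 400;
  const allowed = store.assignments.get(user);
  return allowed && allowed.has(qpath) ? 200 : 403;
}

const key = (user, qpath) => JSON.stringify([user, qpath]);

// `user` must come from the server's authenticated session, never from the request.
function saveAnswers(store, user, qpath, rawBody) {
  const status = check(store, user, qpath);
  if (status !== 200) return { status };
  if (typeof rawBody !== 'string') return { status: 400 };
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BYTES) return { status: 413 };
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return { status: 400 }; }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return { status: 400 };
  store.answers.set(key(user, qpath), JSON.stringify(parsed)); // store normalized JSON only
  return { status: 200 };
}

function loadAnswers(store, user, qpath) {
  const status = check(store, user, qpath);
  if (status !== 200) return { status };
  return { status: 200, body: store.answers.get(key(user, qpath)) || '{}' };
}
```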
Notes
JS files in static/ are compiled by the Closure Compiler and placed in
build/vsaq_binary.js.
Closure Templates are compiled by the Closure Template Compiler
and placed in build/templates/vsaq/static/questionnaire/templates.soy.js.
The /questionnaires directory and parts of the /static directories are
replicated in build/.
Changes to the JSON /questionnaires do not require redeployment of the
application code, and can be done on the server if required.
VSAQ: Vendor Security Assessment Questionnaire
Introduction
To test the application without deploying it, go to https://vsaq-demo.withgoogle.com.
Example Third-Party Security Review Workflow
Project Structure
Build Prerequisites
These instructions have been tested with the following software:
VSAQ Setup
These instructions assume a working directory of the repository root.
VSAQ includes an easy-to-use setup script called do.sh. It supports the following commands:
./do.sh {install_deps|check_deps}
./do.sh {build|build_prod|build_templates|build_docs} [debug]
./do.sh {run}
./do.sh {clean|clean_deps}
./do.sh {lint}
Build
To build VSAQ, run the following commands:
./do.sh install_deps
./do.sh build