Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSF scorecard #2958

Open
1 of 6 tasks
flavorjones opened this issue Aug 16, 2023 · 2 comments
Open
1 of 6 tasks

OpenSSF scorecard #2958

flavorjones opened this issue Aug 16, 2023 · 2 comments
Labels
topic/ci topic/security

Comments

@flavorjones
Copy link
Member

I'd like to explore the recommendations being made by the OpenSSF scorecard report. I ran it this morning manually and saw this:

|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Branch-Protection      | internal error: error during   | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#branch-protection      |
|         |                        | branchesHandler.setup:         |                                                                                                                       |
|         |                        | internal error:                |                                                                                                                       |
|         |                        | githubv4.Query: Resource not   |                                                                                                                       |
|         |                        | accessible by personal access  |                                                                                                                       |
|         |                        | token                          |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 13 out of 13 merged PRs        | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: passing        | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10  | Code-Review            | found 6 unreviewed changesets  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#code-review            |
|         |                        | out of 8 -- score normalized   |                                                                                                                       |
|         |                        | to 2                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 93 different organizations     | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   |                                                                                                                       |
|         |                        | 10                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 28  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | publishing workflow detected   | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 6                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

Some things to explore:

  • set up codeql checks (SAST check)
  • pinned dependencies - not sure which one isn't pinned, looks like maybe just rubyzip?
  • token permissions - set github actions token permissions to "read" at top level, then increase for specific jobs (I think?)

Other recommendations from https://app.stepsecurity.io/securerepo?repo=https://github.com/sparklemotion/nokogiri

  • pin actions to a hash
    • and then have dependabot bump them
  • add a scorecard workflow
@flavorjones flavorjones added this to the v1.17.0 milestone Jul 3, 2024
@flavorjones
Copy link
Member Author

Updated report today:

|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 8 out of 8 merged PRs          | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: Passing        | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | Found 0/8 approved changesets  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#code-review            |
|         |                        | -- score normalized to 0       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 92 contributing    | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed              | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 16 issue      | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool is run on all        | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#sast                   |
|         |                        | commits                        |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

@flavorjones
Copy link
Member Author

Pinning actions to hashes didn't affect the "pinned-dependencies" score ... not sure where that's coming from.

@flavorjones flavorjones removed this from the v1.17.0 milestone Jul 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic/ci topic/security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@flavorjones