Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

OpenSSF scorecard #2958

Open
1 of 6 tasks
flavorjones opened this issue Aug 16, 2023 · 2 comments
Open
1 of 6 tasks

OpenSSF scorecard #2958

flavorjones opened this issue Aug 16, 2023 · 2 comments
Labels
topic/ci topic/security

Comments

@flavorjones
Copy link
Member

I'd like to explore the recommendations being made by the OpenSSF scorecard report. I ran it this morning manually and saw this:

|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Branch-Protection      | internal error: error during   | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#branch-protection      |
|         |                        | branchesHandler.setup:         |                                                                                                                       |
|         |                        | internal error:                |                                                                                                                       |
|         |                        | githubv4.Query: Resource not   |                                                                                                                       |
|         |                        | accessible by personal access  |                                                                                                                       |
|         |                        | token                          |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 13 out of 13 merged PRs        | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: passing        | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10  | Code-Review            | found 6 unreviewed changesets  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#code-review            |
|         |                        | out of 8 -- score normalized   |                                                                                                                       |
|         |                        | to 2                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | 93 different organizations     | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#contributors           |
|         |                        | found -- score normalized to   |                                                                                                                       |
|         |                        | 10                             |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 28  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#maintained             |
|         |                        | issue activity out of 30 found |                                                                                                                       |
|         |                        | in the last 90 days -- score   |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | publishing workflow detected   | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 6                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | https://github.com/ossf/scorecard/blob/5ec66fa906d68e00d80d2a407103b8434aac421e/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

Some things to explore:

  • set up codeql checks (SAST check)
  • pinned dependencies - not sure which one isn't pinned, looks like maybe just rubyzip?
  • token permissions - set github actions token permissions to "read" at top level, then increase for specific jobs (I think?)

Other recommendations from https://app.stepsecurity.io/securerepo?repo=https://github.com/sparklemotion/nokogiri

  • pin actions to a hash
    • and then have dependabot bump them
  • add a scorecard workflow
@flavorjones flavorjones added this to the v1.17.0 milestone Jul 3, 2024
@flavorjones
Copy link
Member Author

Updated report today:

|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Binary-Artifacts       | binaries present in source     | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#binary-artifacts       |
|         |                        | code                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 8 out of 8 merged PRs          | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: Passing        | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | Found 0/8 approved changesets  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#code-review            |
|         |                        | -- score normalized to 0       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 92 contributing    | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing                | project is fuzzed              | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 16 issue      | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool is run on all        | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#sast                   |
|         |                        | commits                        |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy        | security policy file detected  | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#security-policy        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities     | https://github.com/ossf/scorecard/blob/1c448ee6522578a20a89d7f924debd0624c7bd71/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

@flavorjones
Copy link
Member Author

Pinning actions to hashes didn't affect the "pinned-dependencies" score ... not sure where that's coming from.

@flavorjones flavorjones removed this from the v1.17.0 milestone Jul 3, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
topic/ci topic/security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@flavorjones