
Please consider adopting OpenSSF Scorecard #8856

Closed
another-rex opened this issue Jul 10, 2024 · 4 comments
Labels
documentation About end-user documentation enhancement Issues that are considered to be enhancements

Comments

@another-rex

Hello!

What is the feature you want to request?

OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of existing entrants.

We feel it helps boost the security credibility of the projects and products we're linking to.

Here's the results of a one-time run:

RESULTS
-------
Aggregate score: 6.6 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Branch-Protection      | internal error: error during   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#branch-protection      |
|         |                        | branchesHandler.setup:         |                                                                                                                       |
|         |                        | internal error:                |                                                                                                                       |
|         |                        | githubv4.Query: Resource not   |                                                                                                                       |
|         |                        | accessible by personal access  |                                                                                                                       |
|         |                        | token                          |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 20 out of 20 merged PRs        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: Passing        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | all changesets reviewed        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#code-review            |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 31 contributing    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 24 issue      | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool detected             | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Signed-Releases        | 5 out of the last 5 releases   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#signed-releases        |
|         |                        | have a total of 5 signed       |                                                                                                                       |
|         |                        | artifacts.                     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 94 existing vulnerabilities    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
@another-rex another-rex added new feature Issues that are considered to be new features to triage Issues that need triaging labels Jul 10, 2024
@sschuberth
Member

Hi @another-rex, could you please elaborate more on what the exact ask is? Is the ask to improve the scores in those areas where ORT currently seems to perform low? If so, let me comment on some of these:

  • Branch-Protection: There's obviously some error in querying the API.
  • CII-Best-Practices: I've just made some edits to our entry that should improve the score.
  • Fuzzing: I believe fuzzing is not applicable for a JVM / locally running CLI application like ORT.
  • Pinned-Dependencies: We could think about locking dependency versions for Gradle, but in contrast to other ecosystems, it is a rather uncommon thing to do for JVM projects.
  • Security-Policy: Indeed we have no formal security policy file. Not sure if we intend to add one.
  • Signed-Releases: Releases are signed, and starting with the next release also build attestation should start working. Let's see if that gives us the full score.
  • Token-Permissions: We could investigate how to limit default permissions to the absolute minimum required.
  • Vulnerabilities: These vulnerabilities likely stem from test projects which deliberately contain vulnerabilities (for ORT itself to detect).

@sschuberth sschuberth added enhancement Issues that are considered to be enhancements documentation About end-user documentation and removed new feature Issues that are considered to be new features to triage Issues that need triaging labels Jul 10, 2024
@another-rex
Author

another-rex commented Jul 11, 2024

could you please elaborate more what the exact ask is?

The ask is mostly to use the scorecard github action https://scorecard.dev/#using-the-github-action to keep track of the score, and potentially putting a scorecard badge with the score in your readme: https://github.com/ossf/scorecard/blob/main/README.md#scorecard-badges.

The idea is essentially letting potential users know whether the project roughly follows good practices, as a way to help users decide whether to make use of a project.

Is the ask to improve the scores in those areas where ORT currently seems to perform low

Thanks for the explanation! I think scorecard does a poor job of explaining the score range, but 6.6 is actually not bad! For example, other popular OSSF projects (e.g. Allstar) have 7.1. Scorecard tries to score for the general case, so scores like Vulnerabilities don't really work for a project like this one with test vulnerabilities.

sschuberth added a commit that referenced this issue Jul 11, 2024
This complements the OpenSSF Best Practices badge. Resolves #8856.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth
Member

I'm adding both the action and badge in #8860. @another-rex any idea why the badge shows a score of 6.1 when your manual run shows 6.6?

@another-rex
Author

The reason the GitHub Action score is a bit different is most likely because the scorecard-action has older dependencies compared to the main scorecard (the GitHub Action's last release is May 20). A new release should be out soon for scorecard-action though.
