Ericsson / codechecker

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy
https://codechecker.readthedocs.io
Apache License 2.0

Adopt Secure Software Development Best Practices of OpenSSF Scorecard #3977

Closed gkunz closed 1 year ago

gkunz commented 1 year ago

Is your feature request related to a problem? Please describe.

This feature request proposes to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to strengthen the (supply chain) security posture of the CodeChecker project.

Describe the solution you would like

The proposed solution is:

  1. running Scorecards against the CodeChecker repo,
  2. evaluation of the scan results of Scorecards in terms of applicability,
  3. adoption and/or implementation of the recommendation considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

gkunz commented 1 year ago

Below are the scan results for the current state of the repository.

Low hanging fruits seem to be

Results:

{
  "date": "2023-08-10T22:00:05+02:00",
  "repo": {
    "name": "github.com/Ericsson/CodeChecker",
    "commit": "38f93156f678f84eb297672eec4a8dde8eb39586"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 4.8,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: settings apply to administrators on branch 'master'",
        "Warn: status checks do not require up-to-date branches for 'master'",
        "Warn: 'last push approval' disabled on branch 'master'",
        "Info: status check found to merge onto on branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Warn: stale review dismissal disabled on branch 'master'",
        "Warn: codeowner review is not required on branch 'master'",
        "Warn: 'force pushes' enabled on branch 'release-v6.22.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.2'",
        "Info: settings apply to administrators on branch 'release-v6.22.2'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.22.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.2'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.22.2'",
        "Warn: stale review dismissal disabled on branch 'release-v6.22.2'",
        "Warn: codeowner review is not required on branch 'release-v6.22.2'",
        "Warn: 'force pushes' enabled on branch 'release-v6.22.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.1'",
        "Info: settings apply to administrators on branch 'release-v6.22.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.22.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.22.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.22.1'",
        "Warn: codeowner review is not required on branch 'release-v6.22.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.22.0-rc1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.0-rc1'",
        "Info: settings apply to administrators on branch 'release-v6.22.0-rc1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.22.0-rc1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.0-rc1'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.0-rc1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.22.0-rc1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.22.0-rc1'",
        "Warn: codeowner review is not required on branch 'release-v6.22.0-rc1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.21.0-rc1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.21.0-rc1'",
        "Info: settings apply to administrators on branch 'release-v6.21.0-rc1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.21.0-rc1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.21.0-rc1'",
        "Warn: no status checks found to merge onto branch 'release-v6.21.0-rc1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.21.0-rc1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.21.0-rc1'",
        "Warn: codeowner review is not required on branch 'release-v6.21.0-rc1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.19.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.19.1'",
        "Info: settings apply to administrators on branch 'release-v6.19.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.19.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.19.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.19.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.19.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.19.1'",
        "Warn: codeowner review is not required on branch 'release-v6.19.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.18.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.18.2'",
        "Info: settings apply to administrators on branch 'release-v6.18.2'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.18.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.18.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.18.2'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.18.2'",
        "Warn: stale review dismissal disabled on branch 'release-v6.18.2'",
        "Warn: codeowner review is not required on branch 'release-v6.18.2'",
        "Warn: 'force pushes' enabled on branch 'release-v6.18.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.18.1'",
        "Info: settings apply to administrators on branch 'release-v6.18.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.18.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.18.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.18.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.18.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.18.1'",
        "Warn: codeowner review is not required on branch 'release-v6.18.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.15.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.15.2'",
        "Info: settings apply to administrators on branch 'release-v6.15.2'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.15.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.15.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.15.2'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.15.2'",
        "Warn: stale review dismissal disabled on branch 'release-v6.15.2'",
        "Warn: codeowner review is not required on branch 'release-v6.15.2'",
        "Warn: 'force pushes' enabled on branch 'release-v6.15.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.15.1'",
        "Info: settings apply to administrators on branch 'release-v6.15.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.15.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.15.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.15.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.15.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.15.1'",
        "Warn: codeowner review is not required on branch 'release-v6.15.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.12.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.12.1'",
        "Info: settings apply to administrators on branch 'release-v6.12.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.12.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.12.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.12.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.12.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.12.1'",
        "Warn: codeowner review is not required on branch 'release-v6.12.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.11.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.11.1'",
        "Info: settings apply to administrators on branch 'release-v6.11.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.11.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.11.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.11.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.11.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.11.1'",
        "Warn: codeowner review is not required on branch 'release-v6.11.1'",
        "Warn: 'force pushes' enabled on branch 'release-v6.11.0'",
        "Info: 'allow deletion' disabled on branch 'release-v6.11.0'",
        "Info: settings apply to administrators on branch 'release-v6.11.0'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.11.0'",
        "Warn: 'last push approval' disabled on branch 'release-v6.11.0'",
        "Warn: no status checks found to merge onto branch 'release-v6.11.0'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.11.0'",
        "Warn: stale review dismissal disabled on branch 'release-v6.11.0'",
        "Warn: codeowner review is not required on branch 'release-v6.11.0'",
        "Warn: 'force pushes' enabled on branch 'release-v6.10.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.10.1'",
        "Info: settings apply to administrators on branch 'release-v6.10.1'",
        "Warn: status checks do not require up-to-date branches for 'release-v6.10.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.10.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.10.1'",
        "Warn: number of required reviewers is 0 on branch 'release-v6.10.1'",
        "Warn: stale review dismissal disabled on branch 'release-v6.10.1'",
        "Warn: codeowner review is not required on branch 'release-v6.10.1'"
      ],
      "score": 2,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 9,
      "reason": "11 out of 12 merged PRs checked by a CI test -- score normalized to 9",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "all changesets reviewed",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,contour-terminal,ericsson,fossasia,llvm,llvm & @ericsson,microsoft,mozilla,stony brook university"
      ],
      "score": 10,
      "reason": "9 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: tool 'RenovateBot' is not used: Follow the instructions from https://docs.renovatebot.com/configuration-options/. (Low effort)",
        "Warn: tool 'Dependabot' is not used: Follow the instructions from https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates. (Low effort)",
        "Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)",
        "Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. (Low effort)"
      ],
      "score": 0,
      "reason": "no update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.TXT:1",
        "Info: FSF or OSI recognized license: LICENSE.TXT:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 6 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/Ericsson/codechecker/actions/runs/5545180425: .github/workflows/docker.yml:9"
      ],
      "score": 10,
      "reason": "publishing workflow detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pypi.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/snap.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/snap.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/snap.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:188: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:189: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:1: pin your Docker image by updating ubuntu:18.04 to ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98",
        "Warn: containerImage not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:1: pin your Docker image by updating ubuntu:16.04 to ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6",
        "Warn: containerImage not pinned by hash: web/docker/Dockerfile:5",
        "Warn: containerImage not pinned by hash: web/docker/Dockerfile:43: pin your Docker image by updating python:3.9.7-slim-buster to python:3.9.7-slim-buster@sha256:76eaa9e5bd357d6983a88ddc9c4545ef4ad64c50f84f081ba952c7ed08e3bdd6",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:3-29",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:3-29",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:3-33",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:3-33",
        "Warn: downloadThenRun not pinned by hash: web/docker/Dockerfile:16-23",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: .github/workflows/pypi.yml:92",
        "Warn: pipCommand not pinned by hash: .github/workflows/pypi.yml:93",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:167",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:20",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:45",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:52",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:58",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:64",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:71",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:77",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:119",
        "Info: npm installs are pinned"
      ],
      "score": 1,
      "reason": "dependency not pinned by hash detected -- score normalized to 1",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 30 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/config_coverage.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/docker.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/pypi.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/snap.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/test.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: no jobLevel write permissions found"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
      ],
      "score": 0,
      "reason": "49 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
gkunz commented 1 year ago

Intermediate result: we implemented

As a result of the dependabot upgrades, the number of reported vulns is also down from 44 to 36!

In total, this improves our score from an initial 4.8 (see above) to 7.0 (see below).

{
  "date": "2023-08-30T10:56:58+02:00",
  "repo": {
    "name": "github.com/Ericsson/CodeChecker",
    "commit": "f89a10edc8a09bebc759095aec08ee05c351ed7b"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 7,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: settings apply to administrators on branch 'master'",
        "Warn: status checks do not require up-to-date branches for 'master'",
        "Warn: 'last push approval' disabled on branch 'master'",
        "Info: status check found to merge onto on branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Warn: stale review dismissal disabled on branch 'master'",
        "Warn: codeowner review is not required on branch 'master'",
        "Info: 'force pushes' disabled on branch 'release-v6.22.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.2'",
        "Info: settings apply to administrators on branch 'release-v6.22.2'",
        "Info: status checks require up-to-date branches for 'release-v6.22.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.2'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.22.2'",
        "Info: stale review dismissal enabled on branch 'release-v6.22.2'",
        "Info: codeowner review is required on branch 'release-v6.22.2'",
        "Info: 'force pushes' disabled on branch 'release-v6.22.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.1'",
        "Info: settings apply to administrators on branch 'release-v6.22.1'",
        "Info: status checks require up-to-date branches for 'release-v6.22.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.22.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.22.1'",
        "Info: codeowner review is required on branch 'release-v6.22.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.22.0-rc1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.22.0-rc1'",
        "Info: settings apply to administrators on branch 'release-v6.22.0-rc1'",
        "Info: status checks require up-to-date branches for 'release-v6.22.0-rc1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.22.0-rc1'",
        "Warn: no status checks found to merge onto branch 'release-v6.22.0-rc1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.22.0-rc1'",
        "Info: stale review dismissal enabled on branch 'release-v6.22.0-rc1'",
        "Info: codeowner review is required on branch 'release-v6.22.0-rc1'",
        "Info: 'force pushes' disabled on branch 'release-v6.21.0-rc1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.21.0-rc1'",
        "Info: settings apply to administrators on branch 'release-v6.21.0-rc1'",
        "Info: status checks require up-to-date branches for 'release-v6.21.0-rc1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.21.0-rc1'",
        "Warn: no status checks found to merge onto branch 'release-v6.21.0-rc1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.21.0-rc1'",
        "Info: stale review dismissal enabled on branch 'release-v6.21.0-rc1'",
        "Info: codeowner review is required on branch 'release-v6.21.0-rc1'",
        "Info: 'force pushes' disabled on branch 'release-v6.19.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.19.1'",
        "Info: settings apply to administrators on branch 'release-v6.19.1'",
        "Info: status checks require up-to-date branches for 'release-v6.19.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.19.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.19.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.19.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.19.1'",
        "Info: codeowner review is required on branch 'release-v6.19.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.18.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.18.2'",
        "Info: settings apply to administrators on branch 'release-v6.18.2'",
        "Info: status checks require up-to-date branches for 'release-v6.18.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.18.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.18.2'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.18.2'",
        "Info: stale review dismissal enabled on branch 'release-v6.18.2'",
        "Info: codeowner review is required on branch 'release-v6.18.2'",
        "Info: 'force pushes' disabled on branch 'release-v6.18.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.18.1'",
        "Info: settings apply to administrators on branch 'release-v6.18.1'",
        "Info: status checks require up-to-date branches for 'release-v6.18.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.18.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.18.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.18.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.18.1'",
        "Info: codeowner review is required on branch 'release-v6.18.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.15.2'",
        "Info: 'allow deletion' disabled on branch 'release-v6.15.2'",
        "Info: settings apply to administrators on branch 'release-v6.15.2'",
        "Info: status checks require up-to-date branches for 'release-v6.15.2'",
        "Warn: 'last push approval' disabled on branch 'release-v6.15.2'",
        "Warn: no status checks found to merge onto branch 'release-v6.15.2'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.15.2'",
        "Info: stale review dismissal enabled on branch 'release-v6.15.2'",
        "Info: codeowner review is required on branch 'release-v6.15.2'",
        "Info: 'force pushes' disabled on branch 'release-v6.15.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.15.1'",
        "Info: settings apply to administrators on branch 'release-v6.15.1'",
        "Info: status checks require up-to-date branches for 'release-v6.15.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.15.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.15.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.15.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.15.1'",
        "Info: codeowner review is required on branch 'release-v6.15.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.12.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.12.1'",
        "Info: settings apply to administrators on branch 'release-v6.12.1'",
        "Info: status checks require up-to-date branches for 'release-v6.12.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.12.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.12.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.12.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.12.1'",
        "Info: codeowner review is required on branch 'release-v6.12.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.11.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.11.1'",
        "Info: settings apply to administrators on branch 'release-v6.11.1'",
        "Info: status checks require up-to-date branches for 'release-v6.11.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.11.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.11.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.11.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.11.1'",
        "Info: codeowner review is required on branch 'release-v6.11.1'",
        "Info: 'force pushes' disabled on branch 'release-v6.11.0'",
        "Info: 'allow deletion' disabled on branch 'release-v6.11.0'",
        "Info: settings apply to administrators on branch 'release-v6.11.0'",
        "Info: status checks require up-to-date branches for 'release-v6.11.0'",
        "Warn: 'last push approval' disabled on branch 'release-v6.11.0'",
        "Warn: no status checks found to merge onto branch 'release-v6.11.0'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.11.0'",
        "Info: stale review dismissal enabled on branch 'release-v6.11.0'",
        "Info: codeowner review is required on branch 'release-v6.11.0'",
        "Info: 'force pushes' disabled on branch 'release-v6.10.1'",
        "Info: 'allow deletion' disabled on branch 'release-v6.10.1'",
        "Info: settings apply to administrators on branch 'release-v6.10.1'",
        "Info: status checks require up-to-date branches for 'release-v6.10.1'",
        "Warn: 'last push approval' disabled on branch 'release-v6.10.1'",
        "Warn: no status checks found to merge onto branch 'release-v6.10.1'",
        "Warn: number of required reviewers is only 1 on branch 'release-v6.10.1'",
        "Info: stale review dismissal enabled on branch 'release-v6.10.1'",
        "Info: codeowner review is required on branch 'release-v6.10.1'"
      ],
      "score": 4,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "13 out of 13 merged PRs checked by a CI test -- score normalized to 10",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "all changesets reviewed",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,contour-terminal,ericsson,fossasia,llvm,llvm & @ericsson,microsoft,mozilla,stony brook university"
      ],
      "score": 10,
      "reason": "9 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: tool 'RenovateBot' is not used: Follow the instructions from https://docs.renovatebot.com/configuration-options/. (Low effort)",
        "Info: tool 'Dependabot' is used: :0",
        "Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)",
        "Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. (Low effort)"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.TXT:1",
        "Info: FSF or OSI recognized license: LICENSE.TXT:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/Ericsson/codechecker/actions/runs/5545180425: .github/workflows/docker.yml:11"
      ],
      "score": 10,
      "reason": "publishing workflow detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/config_coverage.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/config_coverage.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pypi.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/pypi.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/snap.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/snap.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/snap.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/snap.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:194: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/codechecker/test.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:1: pin your Docker image by updating ubuntu:18.04 to ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98",
        "Warn: containerImage not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:1: pin your Docker image by updating ubuntu:16.04 to ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6",
        "Warn: containerImage not pinned by hash: web/docker/Dockerfile:5",
        "Warn: containerImage not pinned by hash: web/docker/Dockerfile:43: pin your Docker image by updating python:3.9.7-slim-buster to python:3.9.7-slim-buster@sha256:76eaa9e5bd357d6983a88ddc9c4545ef4ad64c50f84f081ba952c7ed08e3bdd6",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:3-29",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.bionic:3-29",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:3-33",
        "Warn: pipCommand not pinned by hash: docker/Dockerfile.test.sqlite.clang11.xenial:3-33",
        "Warn: downloadThenRun not pinned by hash: web/docker/Dockerfile:16-23",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: web/docker/Dockerfile:90-118",
        "Warn: pipCommand not pinned by hash: .github/workflows/pypi.yml:94",
        "Warn: pipCommand not pinned by hash: .github/workflows/pypi.yml:95",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:169",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:22",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:47",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:54",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:60",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:66",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:73",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:79",
        "Warn: pipCommand not pinned by hash: .github/workflows/test.yml:121",
        "Info: npm installs are pinned"
      ],
      "score": 1,
      "reason": "dependency not pinned by hash detected -- score normalized to 1",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 30 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Info: security policy file detected: SECURITY.md:1",
        "Info: Found linked content: SECURITY.md:1",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1",
        "Info: Found text in security policy: SECURITY.md:1"
      ],
      "score": 10,
      "reason": "security policy file detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Info: topLevel permissions set to 'read-all': .github/workflows/config_coverage.yml:24",
        "Info: topLevel permissions set to 'read-all': .github/workflows/docker.yml:8",
        "Info: topLevel permissions set to 'read-all': .github/workflows/pypi.yml:9",
        "Info: topLevel permissions set to 'read-all': .github/workflows/snap.yml:8",
        "Info: topLevel permissions set to 'read-all': .github/workflows/test.yml:6",
        "Info: no jobLevel write permissions found"
      ],
      "score": 10,
      "reason": "GitHub workflow tokens follow principle of least privilege",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-wfm5-v35h-vwf4",
        "Warn: Project is vulnerable to: GHSA-c2jc-4fpr-4vhg",
        "Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw",
        "Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25",
        "Warn: Project is vulnerable to: GHSA-3wcq-x3mq-6r9p",
        "Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q",
        "Warn: Project is vulnerable to: GHSA-2j2x-2gpw-g8fm",
        "Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c",
        "Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97",
        "Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j",
        "Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37",
        "Warn: Project is vulnerable to: GHSA-896r-f27r-55mw",
        "Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3",
        "Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4",
        "Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g",
        "Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr",
        "Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765",
        "Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g",
        "Warn: Project is vulnerable to: GHSA-566m-qj78-rww5",
        "Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3",
        "Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp",
        "Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6",
        "Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw",
        "Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc",
        "Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3",
        "Warn: Project is vulnerable to: GHSA-6pw2-5hjv-9pf7",
        "Warn: Project is vulnerable to: GHSA-4w2j-2rg4-5mjw",
        "Warn: Project is vulnerable to: GHSA-mrgp-mrhc-5jrq",
        "Warn: Project is vulnerable to: GHSA-7jxr-cg7f-gpgv",
        "Warn: Project is vulnerable to: GHSA-xj72-wvfv-8985",
        "Warn: Project is vulnerable to: GHSA-ch3r-j5x3-6q2m",
        "Warn: Project is vulnerable to: GHSA-p5gc-c584-jj6v",
        "Warn: Project is vulnerable to: GHSA-whpj-8f3w-67p5",
        "Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5",
        "Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4",
        "Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh"
      ],
      "score": 0,
      "reason": "36 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
gkunz commented 1 year ago

I think we can close this issue for now as we successfully adopted some of the recommended security best practices. For further improvements, we should create new issues.

dkrupp commented 1 year ago

Alright. Thanks for your help!