Ericsson / ecchronos

Ericsson distributed repair scheduler for Apache Cassandra
Apache License 2.0

Adopt Secure Software Development Best Practices of OpenSSF Scorecard #614

Closed gkunz closed 8 months ago

gkunz commented 11 months ago

I'd like to propose to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to adopt best practices to further mature the project.

The proposed steps include:

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

gkunz commented 11 months ago

Below is a scan result of the current state of the repo:

Low-hanging fruit seems to be

Results:

{
  "date": "2023-10-30T13:37:49+01:00",
  "repo": {
    "name": "github.com/Ericsson/ecchronos",
    "commit": "cc17727477141847b4769d663ef58307135032b1"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 5.5,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Warn: branch protection not enabled for branch 'master'",
        "Warn: branch protection not enabled for branch 'ecchronos-1.0'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 8,
      "reason": "17 out of 21 merged PRs checked by a CI test -- score normalized to 8",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 7,
      "reason": "found 9 unreviewed changesets out of 30 -- score normalized to 7",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for ericsson"
      ],
      "score": 3,
      "reason": "1 different organizations found -- score normalized to 3",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.md:1",
        "Info: FSF or OSI recognized license: LICENSE.md:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 27 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/actions.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: cassandra-test-image/src/main/docker/Dockerfile:1",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:22",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:27",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:28",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:29",
        "Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   1 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 containerImage dependencies pinned",
        "Info:   0 out of   4 pipCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 21 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.\nFor additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nProvide a point of contact in your SECURITY.md.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact ecchronos-4.0.5 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/117989757",
        "Info: signed release artifact: ecchronos-binary-4.0.5.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/122435764",
        "Warn: release artifact ecchronos-4.0.4 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/113624663",
        "Info: signed release artifact: ecchronos-binary-4.0.4.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/118688336",
        "Warn: release artifact ecchronos-4.0.3 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/98172371",
        "Info: signed release artifact: ecchronos-binary-4.0.3.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/102400601",
        "Warn: release artifact ecchronos-4.0.2 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/86272519",
        "Info: signed release artifact: ecchronos-binary-4.0.2.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/88423952",
        "Warn: release artifact ecchronos-3.0.0 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/70948619",
        "Info: signed release artifact: ecchronos-binary-3.0.0.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/70126545"
      ],
      "score": 8,
      "reason": "5 out of 5 artifacts are signed or have provenance",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/actions.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: no jobLevel write permissions found"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-57m8-f3v5-hm5m",
        "Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2"
      ],
      "score": 8,
      "reason": "2 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

tommystendahl commented 9 months ago

@gkunz I think we have fixed what we plan to do at the moment; could you rerun the scan so we can see what it looks like now?

gkunz commented 9 months ago

@tommystendahl: These are the current results. Looks good!

{
  "date": "2024-01-16T23:37:02+01:00",
  "repo": {
    "name": "github.com/Ericsson/ecchronos",
    "commit": "82579668f49afca499daf4443dc28ce82a8873bc"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 7.0,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: status checks require up-to-date branches for 'master'",
        "Info: 'last push approval' enabled on branch 'master'",
        "Info: status check found to merge onto on branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Info: stale review dismissal enabled on branch 'master'",
        "Warn: settings do not apply to administrators on branch 'master'",
        "Info: codeowner review is required on branch 'master'",
        "Info: 'force pushes' disabled on branch 'ecchronos-1.0'",
        "Info: 'allow deletion' disabled on branch 'ecchronos-1.0'",
        "Warn: status checks do not require up-to-date branches for 'ecchronos-1.0'",
        "Info: 'last push approval' enabled on branch 'ecchronos-1.0'",
        "Warn: no status checks found to merge onto branch 'ecchronos-1.0'",
        "Warn: number of required reviewers is only 1 on branch 'ecchronos-1.0'",
        "Info: stale review dismissal enabled on branch 'ecchronos-1.0'",
        "Warn: settings do not apply to administrators on branch 'ecchronos-1.0'",
        "Info: codeowner review is required on branch 'ecchronos-1.0'"
      ],
      "score": 5,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 7,
      "reason": "9 out of 12 merged PRs checked by a CI test -- score normalized to 7",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 4,
      "reason": "found 15 unreviewed changesets out of 26 -- score normalized to 4",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for ericsson"
      ],
      "score": 3,
      "reason": "1 different organizations found -- score normalized to 3",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.md:1",
        "Info: FSF or OSI recognized license: LICENSE.md:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 4 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: containerImage not pinned by hash: cassandra-test-image/src/main/docker/Dockerfile:1",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:22",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:27",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:28",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:29",
        "Info:   6 out of   6 GitHub-owned GitHubAction dependencies pinned",
        "Info:   1 out of   1 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 containerImage dependencies pinned",
        "Info:   0 out of   4 pipCommand dependencies pinned"
      ],
      "score": 2,
      "reason": "dependency not pinned by hash detected -- score normalized to 2",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 16 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Info: security policy file detected: SECURITY.md:1",
        "Info: Found linked content: SECURITY.md:1",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1",
        "Info: Found text in security policy: SECURITY.md:1"
      ],
      "score": 10,
      "reason": "security policy file detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact ecchronos-5.0.0 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/132844476",
        "Info: signed release artifact: ecchronos-binary-5.0.0.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/139256318",
        "Warn: release artifact ecchronos-4.0.5 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/117989757",
        "Info: signed release artifact: ecchronos-binary-4.0.5.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/122435764",
        "Warn: release artifact ecchronos-4.0.4 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/113624663",
        "Info: signed release artifact: ecchronos-binary-4.0.4.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/118688336",
        "Warn: release artifact ecchronos-4.0.3 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/98172371",
        "Info: signed release artifact: ecchronos-binary-4.0.3.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/102400601",
        "Warn: release artifact ecchronos-4.0.2 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/86272519",
        "Info: signed release artifact: ecchronos-binary-4.0.2.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/88423952"
      ],
      "score": 8,
      "reason": "5 out of 5 artifacts are signed or have provenance",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Info: topLevel permissions set to 'read-all': .github/workflows/actions.yml:17",
        "Info: no jobLevel write permissions found"
      ],
      "score": 10,
      "reason": "GitHub workflow tokens follow principle of least privilege",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

tommystendahl commented 8 months ago

Yes, that looks ok. I think we can close the issue for now. @gkunz, thanks for your help in this area.

gkunz commented 8 months ago

Thank you @tommystendahl for adopting this.