INRIA / spoon

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
http://spoon.gforge.inria.fr/

Scorecard of Spoon #5216

Open monperrus opened 1 year ago

monperrus commented 1 year ago

Google's Deps.Dev supports Open Source Security Foundation scorecard

https://deps.dev/maven/fr.inria.gforge.spoon%3Aspoon-core/10.3.0

Good news:

Bad news:

How to fix that?

monperrus commented 1 year ago

In particular, we should already have Signed-Releases and Pinned-Dependencies?

What's wrong here?
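Added example, not code from the Spoon project: the Pinned-Dependencies check mentioned above fails when a workflow references an action by a movable tag or branch instead of an immutable commit SHA (or a Docker image by tag instead of digest). The script below applies that rule to a constructed GitHub Actions workflow; the SHA and digest values in it are placeholders, and the workflow is not Spoon's own.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the Spoon repository) with a mix of
# pinned and unpinned references. The 40-hex SHA and sha256 digest are
# placeholder values, not real commits or images.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
      - run: mvn -B verify
"""

# `uses:` at step level or job level (reusable workflows); strip quotes/comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_uses(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'local' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # local composite action: nothing external to pin
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and SHA256_RE.match(image.rsplit("@", 1)[1]):
            return "pinned"  # digest cannot be re-pointed, a tag can
        return "unpinned"
    if "@" not in ref:
        return "unpinned"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    # Only a full commit SHA is immutable; tags and branches can be moved.
    return "pinned" if SHA1_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """List every unpinned `uses:` reference with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_uses(ref) == "unpinned":
            findings.append({"line": lineno, "uses": ref})
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: unpinned reference {f['uses']}")
```

Running it reports `actions/checkout@v4` and `docker://alpine:3.19` as unpinned, while the SHA-pinned action, the digest-pinned image and the local action pass. The real Scorecard check also inspects Dockerfiles and shell download-and-run steps, so this covers only the `uses:` part of the rule.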

monperrus commented 1 year ago

"Signed-Releases": we have old releases with unsigned commits.

Possible solutions:

MartinWitt commented 1 year ago

On the list, an interesting point is https://google.github.io/clusterfuzzlite/. I always hear good feedback about fuzzing, maybe it is time to try it for spoon?

MartinWitt commented 1 year ago

@monperrus you as the owner have to apply here: https://bestpractices.coreinfrastructure.org/en. Then we should get 10 instead of 2 points in the category.

monperrus commented 1 year ago

you as the owner have to apply here: bestpractices.coreinfrastructure.org/en.

done.

should we add the badge to the README?

MartinWitt commented 1 year ago

Hey, I updated our scorecode, and now we have 94% see https://bestpractices.coreinfrastructure.org/en/projects/7377/edit. If you have a different opinion on some fields, feel free to change them.

should we add the badge to the README?

We can include it yes.

monperrus commented 7 months ago

Trusty score computed by trustypkg.dev, from stacklok https://www.trustypkg.dev/maven/fr.inria.gforge.spoon%3Aspoon-core

Score 6.8, green, seems good

monperrus commented 2 months ago

OpenSSF Best Practices: https://www.bestpractices.dev/en/projects/7377

We are almost perfect.

There is still a bug with https, and we would need some accepted dynamic analysis.

monperrus commented 2 weeks ago

FYI, WIP Software Supply Chain Report of INRIA/spoon by dirty-waters

https://gist.github.com/monperrus/34663084981de3c56f3120f932e0a4b7

cc/ @randomicecube @Stamp9

MartinWitt commented 2 weeks ago

Without invoking maven dependency tree, our supply chain is most likely larger than 17

Total packages in the supply chain: 17

I don't even understand how these urls are guessed(?). There is some potential. And a small QoL improvement. Only show what is wrong, don't show me what is correct. You can show the rest later on the page but not so upfront with warning emojis.

monperrus commented 1 week ago

Thanks for the feedback @MartinWitt , the conversation happens at https://github.com/chains-project/dirty-waters/issues/37