balteravishay / scorecard

Security Scorecards - Security health metrics for Open Source
Apache License 2.0

[question] Check why packages are downloaded from a private source #5

Closed Ioana37 closed 1 month ago

Ioana37 commented 1 month ago

When exploring the JSON score we see that the pinned dependencies score is 0.

When going over the repo we see that:

What should we make of these findings?

JonDouglas commented 1 month ago

Here are some thoughts.

I reached out to the .NET team to see if someone familiar with dotnet/runtime could validate whether the .yml files have pinned dependencies and the Dockerfiles have SHA hashes. Will get back to people later.

I looked at the original implementation for download validation and it seems okay for checking pinned versions in the old and new NuGet package management styles (packages.config / dotnet CLI version flag).

JonDouglas commented 1 month ago

I have a couple of people looking into it. Here is the error they see so far.

Pinned-Dependencies internal error: error parsing shell code: eng/docker/libraries-sdk.windows.Dockerfile:1:1: & can only immediately follow a statement

About this check: Determines if the project has declared and pinned the dependencies of its build process.

We can also use this to double check things:

https://repos.opensource.microsoft.com/orgs/dotnet/repos/runtime/metrics/openssf

JonDouglas commented 1 month ago

Here's a follow up answer:

I think no, we generally use floating tags for Docker to get security patches. And some of the actions are pinned, but only a light fraction of them.
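The two pinning styles described in the reply above (Docker base images on floating tags, only a fraction of GitHub Actions pinned to a commit) can be checked without going through a shell parser at all. The script below is an added example written for this page; it is not Scorecard's implementation and not anything from dotnet/runtime. The Dockerfile and workflow it scans are constructed inline, and the digest and commit SHA in them are placeholders, not real artifacts. Because it looks only at FROM and `uses:` lines, a Windows Dockerfile whose RUN steps are PowerShell does not trip it the way the parse error quoted earlier in the thread shows.

```python
import re

# Constructed sample inputs for this example (not files from dotnet/runtime).
# The 64-hex digest and 40-hex commit below are placeholders, not real artifacts.
SAMPLE_DOCKERFILE = """\
# escape=`
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
FROM mcr.microsoft.com/dotnet/runtime:8.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM build
"""

SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: dotnet build
"""

SHA256_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_SHA = re.compile(r"@[0-9a-f]{40}$")


def unpinned_docker_images(dockerfile_text):
    """Return (line, image) for each FROM whose base image lacks a sha256 digest.

    Only FROM lines are inspected, so RUN lines written for PowerShell (the
    Windows-container case that a POSIX shell parser rejects) are irrelevant.
    A FROM that names an earlier build stage, or 'scratch', is not an external
    image and is skipped.
    """
    stages = set()
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=...
        if not args:
            continue
        image = args[0]
        if image != "scratch" and image not in stages and not SHA256_DIGEST.search(image):
            findings.append((lineno, image))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])  # later FROM lines may reference this stage by name
    return findings


def unpinned_actions(workflow_text):
    """Return (line, ref) for each `uses:` not pinned to a full 40-hex commit SHA.

    Local actions (./path) live in the repository and need no pin; docker://
    references are held to the same digest rule as Dockerfile FROM lines.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = re.search(r"\buses:\s*([^\s#]+)", line)  # stop at whitespace or a trailing comment
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        pattern = SHA256_DIGEST if ref.startswith("docker://") else COMMIT_SHA
        if not pattern.search(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for name, check, text in [("Dockerfile", unpinned_docker_images, SAMPLE_DOCKERFILE),
                              ("workflow", unpinned_actions, SAMPLE_WORKFLOW)]:
        for lineno, ref in check(text):
            print(f"{name}:{lineno}: not pinned: {ref}")
```

The digest or commit SHA is what makes a reference immutable: `sdk:8.0` and `checkout@v4` are tags the publisher can move, which is exactly the trade-off the reply describes (floating tags pick up security patches without a change in the consuming repo, at the cost of a reproducible build). A tag comment after a pinned SHA, as on the setup-dotnet line, keeps the human-readable version without weakening the pin.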

balteravishay commented 1 month ago

Thanks @JonDouglas. We looked into the parsing issue, and it seems as though this relates to PowerShell not being supported by Scorecard. The failing Dockerfiles are Windows containers that use PowerShell scripts, hence the parsing errors. We should probably open an issue for Scorecard to support Windows containers.

balteravishay commented 1 month ago

But still, the question about pinning the .NET/NuGet projects in this repo remains. These projects do not pin their NuGet dependencies, correct? We couldn't find any trace of this repo pinning its NuGet dependencies, can you? @JonDouglas

aortiz-msft commented 1 month ago

FWIW, we encourage all production repositories to use CPM, so I think it's okay for the scoring system to reflect that.
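For the open question of whether NuGet dependencies are pinned, covering the two styles named earlier in the thread (packages.config and the `dotnet add package` version flag) as well as PackageReference and the Central Package Management file recommended above, here is an added Python example written for this page. It is not Scorecard's implementation and nothing in it is taken from dotnet/runtime: all four manifests it scans are constructed inline, and the rule it applies (exact version means pinned; wildcard, range or missing version means not pinned) is this script's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests for this example; not files from dotnet/runtime.
SAMPLE_PACKAGES_CONFIG = """\
<packages>
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net48" />
</packages>
"""
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Serilog" Version="3.1.*" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="[8.0.0,9.0.0)" />
    <PackageReference Include="System.Text.Json" />
  </ItemGroup>
</Project>
"""
SAMPLE_DIRECTORY_PACKAGES_PROPS = """\
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="System.Text.Json" Version="8.0.5" />
  </ItemGroup>
</Project>
"""
SAMPLE_BUILD_SCRIPT = """\
dotnet add package Newtonsoft.Json --version 13.0.3
dotnet add src/App.csproj package Serilog
"""

PLAIN_VERSION = re.compile(r"^\d+(\.\d+){1,3}(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
DOTNET_ADD = re.compile(r"\bdotnet\s+add\s+(?:\S+\s+)?package\s+(\S+)(.*)$")
VERSION_FLAG = re.compile(r"(^|\s)(-v|--version)(\s|=|$)")


def is_pinned(version):
    """Exact version ('13.0.3', '8.0.0-rc.1', '[13.0.3]'). NuGet reads a bare
    version as a floor ('>= 13.0.3') but restore takes the lowest match, so it
    is deterministic while that version exists; '3.1.*' and '[8.0,9.0)' are not."""
    v = version.strip()
    if v.startswith("[") and v.endswith("]") and "," not in v:
        v = v[1:-1]  # NuGet's explicit exact-version form
    return bool(PLAIN_VERSION.match(v))


def _elements(root, name):
    # Old-style project files carry the 2003 xmlns; match on the local name only.
    return (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name)


def packages_config_findings(xml_text):
    """(id, version) for packages.config entries that are not exact versions."""
    return [(p.get("id"), p.get("version"))
            for p in _elements(ET.fromstring(xml_text), "package")
            if not p.get("version") or not is_pinned(p.get("version"))]


def cpm_versions(props_text):
    """id -> version from Directory.Packages.props; empty when CPM is not enabled."""
    root = ET.fromstring(props_text)
    if not any((e.text or "").strip().lower() == "true"
               for e in _elements(root, "ManagePackageVersionsCentrally")):
        return {}
    return {e.get("Include"): e.get("Version") for e in _elements(root, "PackageVersion")}


def package_reference_findings(csproj_text, central=None):
    """(id, version, reason) for each PackageReference that is not pinned; a
    reference with no Version is resolved through `central` (from cpm_versions)."""
    central = central or {}
    findings = []
    for ref in _elements(ET.fromstring(csproj_text), "PackageReference"):
        pid = ref.get("Include") or ref.get("Update")
        ver = ref.get("Version")
        if ver is None:  # Version may be a child element instead of an attribute
            child = next(_elements(ref, "Version"), None)
            ver = child.text.strip() if child is not None and child.text else None
        if ver is None:
            ver = central.get(pid)
        if ver is None:
            findings.append((pid, None, "no version"))
        elif not is_pinned(ver):
            findings.append((pid, ver, "floating or range"))
    return findings


def dotnet_cli_findings(script_text):
    """(line, package) for each `dotnet add package` run without -v/--version."""
    return [(n, m.group(1)) for n, line in enumerate(script_text.splitlines(), 1)
            if (m := DOTNET_ADD.search(line)) and not VERSION_FLAG.search(m.group(2))]


if __name__ == "__main__":
    print("packages.config:", packages_config_findings(SAMPLE_PACKAGES_CONFIG))
    print("csproj without CPM:", package_reference_findings(SAMPLE_CSPROJ))
    central = cpm_versions(SAMPLE_DIRECTORY_PACKAGES_PROPS)
    print("csproj with CPM:", package_reference_findings(SAMPLE_CSPROJ, central))
    print("build script:", dotnet_cli_findings(SAMPLE_BUILD_SCRIPT))
```

Run against the constructed inputs, the same csproj is reported differently depending on whether Directory.Packages.props is consulted: System.Text.Json has no version of its own and is only pinned because CPM supplies 8.0.5. That is the mechanism behind the recommendation above, and it is also why a checker that reads csproj files in isolation would undercount pinned references in a CPM repository.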

aortiz-msft commented 1 month ago

Also, it's really hard for anyone to make a determination on the security of private sources compared to NuGet.org. So, private vs public shouldn't matter.