Improvement of OpenSSF Scorecard Score

[harshitasao]

What would you like to be added?

Hi, I'm Harshita. I’m working with CNCF and the Google Open Source Security Team for the GSoC 2024 term. We are collaborating to enhance security practices across various CNCF projects. The goal is to improve security for all CNCF projects by both using OpenSSF Scorecards and implementing its security improvements.

As this project already has scorecard action, I'm here to increase the final score by going over each check. I've listed all of the checks where work needs to be done, in order of its criticality. I plan to submit each PR for each fix. Please let me know what you think and for which ones a PR is welcome that I will submit it ASAP.

Current Score: 8.7 Improved Score: 8.9 Scorecard report: https://scorecard.dev/viewer/?uri=github.com/etcd-io/etcd

Here's a few checks we can work on to improve the project's security posture:

• [X] Signed-Releases: Score = 0

  • SLSA provenance needs to be added, which can be done using this, increasing the overall score to 10.
  • Issue: https://github.com/etcd-io/etcd/issues/17873

• [x] Token-Permissions: Score = 9

  • The issue here is that this workflow doesn’t have a top-level read-only permissions block like present in the other workflows.

• [x] Vulnerabilities: Score = 9

  • Affected package:
    1. google.golang.org/grpc
    2. golang.org/x/image
  • Open vulnerabilities are easily exploited by attackers and should be fixed as soon as possible.

• [x] Pinned-Dependencies: Score = 7

  • Some github actions are not pinned by hash, which results in a low score.
  • Pinning dependencies to a specific hash rather than allowing mutable versions or ranges of versions improves supply chain security.

Why is this needed?

Enhances the security posture, increasing user trust and reducing the risk of security exploits.

/cc @joycebrum @diogoteles08 @pnacht @nate-double-u

[ahrtr]

Thanks @harshitasao for raise this enhancement request.

High level makes sense to me, but we need to evaluate the effort & impact of each change. cc @ivanvc @jmhbnz @serathius

[ivanvc]

Token-Permissions, Vulnerabilities, and Pinned-Dependencies are trivial. However, enabling Signed-Releases is a change to the release scripts, which I'm still not very familiar with, maybe someone else can weigh in.

@harshitasao, in Vulnerabilities you mention google.golang.org/grpc. However, the scorecard report only reports golang.org/x/image. Am I missing something?

Our ci check identified the golang.org/x/image vulnerability. But govulncheck has a clean exit (0) https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/etcd-io_etcd/18365/pull-etcd-govulncheck/1816510574830292992#. Because:

=== Module Results ===

No other vulnerabilities found.

Your code is affected by 0 vulnerabilities. This scan also found 1 vulnerability in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.

[jmhbnz]

Thanks @harshitasao for raising this. I would suggest starting with one of the smaller items like pinning actions versions.

We actually have https://github.com/etcd-io/etcd/issues/17873 open to track adding provenance to our release artifacts however this will be complicated by our custom release scripts which will need updates.

[ivanvc]

As I had some free time (and needed a change of gears), I already addressed the smaller items.

[harshitasao]

Closing this issue as all the task are done and a seperate issue is there for adding SLSA provenance #17873