intel / dffml

The easiest way to use Machine Learning. Mix and match underlying ML libraries and data set sources. Generate new datasets or modify existing ones with ease.
https://intel.github.io/dffml/main/
MIT License
251 stars 138 forks

best practices: ossf scorecard: Pinned Dependencies #1583

Closed pdxjohnny closed 3 months ago

pdxjohnny commented 3 months ago
Pinned-Dependencies
MEDIUM
Determines if the project has declared and pinned the dependencies of its build process.
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
Info: Possibly incomplete results: error parsing shell code: word list can only contain words: scripts/consoletest.sh:5
Warn: containerImage not pinned by hash: scripts/gitpod.Dockerfile:1: pin your Docker image by updating gitpod/workspace-full to gitpod/workspace-full@sha256:8dd34e72ae5b9e6f60d267dd6287befc2cf5ad1a11c64e9d93daa60c952a2154
Warn: containerImage not pinned by hash: service/http/Dockerfile:1: pin your Docker image by updating intelotc/dffml to intelotc/dffml@sha256:ef8c9bae49e840fc6937ea149be8766936457d183647d8bd96bd223bde4edf70
Warn: pipCommand not pinned by hash: Dockerfile:35
Warn: pipCommand not pinned by hash: Dockerfile:36
Warn: pipCommand not pinned by hash: dffml/skel/operations/Dockerfile:27
Warn: pipCommand not pinned by hash: operations/binsec/Dockerfile:26
Warn: pipCommand not pinned by hash: operations/deploy/Dockerfile:26
Warn: pipCommand not pinned by hash: operations/image/Dockerfile:27
Warn: pipCommand not pinned by hash: operations/nlp/Dockerfile:27
Warn: pipCommand not pinned by hash: service/http/Dockerfile:3
Warn: pipCommand not pinned by hash: service/http/Dockerfile:10
Warn: pipCommand not pinned by hash: .ci/deps.sh:30
Warn: pipCommand not pinned by hash: .ci/deps.sh:33
Warn: pipCommand not pinned by hash: .ci/deps.sh:75
Warn: pipCommand not pinned by hash: .ci/deps.sh:78
Warn: pipCommand not pinned by hash: .ci/deps.sh:94
Warn: pipCommand not pinned by hash: .ci/deps.sh:98
Warn: pipCommand not pinned by hash: .ci/deps.sh:103
Warn: pipCommand not pinned by hash: .ci/deps.sh:104
Warn: pipCommand not pinned by hash: .ci/deps.sh:108
Warn: pipCommand not pinned by hash: .ci/deps.sh:112
Warn: pipCommand not pinned by hash: .ci/deps.sh:114
Warn: pipCommand not pinned by hash: .ci/deps.sh:118
Warn: pipCommand not pinned by hash: .ci/dffml-install.sh:5
Warn: pipCommand not pinned by hash: .ci/dffml-install.sh:8
Warn: pipCommand not pinned by hash: .ci/dffml-install.sh:10
Warn: downloadThenRun not pinned by hash: examples/quickstart/model_curl_http.sh:1
Warn: pipCommand not pinned by hash: .github/workflows/alice_async_comms.yml:44
Warn: pipCommand not pinned by hash: .github/workflows/alice_async_comms.yml:45
Warn: pipCommand not pinned by hash: .github/workflows/alice_please_contribute_recommended_community_standards.yml:47
Warn: pipCommand not pinned by hash: .github/workflows/alice_please_contribute_recommended_community_standards.yml:53
Warn: pipCommand not pinned by hash: .github/workflows/alice_shouldi_contribute.yml:47
Warn: pipCommand not pinned by hash: .github/workflows/alice_shouldi_contribute.yml:53
Warn: pipCommand not pinned by hash: .github/workflows/rfc.yml:53
Warn: pipCommand not pinned by hash: .github/workflows/rfc.yml:54
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:401
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:402
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:53
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:54
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:55
Warn: pipCommand not pinned by hash: .github/workflows/testing.yml:56
Info: 43 out of 43 GitHub-owned GitHubAction dependencies pinned
Info: 27 out of 27 third-party GitHubAction dependencies pinned
Info: 8 out of 10 containerImage dependencies pinned
Info: 13 out of 51 pipCommand dependencies pinned
Info: 0 out of 1 downloadThenRun dependencies pinned
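To make the three warning classes in the report above concrete, here is a small checker, added as an illustration for this issue and not Scorecard's own code (Scorecard parses shell with a real parser and covers many more cases than this). It scans constructed Dockerfile, shell and workflow snippets for the same three patterns the report flags: a `FROM` image without an `@sha256:` digest (containerImage), a `pip install` without `--require-hashes` (pipCommand), and a download piped straight into a shell (downloadThenRun), then prints the same `Warn:` / `Info: X out of Y ... pinned` lines. The sample file contents are constructed; the digest used for the pinned image is the one Scorecard suggests above for `gitpod/workspace-full`.

```python
"""Minimal re-implementation of the idea behind Scorecard's Pinned-Dependencies
check (added example, not Scorecard's code; real Scorecard does far more)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A pinned image reference ends in an @sha256:<64 hex chars> digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
AS_RE = re.compile(r"\bAS\s+(\S+)\s*$", re.IGNORECASE)          # build-stage alias
# "pip install", "pip3 install", "python3 -m pip install", also after "RUN".
PIP_RE = re.compile(r"(?:^|\s)(?:python3?\s+-m\s+)?pip3?\s+install\b")
# curl/wget output piped directly into sh/bash (optionally via sudo).
DOWNLOAD_RUN_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")


@dataclass(frozen=True)
class Finding:
    kind: str        # containerImage | pipCommand | downloadThenRun
    pinned: bool     # True when the dependency is pinned by hash
    path: str
    line: int
    text: str


def classify_line(line: str, stage_aliases: frozenset[str]) -> tuple[str, bool] | None:
    """Return (kind, pinned) for a line that declares a dependency, else None."""
    stripped = line.strip()
    m = FROM_RE.match(stripped)
    if m:
        image = m.group(1)
        # "FROM scratch" and references to earlier build stages have nothing to pin.
        if image.lower() == "scratch" or image in stage_aliases:
            return None
        return ("containerImage", bool(DIGEST_RE.search(image)))
    if PIP_RE.search(stripped):
        # Hash-checking mode is what Scorecard counts as "pinned" for pip.
        return ("pipCommand", "--require-hashes" in stripped)
    if DOWNLOAD_RUN_RE.search(stripped):
        return ("downloadThenRun", False)  # nothing verifies what gets executed
    return None


def scan(files: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, content in files.items():
        lines = content.splitlines()
        aliases = set()
        for raw in lines:
            if FROM_RE.match(raw):
                alias = AS_RE.search(raw)
                if alias:
                    aliases.add(alias.group(1))
        for lineno, raw in enumerate(lines, start=1):
            result = classify_line(raw, frozenset(aliases))
            if result:
                kind, pinned = result
                findings.append(Finding(kind, pinned, path, lineno, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, tuple[int, int]]:
    """kind -> (pinned count, total count), like Scorecard's Info lines."""
    totals: dict[str, tuple[int, int]] = {}
    for f in findings:
        pinned, total = totals.get(f.kind, (0, 0))
        totals[f.kind] = (pinned + int(f.pinned), total + 1)
    return totals


def report(findings: list[Finding]) -> list[str]:
    out = [f"Warn: {f.kind} not pinned by hash: {f.path}:{f.line}"
           for f in findings if not f.pinned]
    for kind, (pinned, total) in sorted(summarize(findings).items()):
        out.append(f"Info: {pinned} out of {total} {kind} dependencies pinned")
    return out


# Constructed sample inputs (not files from the repository).
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM python:3.11-slim AS builder\n"           # unpinned base image
        "RUN python3 -m pip install -e .[dev]\n"       # unpinned pip install
        "FROM builder\n"                               # stage alias: nothing to pin
    ),
    "scripts/gitpod.Dockerfile": (
        "FROM gitpod/workspace-full@sha256:"
        "8dd34e72ae5b9e6f60d267dd6287befc2cf5ad1a11c64e9d93daa60c952a2154\n"
        "RUN pip install --require-hashes -r requirements.txt\n"
    ),
    "examples/quickstart/model_curl_http.sh": (
        "curl -sfL https://example.invalid/install.sh | bash\n"  # download-then-run
    ),
}

if __name__ == "__main__":
    for line in report(scan(SAMPLE_FILES)):
        print(line)
```

Remediation follows the same three classes: replace the image tag with the `@sha256:` digest Scorecard prints, generate a hashed requirements file (for example with `pip-compile --generate-hashes` from pip-tools) and install it with `pip install --require-hashes -r requirements.txt`, and replace pipe-to-shell installs with a downloaded file whose checksum is verified before it runs. An editable `pip install -e .` such as the one in the SARIF snippet later in this thread cannot itself carry a hash; the hashed requirements file covers the dependencies it would otherwise pull in.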
pdxjohnny commented 3 months ago
```json
{
   "ruleId": "PinnedDependenciesID",
   "ruleIndex": 4,
   "message": {
      "text": "score is 5: pipCommand not pinned by hash\nClick Remediation section below to solve this issue"
   },
   "locations": [
      {
         "physicalLocation": {
            "region": {
               "startLine": 27,
               "endLine": 27,
               "snippet": {
                  "text": "python3 -m pip install -e .[dev]"
               }
            },
            "artifactLocation": {
               "uri": "operations/nlp/Dockerfile",
               "uriBaseId": "%SRCROOT%"
            }
         },
         "message": {
            "text": "pipCommand not pinned by hash"
         }
      }
   ]
}
```