microsoft / fluentui-blazor

Microsoft Fluent UI Blazor components library. For use with ASP.NET Core Blazor applications
https://www.fluentui-blazor.net
MIT License
3.89k stars, 377 forks

Score OpenSSF #2958

Open AClerbois opened 5 days ago

AClerbois commented 5 days ago

Hello Boys,

I've just run the tool OpenSSF on my machine.

My objective was to evaluate the product and share the result with you.

More information about OpenSSF on the Microsoft DevBlogs article

This is the final result:

RESULTS

Aggregate score: 6.9 / 10

Check scores:

| Score | Name | Reason | Details | Documentation/Remediation |
|---|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | Binary Artifacts Check |
| 8 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | Info: 'allow deletion' disabled on branch 'dev'; Info: 'force pushes' disabled on branch 'dev'; Info: required approving review count is 1 on branch 'dev' | Branch Protection Check |
| 10 / 10 | CI-Tests | 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 | | CI Tests Check |
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | | CII Best Practices Check |
| 5 / 10 | Code-Review | Found 15/30 approved changesets -- score normalized to 5 | | Code Review Check |
| 10 / 10 | Contributors | project has 28 contributing companies or organizations | | Contributors Check |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | | Dangerous Workflow Check |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update tool: Dependabot | Dependency Update Tool Check |
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations found | Fuzzing Check |
| 10 / 10 | License | license file detected | Info: project has a license file: LICENSE:0; Info: FSF or OSI recognized license: MIT License | License Check |
| 10 / 10 | Maintained | 30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10 | | Maintained Check |
| ? | Packaging | packaging workflow not detected | Warn: no GitHub/GitLab publishing workflow detected | Packaging Check |
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash | Pinned Dependencies Check |
| 7 / 10 | SAST | SAST tool detected but not run on all commits | Info: SAST configuration detected: CodeQL; Warn: 0 commits out of 16 are checked with a SAST tool | SAST Check |
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file detected: SECURITY.md:1 | Security Policy Check |
| ? | Signed-Releases | no releases found | | Signed Releases Check |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | Warn: jobLevel 'checks' permission set to 'write' | Token Permissions Check |
| 8 / 10 | Vulnerabilities | 2 existing vulnerabilities detected | Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275, GHSA-952p-6rrq-rcjv | Vulnerabilities Check |

In my point of view, this result is really interesting to display; we can plan to integrate the badge and try to improve the score with the best Open Source practices proposed: https://scorecard.dev/#run-the-checks

Br,

Adrien C.
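The badge mentioned in the comment above is served from the OpenSSF Scorecard API and is populated by running `ossf/scorecard-action` with `publish_results: true` in the repository's own CI. The workflow below is an added example of that setup, not a file from fluentui-blazor; the branch name `dev` is taken from the report, the cron schedule and file name are assumptions, and the `<commit-sha>` placeholders must be replaced with the real 40-hex release commit of each action before use.

```yaml
# .github/workflows/scorecard.yml  (added example; not part of the repository)
name: OpenSSF Scorecard

on:
  # 'dev' is the branch the report above scanned; publish_results only
  # accepts runs on the repository's default branch.
  push:
    branches: [dev]
  # Weekly re-scan so the published score and badge do not go stale (schedule is an assumption).
  schedule:
    - cron: '30 4 * * 1'
  workflow_dispatch:

# Default the whole workflow token to read-only; each job opts into what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload the SARIF to the Security tab
      id-token: write          # OIDC token the action uses when publish_results is true

    steps:
      # Every action is pinned to a full commit SHA (the Pinned-Dependencies
      # check flags mutable tags such as @v4). <commit-sha> is a placeholder:
      # paste the real commit for the release noted in the trailing comment.
      - name: Checkout
        uses: actions/checkout@<commit-sha> # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@<commit-sha> # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # Sends the result to the OpenSSF API, which is what the badge at
          # https://api.securityscorecards.dev/projects/github.com/<owner>/<repo>/badge reads.
          publish_results: true

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@<commit-sha> # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Once the first run has published, the badge can be embedded in the README as an image pointing at the `/badge` URL above. Because the report also notes Dependabot is already in use, adding a `github-actions` entry to `dependabot.yml` keeps the SHA pins current without manual effort.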

vnbaaij commented 5 days ago

Interesting indeed... but yet another thing we would need to maintain.

Not sure if we have bandwidth for that. Might be that some are low hanging fruit.
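Two of the zero-score checks in the report, Token-Permissions (a job-level `checks: write`) and Pinned-Dependencies (GitHub-owned actions referenced by tag), are fixed by editing the workflow file alone. The before/after pair below is an added illustration of that fix, not the repository's actual CI workflow; the job layout, the use of `actions/setup-dotnet`, and the `<commit-sha>` placeholders are assumptions, and the placeholders must be replaced with real release commits.

```yaml
# BEFORE: the shape the Scorecard findings describe (illustrative, not the real workflow)
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      checks: write                    # Warn: jobLevel 'checks' permission set to 'write'
    steps:
      - uses: actions/checkout@v4      # Warn: GitHub-owned GitHubAction not pinned by hash
      - uses: actions/setup-dotnet@v4  # mutable tag; the maintainer of the tag can move it
      - run: dotnet test
---
# AFTER: read-only default, no job-level write the job does not use, SHA-pinned actions
name: CI
on: [pull_request]

# Workflow-level default. The job's own pass/fail status is reported by GitHub
# without any token permission, so 'dotnet test' needs nothing beyond reading the code.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # <commit-sha> is a placeholder for the 40-hex commit of the release named
      # in the comment; the comment is what Dependabot updates alongside the SHA.
      - uses: actions/checkout@<commit-sha> # vX.Y.Z
        with:
          persist-credentials: false
      - uses: actions/setup-dotnet@<commit-sha> # vX.Y.Z
      - run: dotnet test

  # Only if a step genuinely creates check runs (for example a test-report
  # publisher) should that single job, and no other, be granted:
  #   permissions:
  #     checks: write
```

Pinning by SHA rather than tag means a compromised or force-moved tag on the upstream action cannot change what runs in this repository's CI; the version comment after the SHA is purely for humans and for Dependabot's `github-actions` ecosystem, which rewrites both the SHA and the comment when a new release appears.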