search

mm2 / Little-CMS

A free, open source, CMM engine. It provides fast transforms between ICC profiles.
https://www.littlecms.com
MIT License
549 stars 174 forks source link

Suggest Adoption of Scorecard GitHub Action #393

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hey, I'm Diogo and I've raised the issues #366 and #383 contributing with some security enhancements. I'll happily continue contributing with such improvements (it's literally my job, see my profile), but this time I come to suggest the tool that I used myself to find those security issues.

I'd like to suggest that the project add the OpenSSF Scorecard Action. The OpenSSF Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The Action then populates the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted 😄.

Additionally, the tool integrates with the OSV Scanner, which evaluates a project's transitive dependencies looking for known vulnerabilities.

When working on the Security enhancements pointed by Scorecard, you're also able to apply for the OpenSSF's Secure Open Source Rewards program, which financially rewards developers for improving the security of important open source projects

This tool is developed by the OpenSSF in partnership with GitHub and it's already been adopted by 1800+ projects, including TensorflowPyTorchAngular, and Flutter.

If you're interested, let me know and I'll send a PR!

mm2 commented 1 year ago

Hi Diogo, thanks for your contribution.

Just a couple of quick questions:

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

Thanks Marti

diogoteles08 commented 1 year ago

Hi Marti,

  • Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
  • Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
  • Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)

  1. No. The OSV Scanner will work as part of the Scorecard Action, analysing your repo through public GitHub APIs and showing the results at your Security Panel.

  2. No, Scorecards won't require any kind of annotation -- although there is an issue with this idea. After using Scorecard Action, you'll be able to dismiss any false-positives directly on the Security Panel. Then they would not bother you anymore.

  3. Don't worry, the action wouldn't send you any emails haha All the notifications are intended to be shown directly on GitHub

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

I'm Sorry for that, Marti. I have some contact with the SOS team and have already contacted them. I'll get back to you as soon as I have any information.

mm2 commented 1 year ago

Hello Diogo,

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality. Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now. Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

diogoteles08 commented 1 year ago

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality.

Awesome, I'll raise the PR shortly.

Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.

Absolutely, Marti! Your points are totally valid and I really appreciate your patience and time to consider the tool and talk to me about your concerns. Even after adopting the tool, please feel free to reach me for any questions or feedback and I'll be more than happy to help =)

Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

For this I'm afraid I won't be able to help much, though. I've contacted the SOS team and they said they'll look into your email, but they also confessed that there is a long backlog of requests. So unfortunately might not be a short reply.

mm2 commented 1 year ago

Hello @diogoteles08 Sorry to bother you, but after activating the scorecard all commits fail. I traced the scorecard parsing is failing with following error:

2023/07/27 10:41:17 error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/mm2/Little-CMS": context deadline exceeded

Is anything I can do aside disabling scorecard? Thanks!

mm2 commented 1 year ago

Oh, it was github's fault. Re-running the job solved the issue, sorry, just ignore the comment. Thanks!

diogoteles08 commented 1 year ago

Hey @mm2! You're not bothering at all -- I'd be happy to get any feedback. Anyways, I'm also happy to know it worked out 😄

Also, I'm honestly not sure it has any relation with your issue, but you might want to take a look on the possibility of running Scorecard with an specific fine grained token. Although it shouldn't change much how it's already working, I forgot to mention in this issue that this PAT is required to completely evaluating checks such Branch-Protection and (experimental) Webhooks.