nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

OpenSSF Scorecard Report Updated #1327

Closed github-actions[bot] closed 3 months ago

github-actions[bot] commented 4 months ago

OpenSSF Scorecard Report Updated. cc: @nodejs/security-wg

closes: https://github.com/nodejs/security-wg/issues/1326

UlisesGascon commented 4 months ago

The biggest change is in the Node.js repo. Seems like the scoring is affected by "62 Vulnerabilities". See full report


It is the first time that the report is showing this data for Node :thinking:

RafaelGSS commented 4 months ago

Have we confirmed if these CVEs are valid for Node.js? If so, it should have been reported via https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues somehow :confused:

richardlau commented 4 months ago

The last one in the list, https://github.com/advisories/GHSA-36jr-mh4h-2g58, is for d3-color which I don't think we include in Node.js or any of its dependencies.

RafaelGSS commented 4 months ago

I tried to check out v16.x, assuming this action is running on an outdated version of Node.js (v16.x for instance), and indeed we don't have d3-color as a dependency of any kind.
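Checking a flagged advisory against a lockfile the way the thread does for d3-color, as an added example that is not code from nodejs/security-wg or from the OpenSSF Scorecard tooling: it lists the packages in a lockfileVersion 2/3 package-lock.json and reports only those whose locked version falls inside the advisory's OSV-style affected ranges. The lockfile, the `example-pkg` and `@scope/helper` names, and the advisory ids and ranges are constructed sample data.

```javascript
// Added example, not nodejs/security-wg or Scorecard code; the sample lockfile and advisories below are constructed.
function listNpmPackages(lockfile) {
  const found = new Map(); // name -> Set of locked versions; v2/v3 `packages` is keyed by node_modules path
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length); // keeps "@scope/pkg" intact
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(meta.version);
  }
  return found;
}
// Numeric dotted-version compare; pre-release tags are ignored, which is enough for triage.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// OSV semantics: affected from each `introduced` event up to, but not including, the next `fixed`; a trailing `introduced` has no upper bound.
function isVersionAffected(version, ranges) {
  return (ranges || []).some(({ events }) => {
    let open = null;
    for (const ev of events) {
      if (ev.introduced !== undefined) open = ev.introduced;
      else if (ev.fixed !== undefined && open !== null) {
        if (compareVersions(version, open) >= 0 && compareVersions(version, ev.fixed) < 0) return true;
        open = null;
      }
    }
    return open !== null && compareVersions(version, open) >= 0;
  });
}
// Report the advisory's npm packages that are present in the tree at an affected version.
function triageAdvisory(advisory, lockfile) {
  const tree = listNpmPackages(lockfile), hits = [];
  for (const { package: pkg, ranges } of advisory.affected || []) {
    if (pkg.ecosystem !== 'npm' || !tree.has(pkg.name)) continue;
    const versions = [...tree.get(pkg.name)].filter((v) => isVersionAffected(v, ranges));
    if (versions.length) hits.push({ name: pkg.name, versions });
  }
  return hits;
}
// Constructed lockfile: d3-color is absent; example-pkg is locked twice (1.2.3 at top level, 1.3.1 nested).
const sampleLockfile = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'example-pkg': '^1.2.0' } },
  'node_modules/example-pkg': { version: '1.2.3' },
  'node_modules/@scope/helper': { version: '0.4.0', dependencies: { 'example-pkg': '^1.3.0' } },
  'node_modules/@scope/helper/node_modules/example-pkg': { version: '1.3.1' } } };
// Constructed advisories in OSV shape with placeholder ids and constructed ranges.
const advisoryD3 = { id: 'EXAMPLE-ADVISORY-1', affected: [{ package: { ecosystem: 'npm', name: 'd3-color' },
  ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }] }] }] };
const advisoryExample = { id: 'EXAMPLE-ADVISORY-2', affected: [{ package: { ecosystem: 'npm', name: 'example-pkg' },
  ranges: [{ type: 'SEMVER', events: [{ introduced: '1.0.0' }, { fixed: '1.3.0' }] }] }] };
```

Running `triageAdvisory(advisoryD3, sampleLockfile)` returns an empty list, which is the "not a dependency of any kind" outcome from the thread; a warning that survives this check still needs a look at whether the vulnerable code path is reachable.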