Please consider adopting OpenSSF Scorecard

another-rex commented 1 month ago

Hello!

What is the feature you want to request?

OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of existing entrants.

We feel it helps boost the security credibility of the projects and products we're linking to.

Here's the results of a one-time run:

RESULTS
-------
Aggregate score: 6.6 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Branch-Protection      | internal error: error during   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#branch-protection      |
|         |                        | branchesHandler.setup:         |                                                                                                                       |
|         |                        | internal error:                |                                                                                                                       |
|         |                        | githubv4.Query: Resource not   |                                                                                                                       |
|         |                        | accessible by personal access  |                                                                                                                       |
|         |                        | token                          |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 20 out of 20 merged PRs        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: Passing        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | all changesets reviewed        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#code-review            |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 31 contributing    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 24 issue      | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | SAST                   | SAST tool detected             | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Signed-Releases        | 5 out of the last 5 releases   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#signed-releases        |
|         |                        | have a total of 5 signed       |                                                                                                                       |
|         |                        | artifacts.                     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 94 existing vulnerabilities    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

sschuberth commented 1 month ago

Hi @another-rex, could you please elaborate more what the exact ask is? Is the ask to improve the scores in those areas where ORT currently seems to perform low? If so, let me comment one some of these:

Branch-Protection: There's obviously some error in querying the API.
CII-Best-Practices: I've just made some edits to our entry that should improve the score.
Fuzzing: I believe fuzzing it not applicable for a JVM / locally running CLI application like ORT.
Pinned-Dependencies: We could think about locking dependency versions for Gradle, but in contrast to other ecosystem is a rather uncommon thing to do for JVM projects.
Security-Policy: Indeed we have to formal security policy file. Not sure if we intend to add one.
Signed-Releases: Releases are sign, and starting with the next release also build attestation should start working. Let's see if that gives us the full score.
Token-Permissions: We could investigate how to limit default permissions to the absolute minimum required.
Vulnerabilities: These vulnerabilities likely stem from test projects which deliberately contain vulnerabilities (for ORT itself to detect).

another-rex commented 1 month ago

could you please elaborate more what the exact ask is?

The ask is mostly to use the scorecard github action https://scorecard.dev/#using-the-github-action to keep track of the score, and potentially putting a scorecard badge with the score in your readme: https://github.com/ossf/scorecard/blob/main/README.md#scorecard-badges.

The idea is essentially letting potential users know whether the project roughly follows good practices, as a way to help users decide whether to make use of a project.

Is the ask to improve the scores in those areas where ORT currently seems to perform low

Thanks for the explanation! I think scorecard does a poor job of explaining the score range, but 6.6 is actually not bad! For example other popular ossf projects (e.g. Allstar) has 7.1. Scorecard tries to score for the general case, so scores like vulnerabilities don't really work for a project like this one with test vulnerabilities.

sschuberth commented 1 month ago

I'm adding both the action and badge in https://github.com/oss-review-toolkit/ort/pull/8860. @another-rex any idea why the badge shows a score of 6.1 when your manual run shows 6.6?

another-rex commented 1 month ago

The reason GitHub action score is a bit different is most likely because the scorecard-action has older dependencies compared to the main scorecard (the GitHub action last release is May 20). A new release should be out soon for scorecard action though.

oss-review-toolkit / ort

Please consider adopting OpenSSF Scorecard #8856

What is the feature you want to request?