ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature: add check for vulnerability alerts #1371

Open laurentsimon opened 2 years ago

laurentsimon commented 2 years ago

Most package managers have a *-audit tool (pip-audit, cargo-audit, npm-audit, etc.) that pulls security advisories from public databases (OSV, CVEs, package-specific databases, etc.). Dependabot and renovatebot also have options to alert users when vulnerabilities in their dependencies are disclosed.

It would be useful to capture this in scorecard. This could live under Dependency-Update-Tool (which we could rename to Dependency-Management-Tool).

For commands, we may need to parse commands in the `run` field of GH workflows, as suggested in https://github.com/ossf/scorecard/issues/1031#issuecomment-967352430, unless there is a GitHub action for it.

Note that we already parse commands for the Pinned-Dependencies check, but we have not yet separated out command parsing: https://github.com/ossf/scorecard/issues/1220
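The detection sketched in this post (find `run:` steps in a workflow and look for an audit-tool invocation among the commands) in working Go, as an added illustration and not code from the scorecard project. The line-based `run:` extractor, the command splitting on `&&`, `||`, `;`, `|` and newlines, the list of recognised invocations and the sample workflow are all this example's own assumptions; a real check would use a YAML library and the shared command parser the issue mentions. One point the example makes that the prose does not: `pip install pip-audit` installs the tool without running it, so the check inspects the command's first token rather than grepping for the name.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleWorkflow is a constructed GitHub Actions workflow used as the
// example's input; it is not taken from any real repository.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Python deps
        run: |
          pip install -r requirements.txt pip-audit
          pip-audit -r requirements.txt
      - name: Node deps
        run: npm ci && npm audit --audit-level=high
      - name: Rust build only
        run: cargo build --release
`

// extractRunScripts returns the shell text of every run: step. It is a
// deliberately small line-based extractor (assumption of this example, no
// YAML library) that handles inline scalars and |/> block scalars by
// collecting the lines indented deeper than the run: key.
func extractRunScripts(workflow string) []string {
	var scripts []string
	lines := strings.Split(workflow, "\n")
	for i := 0; i < len(lines); i++ {
		line := lines[i]
		trimmed := strings.TrimSpace(line)
		if !strings.HasPrefix(trimmed, "run:") && !strings.HasPrefix(trimmed, "- run:") {
			continue
		}
		keyCol := strings.Index(line, "run:")
		value := strings.TrimSpace(line[keyCol+len("run:"):])
		if !strings.HasPrefix(value, "|") && !strings.HasPrefix(value, ">") {
			scripts = append(scripts, strings.Trim(value, `"'`)) // inline scalar
			continue
		}
		var block []string
		j := i + 1
		for ; j < len(lines); j++ {
			l := lines[j]
			if strings.TrimSpace(l) == "" {
				continue // blank lines are allowed inside a block scalar
			}
			if indent := len(l) - len(strings.TrimLeft(l, " ")); indent <= keyCol {
				break // dedented: the block scalar has ended
			}
			block = append(block, strings.TrimSpace(l))
		}
		// Folded (>) scalars are joined with newlines too; for command
		// detection the distinction does not matter.
		scripts = append(scripts, strings.Join(block, "\n"))
		i = j - 1
	}
	return scripts
}

// commandSep splits a shell script into individual simple commands.
var commandSep = regexp.MustCompile(`\s*(?:&&|\|\||;|\||\n)\s*`)

func splitCommands(script string) []string {
	var cmds []string
	for _, c := range commandSep.Split(script, -1) {
		if c = strings.TrimSpace(c); c != "" {
			cmds = append(cmds, c)
		}
	}
	return cmds
}

// auditToolInvoked reports whether a single command *runs* one of the audit
// tools named in the issue. Only the command word is inspected, so installing
// the tool (pip install pip-audit) does not count as an audit.
func auditToolInvoked(cmd string) (string, bool) {
	f := strings.Fields(cmd)
	// Drop leading VAR=value environment assignments.
	for len(f) > 0 && strings.Contains(f[0], "=") && !strings.HasPrefix(f[0], "-") {
		f = f[1:]
	}
	if len(f) == 0 {
		return "", false
	}
	switch {
	case f[0] == "pip-audit":
		return "pip-audit", true
	case len(f) >= 3 && (f[0] == "python" || f[0] == "python3") && f[1] == "-m" && f[2] == "pip_audit":
		return "pip-audit", true
	case f[0] == "cargo-audit", len(f) >= 2 && f[0] == "cargo" && f[1] == "audit":
		return "cargo-audit", true
	case len(f) >= 2 && f[0] == "npm" && f[1] == "audit":
		return "npm-audit", true
	}
	return "", false
}

// detectAuditTools returns the sorted set of audit tools a workflow runs.
func detectAuditTools(workflow string) []string {
	found := map[string]bool{}
	for _, script := range extractRunScripts(workflow) {
		for _, cmd := range splitCommands(script) {
			if tool, ok := auditToolInvoked(cmd); ok {
				found[tool] = true
			}
		}
	}
	tools := make([]string, 0, len(found))
	for t := range found {
		tools = append(tools, t)
	}
	sort.Strings(tools)
	return tools
}

func main() {
	fmt.Println("audit tools invoked:", detectAuditTools(sampleWorkflow))
}
```

On the constructed workflow this reports `[npm-audit pip-audit]`: the `cargo build` step is not an audit, and the `pip install ... pip-audit` line is correctly ignored while the following `pip-audit -r` line is counted.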

laurentsimon commented 2 years ago

cc @di

laurentsimon commented 2 years ago

filed https://github.com/trailofbits/pip-audit/issues/198 to ask whether they are interested in creating a GitHub action for it.

laurentsimon commented 2 years ago

cc @naveensrinivasan @azeemsgoogle @oliverchang @chrismcgehee

laurentsimon commented 2 years ago

I found an API to check for it for dependabot https://github.com/google/go-github/blob/85425ec5f1e4118be4b578e5b6ad07f9ea32cf5f/github/repos.go#L601

naveensrinivasan commented 2 years ago

> I found an API to check for it for dependabot https://github.com/google/go-github/blob/85425ec5f1e4118be4b578e5b6ad07f9ea32cf5f/github/repos.go#L601

That is cool!

laurentsimon commented 2 years ago

should this be its own check or inside Dependency-Update-Tool?

naveensrinivasan commented 2 years ago

IMO no. Probably good for discussion.

laurentsimon commented 2 years ago

@rarkins what do we need to do to detect that dep security alerts are enabled in renovatebot?

rarkins commented 2 years ago

Dependency security alerts don't need explicit enabling in Renovate Bot repository config. If the bot's token has been granted access to the vulnerabilities feed then they'll be automatically used. This is currently the case for renovate[bot] but had been accidentally missing for forking-renovate[bot] until now; it has now been requested of all org admins.

laurentsimon commented 2 years ago

Thanks. So we'll assume renovatebot has this enabled by default.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.