ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

How to mitigate C or bash pinned dependencies? #3401

Open spencerschrock opened 1 year ago

spencerschrock commented 1 year ago

Discussed in https://github.com/ossf/scorecard/discussions/3270

Originally posted by **claudioandre-br** July 15, 2023

Hi, I'm receiving this warning:

```
"Warn: downloadThenRun not pinned by hash: deploy/snap/build.sh:43",
```

Remediation steps say:

> For C/C++, check in the code from a trusted source and add a README on the specific version used (and the archive SHA hashes).

* 1st, I tried to fix the issue by adding (inside build.sh):

  ```
  echo "7a25fd926b9a7bc406dca6db5b2802a4a8a4625cc191b9ecdd1291bfcd1146ef ./package_version.sh" | sha256sum -c - || exit 1
  ```

* 2nd, I tried to create some random README file(s) to _**mute**_ the warning.
* Then run experiments [1]: `/host/scorecard --local [...] --checks Pinned-Dependencies --show-details`

Nothing was able to fix, remediate, "correct", "make right".

I'm asking:

* Is it possible to fix the issue?
* "add a README" (exactly where? name it as README, README.md?);
* "and the archive SHA hashes" (exactly how?);

[1]

```
$ /host/scorecard version
./scorecard: OpenSSF Scorecard
GitVersion: (devel)
GitCommit: unknown
GitTreeState: unknown
BuildDate: unknown
GoVersion: go1.18.1
Compiler: gc
Platform: linux/amd64
```
spencerschrock commented 1 year ago

Related to #3339

spencerschrock commented 1 year ago

> 1st, I tried to fix the issue by adding (inside build.sh):

I think that matches the spirit of the check, but isn't something we currently support.

> 2nd, I tried to create some random README file(s) to mute the warning:

cc @laurentsimon I think when the check gets converted to structured results, providing a way to locally ignore certain probes might be a good idea. @gabibguti this may also factor in to maintainer annotations?
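The hash-pinned "download, then run" pattern the reporter was reaching for, written out as an added example that is neither Scorecard's code nor the reporter's build.sh: a POSIX shell helper that fetches an artifact, compares its SHA-256 with a pinned digest, and only then lets it land in place or execute, so a tampered or replaced download is rejected rather than run. It assumes `sha256sum` (or `shasum`) and `curl` are on PATH; the URL, destination and digest passed to `fetch_pinned` are placeholders, and the offline demo at the end uses a constructed empty file.

```shell
#!/usr/bin/env sh
# Added example (not Scorecard's or the reporter's code): the "download, then run"
# pattern with the artifact pinned to a SHA-256 digest before it is used.
# Assumes sha256sum (or shasum) and curl are on PATH; URL/digest are placeholders.
set -eu

# SHA-256 of empty input, a well-known constant used by the offline demo below.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# sha256_of FILE -> hex digest on stdout (portable across coreutils/BSD tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch. Same intent as the
# `echo "<hash>  <file>" | sha256sum -c -` idiom in the issue, with an explicit status.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_pinned URL DEST EXPECTED_HEX: download to a temp path, verify, then move into
# place. A mismatch removes the download so nothing unverified is left behind.
fetch_pinned() {
    tmp=$(mktemp)
    curl -fsSL "$1" -o "$tmp"
    if verify_sha256 "$tmp" "$3"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        echo "digest mismatch for $1; refusing to keep download" >&2
        return 1
    fi
}

# run_pinned FILE EXPECTED_HEX: execute FILE only after its digest checks out.
run_pinned() {
    verify_sha256 "$1" "$2" || { echo "refusing to run $1: digest mismatch" >&2; return 1; }
    sh "$1"
}

# Offline demonstration with a constructed file (no network needed).
demo=$(mktemp)
: > "$demo"                                  # empty file matches EMPTY_SHA256
verify_sha256 "$demo" "$EMPTY_SHA256" && echo "pinned digest matched"
printf 'x' >> "$demo"                        # simulate a tampered download
verify_sha256 "$demo" "$EMPTY_SHA256" || echo "tamper detected; would not run"
rm -f "$demo"
```

Recording the pinned digest next to the URL in the script (or in the README the remediation text mentions) is what makes the pin auditable; the check itself is what keeps a swapped upstream file from executing.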

github-actions[bot] commented 12 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 5 months ago

This issue has been marked stale because it has been open for 60 days with no activity.