search

owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://owasp.org/www-project-dep-scan/
MIT License
1.01k stars 97 forks source link

Feature: Please consider adopting OpenSSF Scorecard #324

Open andrewpollock opened 4 months ago

andrewpollock commented 4 months ago

Request Description

OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of legacy entrants.

We feel it helps boost the security credibility of the projects and products we're linking to.

Additional Information

Here's the results of a one-time run:

Aggregate score: 4.1 / 10

RESULTS
-------
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10  | Branch-Protection      | branch protection is not       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                                                                       |
|         |                        | release branches               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | CI-Tests               | 23 out of 23 merged PRs        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                                       |
|         |                        | normalized to 10               |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10  | Code-Review            | Found 6/30 approved changesets | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#code-review            |
|         |                        | -- score normalized to 2       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors           | project has 11 contributing    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#contributors           |
|         |                        | companies or organizations     |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected        | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 9 commit(s) and 14 issue       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | SAST tool is not run on all    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#sast                   |
|         |                        | commits -- score normalized to |                                                                                                                       |
|         |                        | 0                              |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 131 existing vulnerabilities   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
prabhu commented 3 months ago

@andrewpollock Thank you for this suggestion. depscan has its own implementation for risk audit, which can be triggered by running it for a single purl --purl or with --risk-audit argument. We are in the process of enhancing it for v6 and adding a self risk audit to the workflow, along with a self depscan.

Over time, we will make depscan more aligned with OWASP SCVS. This way the community might benefit from multiple styles of risk evaluation rather than relying on a single scoring project.