seancfoley / IPAddress

Java library for handling IP addresses and subnets, both IPv4 and IPv6
https://seancfoley.github.io/IPAddress/
Apache License 2.0

Improve OpenSSF Scorecard Score #111

Closed tirerocket closed 1 year ago

tirerocket commented 1 year ago

Hi Sean,

Great library. It took me a while to find a library that supported IPv6 CIDRs :)

I ran the scorecard security tool from https://securityscorecards.dev/ against this repo and it received a 3.8 out of 10. In case you're not familiar with the tool, it basically analyzes the metadata of a Github repository to determine its security maturity.

Do you have any interest in making changes to raise this score? I did an analysis of the tool output below:

| Category | Risk | Score | Thoughts | Resources |
| --- | --- | --- | --- | --- |
| Binary-Artifacts | High | 8/10 | I think this is an 8 because of the biz.aQute.bnd-5.0.1.jar file. Would you consider removing this? | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#binary-artifacts |
| Branch-Protection | High | 6/10 | This can be improved to an 8/10 if we include a status check on the branches (which I think we can configure if we add the CodeQL code scanning action which is listed in a row below). | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#branch-protection |
| Dependency-Update-Tool | High | 0/10 | GitHub has a built-in tool called Dependabot that should be easy to add and is free :) | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#dependency-update-tool |
| Signed-Releases | High | 0/10 | This may take some work on your side. I'm not sure how you publish artifacts but maybe you can take a look at the resource to the right of this column if you have time. | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#signed-releases |
| Security-Policy | Medium | 0/10 | This is just adding a SECURITY.md file that details how to report vulnerabilities. | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#security-policy |
| Fuzzing | Medium | 0/10 | This is probably a longer term project but seems like it might help identify any bugs with the ip/host parsing (if any). | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#fuzzing |
| SAST | Medium | 0/10 | Would need to add a CodeQL GitHub action. I think this one would be pretty straightforward. | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#sast |
| CII-Best-Practices | Low | 0/10 | If we get the score up high enough, you could include a badge :) but I'll leave that up to you. | https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#cii-best-practices |

I'd be happy to assist with PRs for certain areas if you'd like.

Thanks
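A minimal CodeQL code-scanning workflow of the kind the SAST row above refers to, as an added example (not from this issue or the IPAddress repository); the file path, default branch name and JDK version are assumptions. Once the job runs on pull requests it can also be selected as a required status check in branch protection, which is the link the Branch-Protection row draws between the two checks.

```yaml
# .github/workflows/codeql.yml  (assumed path; example file, not from the IPAddress repo)
name: CodeQL

on:
  push:
    branches: [ master ]        # assumed default branch
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '30 4 * * 1'        # weekly run so newly added queries also cover unchanged code

permissions:
  contents: read                # least privilege at the workflow level

jobs:
  analyze:
    name: Analyze (java)        # this job name is what a required status check would reference
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # needed to upload SARIF results to code scanning
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'    # assumed; use the JDK the project actually builds with

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-extended   # broader security query pack than the default

      # Autobuild tries the common Java build tools in turn; replace with an explicit
      # build command if autodetection does not fit this repository's layout.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java"
```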

seancfoley commented 1 year ago

Binary artifacts: The biz.aQute.bnd-5.0.1.jar is needed to publish a manifest for OSGi users. It's only used by the build, so does not impact security of the library itself.

Dependency-Update-Tool: the library has no real dependencies (other than the Java standard library).

Signed-releases: The Maven releases are signed. I only provide jars on GitHub for convenience, but most people would use Maven.

Most of this stuff does not apply to the library.

seancfoley commented 1 year ago

After taking a look at this OpenSSF scorecard, I think it is generally not worth much.

As mentioned in the previous comment, a huge amount of this does not even apply to this library. The stuff that does apply, I don't see a whole lot of value in it.

I have no intention of fuzzing - as if you need to fuzz to be secure. Maybe I don't need fuzzing when I have a test suite with over 40,000 tests. But those tests don't fuzz, so I guess they're useless. But if a library has 10 tests, but they all fuzz, then wow, that library must be totally secure.

I am a single developer, I have no intention of finding another person to do code review just to pump up a fake score. Dozens of people are looking at the code every week. People have been hired to evaluate the code. But apparently that doesn't count.

I do not wish to invoke testing in a "standard" way, as if testing doesn't count unless you can invoke it in a so-called "standard" way, whatever that is supposed to mean. The tests are not standard, so I guess they're useless, so a zero score for me.

I get credit if I add a security.md file, as if that makes any real difference. This is all posturing that has nothing to do with the security of an application. The code is more secure if I add a markdown file to the repo with a specific file name? Are you kidding me?

The fact you are giving me 0 out of 10 in several categories for a library that has experienced zero security issues in nearly a decade while being downloaded half a million times monthly and used in countless popular libraries and apps... this is a joke. This code is in so many apps and libraries by now, for years, while having experienced zero security alerts, you should be giving me 11 out of 10 in every category.

This is not a meaningful use of my time, it's a waste of my time frankly to make me jump through hoops like this, most of them meaningless and worthless, to get some kind of arbitrary score completely unrelated to actual security. I'll bet you have repos getting wonderful scores, yet littered with security issues, considering how these scores are generated.

Sorry, I am not interested.