
Adopt Secure Software Development Best Practices of OpenSSF Scorecard #659

Open
gkunz opened this issue Nov 2, 2023 · 5 comments
Labels
Target: Developer environment Developer environment issues consist of CodeCompass or 3rd-party build tooling, configuration or CI.

Comments

@gkunz
Contributor

gkunz commented Nov 2, 2023

I'd like to propose to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to adopt best practices to further mature CodeCompass.

The proposed steps include:

  • running Scorecards against the CodeCompass repo,
  • evaluation of the scan results of Scorecards in terms of applicability,
  • adoption and/or implementation of the recommendation considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

@gkunz
Contributor Author

gkunz commented Nov 2, 2023

Below is a scan result of the current state of the repo:

Low-hanging fruit seems to be:

  • addition of a SECURITY.MD file,
  • configuration of GITHUB_TOKEN permissions,
  • branch protection settings

Results:

{
  "date": "2023-10-30T14:03:03+01:00",
  "repo": {
    "name": "github.com/Ericsson/codecompass",
    "commit": "f8d2caf86d3adec69b535c9c6af204153441483e"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 4.3,
  "checks": [
    {
      "details": [
        "Warn: binary detected: lib/java/httpclient-4.5.6.jar:1",
        "Warn: binary detected: lib/java/httpcore-4.4.10.jar:1",
        "Warn: binary detected: lib/java/javax.annotation-api-1.3.2.jar:1",
        "Warn: binary detected: lib/java/libthrift-0.13.0.jar:1",
        "Warn: binary detected: lib/java/log4j-1.2.17.jar:1",
        "Warn: binary detected: lib/java/slf4j-api-1.7.25.jar:1",
        "Warn: binary detected: lib/java/slf4j-log4j12-1.7.25.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-analyzers-common-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-core-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-highlighter-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-memory-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-misc-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queries-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queryparser-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-suggest-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/simplemagic-1.6.jar:1"
      ],
      "score": 0,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Warn: branch protection not enabled for branch 'master'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "12 out of 12 merged PRs checked by a CI test -- score normalized to 10",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 3,
      "reason": "found 11 unreviewed changesets out of 18 -- score normalized to 3",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,GISLab-ELTE,contour-terminal,ericsson,ericsson hungary ltd.,llvm,llvm & @ericsson"
      ],
      "score": 10,
      "reason": "7 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.txt:1",
        "Info: FSF or OSI recognized license: LICENSE.txt:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 19 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/dev/Dockerfile:1: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:7",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:41: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:5",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:11: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:142",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:410",
        "Warn: pipCommand not pinned by hash: .gitlab/cc-env.sh:39",
        "Warn: npmCommand not pinned by hash: .github/workflows/linting.yml:35",
        "Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   3 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 npmCommand dependencies pinned",
        "Info:   0 out of   5 containerImage dependencies pinned",
        "Info:   0 out of   2 downloadThenRun dependencies pinned",
        "Info:   0 out of   1 pipCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 23 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.\nFor additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nProvide a point of contact in your SECURITY.md.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/docker.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/linting.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/tarball.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/tarball.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: no jobLevel write permissions found"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
        "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
      ],
      "score": 7,
      "reason": "3 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
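Two of the low-hanging items in the scan, the missing top-level GITHUB_TOKEN permissions and the actions not pinned by hash, are simple enough that the checks can be shown in a few lines. The Python below is an added illustration, not Scorecard's code and not CodeCompass's ci.yml: it runs line-based approximations of the Token-Permissions and Pinned-Dependencies checks over two constructed workflow snippets, one shaped like the findings above and one hardened. The 40-hex SHAs in the hardened snippet are placeholders, not real commits; a real pin is the commit a tag points at, e.g. from `git ls-remote` on the tag.

```python
"""Line-based approximations of two OpenSSF Scorecard checks (Token-Permissions,
Pinned-Dependencies) over constructed GitHub Actions workflow text.
Added example: not Scorecard's code and not CodeCompass's ci.yml."""
import re

# A `uses:` reference is pinned only when the ref after '@' is a full 40-hex
# commit SHA; a tag or branch name can later be moved to different code.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
GITHUB_OWNED = {"actions", "github"}  # Scorecard reports these separately


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref, kind)] for every action not pinned by hash."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and docker images fall under other rules
        kind = "GitHub-owned" if ref.split("/", 1)[0] in GITHUB_OWNED else "third-party"
        if not SHA40.match(ref.partition("@")[2]):
            findings.append((line_no, ref, kind))
    return findings


def top_level_permissions(workflow_text):
    """Top-level `permissions:` value: a string ('read-all', 'write-all', '{}'),
    a dict of scope -> access for the block form, or None when absent.
    Top-level keys sit at column 0; an indented `permissions:` belongs to a job."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        inline = line[len("permissions:"):].split("#", 1)[0].strip()
        if inline:
            return inline
        scopes = {}
        for child in lines[i + 1:]:
            if not child.startswith(" "):
                break  # reached the next top-level key
            scope, _, access = child.split("#", 1)[0].strip().partition(":")
            scopes[scope] = access.strip()
        return scopes
    return None


def check_token_permissions(workflow_text):
    """Warnings in the spirit of Scorecard's Token-Permissions check (top level)."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["Warn: no topLevel permission defined"]
    if perms == "write-all":
        return ["Warn: topLevel 'write-all' permission defined"]
    if isinstance(perms, dict):
        return [f"Warn: topLevel '{s}' permission set to 'write'"
                for s, access in perms.items() if access == "write"]
    return []  # 'read-all', '{}' or read-only scopes: least privilege at the top


# Constructed snippet shaped like the findings above: no top-level permissions
# (GITHUB_TOKEN gets the repository default) and actions on floating tags.
WEAK_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - uses: docker/login-action@v2
      - run: npm ci
"""

# Hardened form: read-only token by default, write scopes only in the job that
# needs them, every action pinned to a commit SHA with the tag as a comment.
# The SHAs are placeholders; the real one comes from `git ls-remote` on the tag.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.1
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # v4.0.0
      - uses: docker/login-action@fedcba9876543210fedcba9876543210fedcba98  # v3.0.0
      - run: npm ci
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, check_token_permissions(text), find_unpinned_actions(text))
```

The real checks parse the YAML properly and also cover job-level write scopes, Dockerfile base images and the pip/npm/download-then-run cases listed in the scan; this only covers the two items called out as low-hanging fruit. One caveat when pinning: a SHA freezes the action until someone moves it, so the pins need an updater to stay current. The scan already shows Dependabot in use, which can bump hash-pinned actions as well.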

@wbqpk3
Collaborator

wbqpk3 commented Nov 6, 2023

Created issues for each scan with a lower score.

#660
#661
#662
#663
#664
#665
#667
#668
#669

@mcserep mcserep added the Target: Developer environment Developer environment issues consist of CodeCompass or 3rd-party build tooling, configuration or CI. label Nov 8, 2023
@mcserep
Collaborator

mcserep commented Nov 8, 2023

Thanks @gkunz for the evaluation on CodeCompass!

@wbqpk3: I made some remarks on the issues you created, to make a start on them.
Maybe we could also add the OpenSSF Scorecard to our CI pipeline later (https://github.com/ossf/scorecard-action#installation).

@gkunz
Contributor Author

gkunz commented Nov 15, 2023

Hi all,

Thank you for evaluating the findings and recommendations by Scorecard. As shown above, three recommendations have been adopted in the meantime:

  • adding a security policy file,
  • setting GitHub workload token permissions, and
  • enabling some branch protection settings.

The overall score increased from 5.5 to 6.2.

{
  "date": "2023-11-15T15:19:58+01:00",
  "repo": {
    "name": "github.com/Ericsson/CodeCompass",
    "commit": "e23b1dc7af4895ca6823a6d7b1e190eedcf04c8f"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 6.2,
  "checks": [
    {
      "details": [
        "Warn: binary detected: lib/java/httpclient-4.5.6.jar:1",
        "Warn: binary detected: lib/java/httpcore-4.4.10.jar:1",
        "Warn: binary detected: lib/java/javax.annotation-api-1.3.2.jar:1",
        "Warn: binary detected: lib/java/libthrift-0.16.0.jar:1",
        "Warn: binary detected: lib/java/log4j-1.2.17.jar:1",
        "Warn: binary detected: lib/java/slf4j-api-1.7.25.jar:1",
        "Warn: binary detected: lib/java/slf4j-log4j12-1.7.25.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-analyzers-common-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-core-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-highlighter-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-memory-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-misc-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queries-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queryparser-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-suggest-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/simplemagic-1.6.jar:1"
      ],
      "score": 0,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Warn: status checks do not require up-to-date branches for 'master'",
        "Warn: 'last push approval' disabled on branch 'master'",
        "Warn: no status checks found to merge onto branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Warn: stale review dismissal disabled on branch 'master'",
        "Warn: settings do not apply to administrators on branch 'master'",
        "Warn: codeowner review is not required on branch 'master'"
      ],
      "score": 4,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "16 out of 16 merged PRs checked by a CI test -- score normalized to 10",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 6,
      "reason": "found 7 unreviewed changesets out of 22 -- score normalized to 6",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,GISLab-ELTE,contour-terminal,ericsson,ericsson hungary ltd.,llvm,llvm & @ericsson"
      ],
      "score": 10,
      "reason": "7 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.txt:1",
        "Info: FSF or OSI recognized license: LICENSE.txt:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "28 commit(s) out of 30 and 28 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:172: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:178: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:213: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:228: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:242: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/dev/Dockerfile:1: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:7",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:41: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:5",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:11: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:406",
        "Warn: pipCommand not pinned by hash: .gitlab/cc-env.sh:39",
        "Warn: npmCommand not pinned by hash: .github/workflows/linting.yml:37",
        "Info:   0 out of  13 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   3 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   5 containerImage dependencies pinned",
        "Info:   0 out of   1 downloadThenRun dependencies pinned",
        "Info:   0 out of   1 pipCommand dependencies pinned",
        "Info:   0 out of   1 npmCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 24 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Info: security policy file detected: SECURITY.md:1",
        "Info: Found linked content: SECURITY.md:1",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1",
        "Info: Found text in security policy: SECURITY.md:1"
      ],
      "score": 10,
      "reason": "security policy file detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Info: topLevel permissions set to 'read-all': .github/workflows/ci.yml:12",
        "Info: topLevel permissions set to 'read-all': .github/workflows/docker.yml:18",
        "Info: topLevel permissions set to 'read-all': .github/workflows/linting.yml:5",
        "Info: topLevel permissions set to 'read-all': .github/workflows/tarball.yml:10",
        "Info: no jobLevel write permissions found"
      ],
      "score": 10,
      "reason": "GitHub workflow tokens follow principle of least privilege",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
        "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
      ],
      "score": 7,
      "reason": "3 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
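
The Pinned-Dependencies and Token-Permissions findings above come from line-level inspection of the workflow files, Dockerfiles and shell scripts in the repository. The script below is an added example, not Scorecard's own code and not part of the CodeCompass repository: it re-implements a simplified version of those checks and runs them over constructed sample inputs, showing the weak form of each file beside its hardened counterpart. The 40-hex commit SHA in the hardened workflow is a placeholder, not a real actions/checkout commit; the ubuntu:20.04 digest is the one quoted in the scan output.

```python
"""Simplified, line-oriented re-implementation of Scorecard's Pinned-Dependencies
and Token-Permissions checks. Added example, not Scorecard's code; samples are constructed.
Each check returns (line_number, kind, message) tuples; line 0 means "whole file"."""
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
PIP_RE = re.compile(r"\bpip3?\s+install\b")
NPM_RE = re.compile(r"\bnpm\s+(install|i)\b")

def action_pinned(ref: str) -> bool:
    """A `uses:` reference counts as pinned only with a full 40-hex commit SHA after '@'."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True  # local actions and docker:// refs are out of scope here
    return "@" in ref and bool(SHA1_RE.match(ref.rsplit("@", 1)[1]))

def check_shell_commands(text: str) -> list:
    """pip without hash verification, and `npm install` where `npm ci` should be used."""
    out = []
    for i, line in enumerate(text.splitlines(), 1):
        if PIP_RE.search(line) and "--require-hashes" not in line and "--hash=" not in line:
            out.append((i, "pip-unpinned", "pip install without --require-hashes"))
        if NPM_RE.search(line):
            out.append((i, "npm-unpinned", "npm install: use npm ci against the lockfile"))
    return out

def check_workflow(text: str) -> list:
    """Top-level GITHUB_TOKEN permissions, plus SHA pinning of every action used."""
    out, lines, top_perms, in_jobs = [], text.splitlines(), None, False
    for i, line in enumerate(lines):
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
        m = re.match(r"^permissions:\s*(\S*)\s*$", line)
        if m and not in_jobs:
            top_perms = m.group(1) or "<block>"
            if top_perms == "write-all":
                out.append((i + 1, "token-permissions", "top-level write-all"))
            elif top_perms == "<block>":  # mapping form: permissions:\n  contents: write
                for j in range(i + 1, len(lines)):
                    if lines[j].strip() and not lines[j].startswith(" "):
                        break  # dedented: the permissions mapping has ended
                    pm = re.match(r"^\s+([\w-]+):\s*write\s*$", lines[j])
                    if pm:
                        out.append((j + 1, "token-permissions", f"top-level {pm.group(1)}: write"))
        m = USES_RE.match(line)
        if m and not action_pinned(m.group(1)):
            out.append((i + 1, "unpinned-action", f"{m.group(1)} is not pinned to a commit SHA"))
    if top_perms is None:
        out.append((0, "token-permissions", "no top-level permissions: token gets the repo default"))
    return out + check_shell_commands(text)

def check_dockerfile(text: str) -> list:
    """Every FROM that pulls from a registry must carry an @sha256 digest."""
    out, stages = [], {"scratch"}
    for i, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias)
        if image in stages:
            continue  # refers back to an earlier build stage, not a registry pull
        if "@sha256:" not in image:
            out.append((i, "unpinned-image", f"{image} is not pinned by digest"))
    return out + check_shell_commands(text)

# Constructed samples: the weak form beside its hardened counterpart.
WEAK_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
"""
HARDENED_WORKFLOW = """\
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHA (constructed); pin to the commit the release tag resolves to
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
      - run: npm ci
      - run: pip install --require-hashes -r requirements.txt
"""
WEAK_DOCKERFILE = "FROM ubuntu:20.04 AS build\nRUN pip3 install flask\nFROM build\n"
HARDENED_DOCKERFILE = ("FROM ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2"
                       " AS build\nFROM build\n")

if __name__ == "__main__":
    for name, text, fn in [("weak ci.yml", WEAK_WORKFLOW, check_workflow),
                           ("hardened ci.yml", HARDENED_WORKFLOW, check_workflow),
                           ("weak Dockerfile", WEAK_DOCKERFILE, check_dockerfile),
                           ("hardened Dockerfile", HARDENED_DOCKERFILE, check_dockerfile)]:
        print(name, fn(text) or "clean")
```

The real Scorecard checks carry more rules than this (which top-level write permissions are tolerated, `curl | sh` style downloadThenRun patterns, job-level permissions), so the script is an approximation of the logic, not a replacement for running Scorecard. What it does make concrete is the remediation each warning in the scan asks for: a full commit SHA after `@` on every `uses:` line, an `@sha256:` digest on every `FROM` that pulls from a registry, a top-level `permissions: read-all` (or an explicit read-only mapping) in every workflow, `--require-hashes` for pip, and `npm ci` against a lockfile instead of `npm install`.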

@mcserep
Collaborator

mcserep commented Nov 17, 2023

Thanks for the re-evaluation @gkunz! It is nice to see the increase in the achieved score.
