[ https://issues.apache.org/jira/browse/OFBIZ-13200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916005#comment-17916005 ]
Jacques Le Roux commented on OFBIZ-13200:
-----------------------------------------
bq. Not sure about Signed-Releases (even the analysis is unsure).
Documentation:
bq. This check looks for the following filenames in the project's last five
release assets: *.minisig, *.asc (pgp), *.sig, *.sign, *.sigstore,
*.intoto.jsonl.
We should follow that
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
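The quoted Scorecard rule is simple enough to reproduce locally before a release is published, which is cheaper than waiting for the next badge refresh. The block below is an added example and not Scorecard's or OFBiz's own code: it models the documented rule (signature filenames among the assets of the last five releases) and goes one step further by pairing each detached signature with the artifact it is assumed to cover (convention `<artifact>.<sig-suffix>`, an assumption of this example), so a release that ships a `.asc` for its tarball but none for its zip is flagged. The release lists are constructed inline rather than fetched from GitHub.

```python
"""Audit release asset lists for signature files (added example, not Scorecard code).

Models the Signed-Releases rule quoted from the Scorecard documentation and,
as an extension, reports artifacts that have no matching detached signature.
The release data at the bottom is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Suffixes the Scorecard documentation lists for the Signed-Releases check.
SIGNATURE_SUFFIXES = (".minisig", ".asc", ".sig", ".sign", ".sigstore", ".intoto.jsonl")
# Detached, one-file-per-artifact signature formats (assumed naming convention).
DETACHED_SUFFIXES = (".minisig", ".asc", ".sig", ".sign")
# The documented check only looks at the most recent releases.
RELEASES_CONSIDERED = 5


@dataclass
class Release:
    tag: str
    assets: List[str] = field(default_factory=list)


@dataclass
class ReleaseAudit:
    tag: str
    signed: bool                 # at least one signature-type asset present
    unsigned_artifacts: List[str]  # artifacts with no signature covering them


def is_signature_asset(name: str) -> bool:
    """True when the asset name matches one of the documented signature suffixes."""
    return name.lower().endswith(SIGNATURE_SUFFIXES)


def covered_artifact(sig_name: str) -> Optional[str]:
    """Return the artifact a detached signature covers ('<artifact>.<suffix>').

    Bundle-style attestations (*.sigstore, *.intoto.jsonl) can cover several
    files, so None is returned for them.
    """
    lower = sig_name.lower()
    for suffix in DETACHED_SUFFIXES:
        if lower.endswith(suffix):
            return sig_name[: -len(suffix)]
    return None


def audit_releases(releases: List[Release]) -> List[ReleaseAudit]:
    """Audit the newest releases (list order: newest first), like the check does."""
    results = []
    for rel in releases[:RELEASES_CONSIDERED]:
        sigs = [a for a in rel.assets if is_signature_asset(a)]
        artifacts = [a for a in rel.assets if not is_signature_asset(a)]
        covered = {covered_artifact(s) for s in sigs} - {None}
        # A bundle attestation is taken, optimistically, as covering every artifact.
        has_bundle = any(covered_artifact(s) is None for s in sigs)
        unsigned = [] if has_bundle else [a for a in artifacts if a not in covered]
        results.append(ReleaseAudit(rel.tag, signed=bool(sigs), unsigned_artifacts=unsigned))
    return results


def signed_fraction(audits: List[ReleaseAudit]) -> float:
    """Fraction of audited releases carrying at least one signature asset."""
    if not audits:
        return 0.0
    return sum(a.signed for a in audits) / len(audits)


# Constructed sample data: six releases, newest first; the sixth is outside the window.
SAMPLE_RELEASES = [
    Release("v0.4", ["app-0.4.tar.gz", "app-0.4.tar.gz.asc", "app-0.4.zip"]),
    Release("v0.3", ["app-0.3.tar.gz", "app-0.3.tar.gz.sigstore"]),
    Release("v0.2", ["app-0.2.tar.gz"]),
    Release("v0.1", ["app-0.1.tar.gz", "app-0.1.tar.gz.sig"]),
    Release("v0.0.1", ["app-0.0.1.tar.gz", "app-0.0.1.tar.gz.asc"]),
    Release("v0.0.0", ["app-0.0.0.tar.gz"]),
]

if __name__ == "__main__":
    audits = audit_releases(SAMPLE_RELEASES)
    for a in audits:
        print(f"{a.tag}: signed={a.signed} unsigned_artifacts={a.unsigned_artifacts}")
    print(f"signed releases in window: {signed_fraction(audits):.0%}")
```

Feeding it the asset names from the GitHub releases API (or from a local staging directory before upload) shows, per release, both whether the badge rule would be satisfied and which individual files still lack a signature. The pairing by filename is a heuristic; it says nothing about whether the signature actually verifies against the project's published key, which is a separate check to run with the signing tool itself.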
> Improve the OpenSSF ScoreCard badge
> -----------------------------------
>
> Key: OFBIZ-13200
> URL: https://issues.apache.org/jira/browse/OFBIZ-13200
> Project: OFBiz
> Issue Type: Improvement
> Components: GitHub
> Affects Versions: Upcoming Branch
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: Upcoming Branch
>
>
> To be clear it's about:
> !https://api.securityscorecards.dev/projects/github.com/apache/ofbiz-framework/badge!
> Related to:
> !https://github.com/apache/ofbiz-framework/actions/workflows/scorecard.yml/badge.svg!
> !https://www.bestpractices.dev/projects/8708/badge!
> Used in [OFBiz README|https://github.com/apache/ofbiz-framework/blob/trunk/README.adoc] trunk, also for "next" and "stable"
> This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:
> jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=... gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
> RESULTS
> -------
> |SCORE|NAME|REASON|DOCUMENTATION/REMEDIATION|
> |9 / 10|Binary-Artifacts|binaries present in source code|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts]|
> |3 / 10|Branch-Protection|branch protection is not maximal on development and all release branches|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection]|
> |10 / 10|CI-Tests|5 out of 5 merged PRs checked by a CI test - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests]|
> |2 / 10|CII-Best-Practices|badge detected: InProgress|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices]|
> |0 / 10|Code-Review|Found 1/29 approved changesets - score normalized to 0|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review]|
> |10 / 10|Contributors|project has 20 contributing companies or organizations|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors]|
> |10 / 10|Dangerous-Workflow|no dangerous workflow patterns detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow]|
> |10 / 10|Dependency-Update-Tool|update tool detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool]|
> |0 / 10|Fuzzing|project is not fuzzed|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing]|
> |10 / 10|License|license file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license]|
> |10 / 10|Maintained|30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained]|
> |10 / 10|Packaging|packaging workflow detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging]|
> |10 / 10|Pinned-Dependencies|all dependencies are pinned|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies]|
> |10 / 10|SAST|SAST tool is run on all commits|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast]|
> |10 / 10|Security-Policy|security policy file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy]|
> |?|Signed-Releases|no releases found|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases]|
> |0 / 10|Token-Permissions|detected GitHub workflow tokens with excessive permissions|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions]|
> |10 / 10|Vulnerabilities|0 existing vulnerabilities detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities]|
> jacques@jacques-VirtualBox:~/ofbiz-framework$
>
> I'll create subtasks for at least each of the issues that concern security
--
This message was sent by Atlassian Jira
(v8.20.10#820010)