Jacques Le Roux created OFBIZ-13200:
---------------------------------------

Summary: Improve the OpenSSF ScoreCard badge
Key: OFBIZ-13200
URL: https://issues.apache.org/jira/browse/OFBIZ-13200
Project: OFBiz
Issue Type: Improvement
Components: GitHub
Affects Versions: Upcoming Branch
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Fix For: Upcoming Branch

This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:

jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=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 gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
Starting [Packaging]
Starting [Fuzzing]
Starting [License]
Starting [Signed-Releases]
Starting [Dangerous-Workflow]
Starting [Code-Review]
Starting [Contributors]
Starting [SAST]
Starting [Branch-Protection]
Starting [Maintained]
Starting [CI-Tests]
Starting [Token-Permissions]
Starting [Pinned-Dependencies]
Starting [CII-Best-Practices]
Starting [Binary-Artifacts]
Starting [Dependency-Update-Tool]
Starting [Vulnerabilities]
Starting [Security-Policy]
Aggregate score: 7.1 / 10

Check scores:
Finished [Branch-Protection]
Finished [Maintained]
Finished [Code-Review]
Finished [Contributors]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [Dependency-Update-Tool]
Finished [CI-Tests]
Finished [Token-Permissions]
Finished [Pinned-Dependencies]
Finished [CII-Best-Practices]
Finished [Vulnerabilities]
Finished [Security-Policy]
Finished [Signed-Releases]
Finished [Dangerous-Workflow]
Finished [Packaging]
Finished [Fuzzing]
Finished [License]

RESULTS
-------

| SCORE   | NAME                   | REASON                                                                              | DOCUMENTATION/REMEDIATION |
|---------|------------------------|-------------------------------------------------------------------------------------|---------------------------|
| 9 / 10  | Binary-Artifacts       | binaries present in source code                                                     | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts |
| 3 / 10  | Branch-Protection      | branch protection is not maximal on development and all release branches            | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection |
| 10 / 10 | CI-Tests               | 5 out of 5 merged PRs checked by a CI test - score normalized to 10                 | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests |
| 2 / 10  | CII-Best-Practices     | badge detected: InProgress                                                          | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices |
| 0 / 10  | Code-Review            | Found 1/29 approved changesets - score normalized to 0                              | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review |
| 10 / 10 | Contributors           | project has 20 contributing companies or organizations                              | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns detected                                             | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected                                                                | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool |
| 0 / 10  | Fuzzing                | project is not fuzzed                                                               | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing |
| 10 / 10 | License                | license file detected                                                               | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license |
| 10 / 10 | Maintained             | 30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10 | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained |
| 10 / 10 | Packaging              | packaging workflow detected                                                         | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging |
| 10 / 10 | Pinned-Dependencies    | all dependencies are pinned                                                         | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies |
| 10 / 10 | SAST                   | SAST tool is run on all commits                                                     | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast |
| 10 / 10 | Security-Policy        | security policy file detected                                                       | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy |
| ?       | Signed-Releases        | no releases found                                                                   | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases |
| 0 / 10  | Token-Permissions      | detected GitHub workflow tokens with excessive permissions                          | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities        | 0 existing vulnerabilities detected                                                 | https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities |

jacques@jacques-VirtualBox:~/ofbiz-framework$

I'll create subtasks for at least each of the issues that concern security.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
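As an added example, not a workflow from the OFBiz project or from this ticket: the 0 / 10 Token-Permissions result in the report above is the one finding that directly widens the blast radius of a compromised CI step, and the Scorecard remediation for it is a workflow that defaults the GITHUB_TOKEN to read-only and grants write scopes per job. The workflow name, job names, branch name, build command and the choice of CodeQL as the SAST job are assumptions for illustration.

```yaml
# Added example, not an OFBiz workflow. Workflow/job names, branch and commands are assumed.
name: build

on:
  push:
    branches: [trunk]
  pull_request:

# The weak form the Token-Permissions check reports is a workflow that leaves this
# top-level block out, or that sets `permissions: write-all`: every job then runs
# with a GITHUB_TOKEN that can push commits, publish packages and edit releases,
# and any third-party action used by any job inherits that power.
# Hardened form: read-only for the whole workflow by default ...
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only default; building and testing need no write scope.
    steps:
      # Pinned to a tag here for readability; pin to the full commit SHA (with the
      # tag in a trailing comment) to satisfy the Pinned-Dependencies check.
      - uses: actions/checkout@v4
      - run: ./gradlew build

  # ... and widen it per job, one scope at a time, only where a step needs it.
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF results; nothing else is granted
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

A write scope declared under a job's own `permissions` block applies only to that job's steps, so a compromised action in the build job cannot use the codeql job's upload permission. Two related points for the transcript above: the token handed to Scorecard is a personal access token, so `-e GITHUB_AUTH_TOKEN` with no value (docker then copies the variable from the host environment) keeps it out of shell history and out of pasted output, and a token that has already appeared in a public ticket should be treated as disclosed and revoked.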