[ https://issues.apache.org/jira/browse/OFBIZ-13200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910731#comment-17910731 ]

Jacques Le Roux commented on OFBIZ-13200:
-----------------------------------------

Branch-Protection is in progress for now with only 2/10. We will see next
Saturday, when the Scorecard will be updated, if we need to do more.

> Improve the OpenSSF ScoreCard badge
> -----------------------------------
>
>                 Key: OFBIZ-13200
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13200
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: GitHub
>    Affects Versions: Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Upcoming Branch
>
>
> This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:
> jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=... gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
> Starting [Packaging]
> Starting [Fuzzing]
> Starting [License]
> Starting [Signed-Releases]
> Starting [Dangerous-Workflow]
> Starting [Code-Review]
> Starting [Contributors]
> Starting [SAST]
> Starting [Branch-Protection]
> Starting [Maintained]
> Starting [CI-Tests]
> Starting [Token-Permissions]
> Starting [Pinned-Dependencies]
> Starting [CII-Best-Practices]
> Starting [Binary-Artifacts]
> Starting [Dependency-Update-Tool]
> Starting [Vulnerabilities]
> Starting [Security-Policy]
> Aggregate score: 7.1 / 10
> Check scores:
> Finished [Branch-Protection]
> Finished [Maintained]
> Finished [Code-Review]
> Finished [Contributors]
> Finished [SAST]
> Finished [Binary-Artifacts]
> Finished [Dependency-Update-Tool]
> Finished [CI-Tests]
> Finished [Token-Permissions]
> Finished [Pinned-Dependencies]
> Finished [CII-Best-Practices]
> Finished [Vulnerabilities]
> Finished [Security-Policy]
> Finished [Signed-Releases]
> Finished [Dangerous-Workflow]
> Finished [Packaging]
> Finished [Fuzzing]
> Finished [License]
> RESULTS
> -------
> |SCORE|NAME|REASON|DOCUMENTATION/REMEDIATION|
> |-----|----|------|-------------------------|
> |9 / 10|Binary-Artifacts|binaries present in source code|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts|
> |3 / 10|Branch-Protection|branch protection is not maximal on development and all release branches|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection|
> |10 / 10|CI-Tests|5 out of 5 merged PRs checked by a CI test - score normalized to 10|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests|
> |2 / 10|CII-Best-Practices|badge detected: InProgress|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices|
> |0 / 10|Code-Review|Found 1/29 approved changesets - score normalized to 0|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review|
> |10 / 10|Contributors|project has 20 contributing companies or organizations|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors|
> |10 / 10|Dangerous-Workflow|no dangerous workflow patterns detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow|
> |10 / 10|Dependency-Update-Tool|update tool detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool|
> |0 / 10|Fuzzing|project is not fuzzed|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing|
> |10 / 10|License|license file detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license|
> |10 / 10|Maintained|30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained|
> |10 / 10|Packaging|packaging workflow detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging|
> |10 / 10|Pinned-Dependencies|all dependencies are pinned|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies|
> |10 / 10|SAST|SAST tool is run on all commits|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast|
> |10 / 10|Security-Policy|security policy file detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy|
> |?|Signed-Releases|no releases found|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases|
> |0 / 10|Token-Permissions|detected GitHub workflow tokens with excessive permissions|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions|
> |10 / 10|Vulnerabilities|0 existing vulnerabilities detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities|
> jacques@jacques-VirtualBox:~/ofbiz-framework$
>  
> I'll create subtasks for at least each of the issues that concern security



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
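The Token-Permissions check in the report above scored 0/10 with the reason "detected GitHub workflow tokens with excessive permissions". Scorecard scores that check on the `permissions` key of each workflow file: a workflow with no top-level `permissions` block inherits the repository-wide default for `GITHUB_TOKEN`, which may be write-all. The following workflow is an added example, not part of this issue and not one of OFBiz's own workflows; it shows the shape the check rewards, with a read-only default at the top level and write access granted only on the single job that needs it. The workflow name, branch name, job names, the Gradle build step and the SARIF-upload step are assumptions.

```yaml
# Added example (not from the OFBiz issue or the project's own workflows):
# a GitHub Actions workflow shaped to satisfy Scorecard's Token-Permissions
# check. Workflow, branch, job and step names below are assumptions.
name: build

on:
  push:
    branches: [trunk]
  pull_request:

# The weak form that Token-Permissions scores 0/10 is simply the absence of
# this block: every job then inherits the repository default for
# GITHUB_TOKEN, which may be write-all. Declare a read-only default here ...
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No job-level override: this job runs with the read-only token above.
    steps:
      - uses: actions/checkout@v4   # Pinned-Dependencies prefers a full commit SHA here
      - run: ./gradlew build        # hypothetical build step

  upload-sast-results:
    needs: build
    runs-on: ubuntu-latest
    # ... and elevate only the one scope a single job genuinely needs,
    # on that job, instead of granting write access workflow-wide.
    permissions:
      contents: read
      security-events: write       # needed only to upload a SARIF report (assumed step)
    steps:
      - uses: actions/checkout@v4
      - run: echo "upload SARIF results here"   # placeholder for the real upload step
```

`permissions: read-all` at the top level is accepted by the check as well; the per-scope form above is more explicit about what each job can touch, and a job that omits its own `permissions` block never gets more than the top-level default.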
