[ https://issues.apache.org/jira/browse/OFBIZ-13200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-13200:
------------------------------------
    Description: 
To be clear it's about:  
!https://api.securityscorecards.dev/projects/github.com/apache/ofbiz-framework/badge!

Related to:  
!https://github.com/apache/ofbiz-framework/actions/workflows/scorecard.yml/badge.svg!
 !https://www.bestpractices.dev/projects/8708/badge!

Used in [OFBiz README|https://github.com/apache/ofbiz-framework/blob/trunk/README.adoc] trunk, also for "next" and "stable"

This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:

jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=... gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
RESULTS
-------
|SCORE|NAME|REASON|DOCUMENTATION/REMEDIATION|
|9 / 10|Binary-Artifacts|binaries present in source code|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts]|
|3 / 10|Branch-Protection|branch protection is not maximal on development and all release branches|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection]|
|10 / 10|CI-Tests|5 out of 5 merged PRs checked by a CI test - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests]|
|2 / 10|CII-Best-Practices|badge detected: InProgress|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices]|
|0 / 10|Code-Review|Found 1/29 approved changesets - score normalized to 0|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review]|
|10 / 10|Contributors|project has 20 contributing companies or organizations|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors]|
|10 / 10|Dangerous-Workflow|no dangerous workflow patterns detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow]|
|10 / 10|Dependency-Update-Tool|update tool detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool]|
|0 / 10|Fuzzing|project is not fuzzed|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing]|
|10 / 10|License|license file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license]|
|10 / 10|Maintained|30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained]|
|10 / 10|Packaging|packaging workflow detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging]|
|10 / 10|Pinned-Dependencies|all dependencies are pinned|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies]|
|10 / 10|SAST|SAST tool is run on all commits|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast]|
|10 / 10|Security-Policy|security policy file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy]|
|?|Signed-Releases|no releases found|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases]|
|0 / 10|Token-Permissions|detected GitHub workflow tokens with excessive permissions|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions]|
|10 / 10|Vulnerabilities|0 existing vulnerabilities detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities]|

jacques@jacques-VirtualBox:~/ofbiz-framework$

 

I'll create subtasks for at least each of the issues that concern security

  was:
This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:

jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=... gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
Starting [Packaging]
Starting [Fuzzing]
Starting [License]
Starting [Signed-Releases]
Starting [Dangerous-Workflow]
Starting [Code-Review]
Starting [Contributors]
Starting [SAST]
Starting [Branch-Protection]
Starting [Maintained]
Starting [CI-Tests]
Starting [Token-Permissions]
Starting [Pinned-Dependencies]
Starting [CII-Best-Practices]
Starting [Binary-Artifacts]
Starting [Dependency-Update-Tool]
Starting [Vulnerabilities]
Starting [Security-Policy]
Aggregate score: 7.1 / 10

Check scores:
Finished [Branch-Protection]
Finished [Maintained]
Finished [Code-Review]
Finished [Contributors]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [Dependency-Update-Tool]
Finished [CI-Tests]
Finished [Token-Permissions]
Finished [Pinned-Dependencies]
Finished [CII-Best-Practices]
Finished [Vulnerabilities]
Finished [Security-Policy]
Finished [Signed-Releases]
Finished [Dangerous-Workflow]
Finished [Packaging]
Finished [Fuzzing]
Finished [License]

RESULTS
-------
|SCORE|NAME|REASON|DOCUMENTATION/REMEDIATION|
|9 / 10|Binary-Artifacts|binaries present in source code|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts]|
|3 / 10|Branch-Protection|branch protection is not maximal on development and all release branches|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection]|
|10 / 10|CI-Tests|5 out of 5 merged PRs checked by a CI test - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests]|
|2 / 10|CII-Best-Practices|badge detected: InProgress|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices]|
|0 / 10|Code-Review|Found 1/29 approved changesets - score normalized to 0|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review]|
|10 / 10|Contributors|project has 20 contributing companies or organizations|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors]|
|10 / 10|Dangerous-Workflow|no dangerous workflow patterns detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow]|
|10 / 10|Dependency-Update-Tool|update tool detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool]|
|0 / 10|Fuzzing|project is not fuzzed|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing]|
|10 / 10|License|license file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license]|
|10 / 10|Maintained|30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained]|
|10 / 10|Packaging|packaging workflow detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging]|
|10 / 10|Pinned-Dependencies|all dependencies are pinned|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies]|
|10 / 10|SAST|SAST tool is run on all commits|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast]|
|10 / 10|Security-Policy|security policy file detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy]|
|?|Signed-Releases|no releases found|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases]|
|0 / 10|Token-Permissions|detected GitHub workflow tokens with excessive permissions|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions]|
|10 / 10|Vulnerabilities|0 existing vulnerabilities detected|[https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities]|

jacques@jacques-VirtualBox:~/ofbiz-framework$

 

I'll create subtasks for at least each of the issues that concern security


> Improve the OpenSSF ScoreCard badge
> -----------------------------------
>
>                 Key: OFBIZ-13200
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13200
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: GitHub
>    Affects Versions: Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Upcoming Branch
>
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

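Added example, not part of this ticket and not code from the Scorecard project: a Python script that reads the JSON Scorecard writes with `--format json`, recomputes the risk-weighted aggregate, and ranks the checks below a gate threshold by how many aggregate points each would recover if brought to 10/10. Assumptions are labelled in the code: the risk level per check and the weights (Critical 10, High 7.5, Medium 5, Low 2.5) are transcribed from Scorecard's checks.md at the time of writing and should be re-checked against the version you run; an inconclusive ("?") check is taken to be emitted as score -1 and to carry no weight; the sample report is constructed from the table above with the details and documentation fields omitted. With those weights the table reproduces the 7.1 / 10 aggregate reported in the earlier description, and the ranking shows why Token-Permissions and Code-Review are worth opening first: each costs about 0.77 points, more than Fuzzing or the CII badge.

```python
"""Triage an OpenSSF Scorecard JSON report (output of `scorecard --format json`)."""
import json

# Risk level per check, transcribed from Scorecard's docs/checks.md (assumption:
# verify against the Scorecard version in use; new checks may be added).
RISK = {}
for _level, _names in {
    "Critical": ["Dangerous-Workflow", "Webhooks"],
    "High": ["Binary-Artifacts", "Branch-Protection", "Code-Review", "Dependency-Update-Tool",
             "Maintained", "Signed-Releases", "Token-Permissions", "Vulnerabilities"],
    "Medium": ["Fuzzing", "Packaging", "Pinned-Dependencies", "SAST", "Security-Policy"],
    "Low": ["CI-Tests", "CII-Best-Practices", "Contributors", "License"],
}.items():
    for _n in _names:
        RISK[_n] = _level

WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}
INCONCLUSIVE = -1  # assumption: Scorecard emits "?" results as score -1 in JSON

# Constructed sample in the shape Scorecard emits, with the scores from the
# report above (details/documentation fields left out).
SAMPLE_REPORT = json.dumps({
    "repo": {"name": "github.com/apache/ofbiz-framework"},
    "score": 7.1,
    "checks": [
        {"name": n, "score": s, "reason": r} for n, s, r in [
            ("Binary-Artifacts", 9, "binaries present in source code"),
            ("Branch-Protection", 3, "branch protection is not maximal on development and all release branches"),
            ("CI-Tests", 10, "5 out of 5 merged PRs checked by a CI test - score normalized to 10"),
            ("CII-Best-Practices", 2, "badge detected: InProgress"),
            ("Code-Review", 0, "Found 1/29 approved changesets - score normalized to 0"),
            ("Contributors", 10, "project has 20 contributing companies or organizations"),
            ("Dangerous-Workflow", 10, "no dangerous workflow patterns detected"),
            ("Dependency-Update-Tool", 10, "update tool detected"),
            ("Fuzzing", 0, "project is not fuzzed"),
            ("License", 10, "license file detected"),
            ("Maintained", 10, "30 commit(s) and 0 issue activity found in the last 90 days"),
            ("Packaging", 10, "packaging workflow detected"),
            ("Pinned-Dependencies", 10, "all dependencies are pinned"),
            ("SAST", 10, "SAST tool is run on all commits"),
            ("Security-Policy", 10, "security policy file detected"),
            ("Signed-Releases", -1, "no releases found"),
            ("Token-Permissions", 0, "detected GitHub workflow tokens with excessive permissions"),
            ("Vulnerabilities", 10, "0 existing vulnerabilities detected"),
        ]
    ],
})


def _weight(check):
    # Checks missing from the table (added in newer Scorecard versions) are
    # assumed Medium; extend RISK rather than relying on this default.
    return WEIGHT[RISK.get(check["name"], "Medium")]


def weighted_mean(checks):
    """Risk-weighted mean of the conclusive check scores, unrounded."""
    total = weights = 0.0
    for c in checks:
        if c["score"] == INCONCLUSIVE:
            continue  # "?" results (e.g. Signed-Releases with no releases) carry no weight
        total += _weight(c) * c["score"]
        weights += _weight(c)
    return total / weights if weights else 0.0


def aggregate(checks):
    """Aggregate score as Scorecard prints it (one decimal)."""
    return round(weighted_mean(checks), 1)


def failing(checks, threshold=7):
    """Conclusive checks scoring below `threshold`, heaviest risk weight first."""
    return sorted(
        (c for c in checks if c["score"] != INCONCLUSIVE and c["score"] < threshold),
        key=lambda c: (-_weight(c), c["name"]),
    )


def gain_if_fixed(checks, name):
    """Aggregate points recovered by raising `name` to 10/10, other checks unchanged."""
    fixed = [dict(c, score=10) if c["name"] == name else c for c in checks]
    return round(weighted_mean(fixed) - weighted_mean(checks), 2)


def triage(report_json, threshold=7):
    """Return (aggregate, rows); each row is (name, score, risk, gain_if_fixed)."""
    checks = json.loads(report_json)["checks"]
    rows = [(c["name"], c["score"], RISK.get(c["name"], "Medium"), gain_if_fixed(checks, c["name"]))
            for c in failing(checks, threshold)]
    return aggregate(checks), rows


if __name__ == "__main__":
    score, rows = triage(SAMPLE_REPORT)
    print(f"aggregate {score} / 10")
    for name, s, risk, gain in rows:
        print(f"  {name:<24} {s:>2}/10  risk={risk:<8} +{gain} if fixed")
```

To use it on a live run, replace the default output with `--format json` on the docker command line above, save the result, and pass the file contents to `triage()`; exiting non-zero when any High or Critical check lands in the rows turns it into a CI gate.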