[ https://issues.apache.org/jira/browse/OFBIZ-13200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916002#comment-17916002 ]
Jacques Le Roux commented on OFBIZ-13200:
-----------------------------------------

bq. We can improve Code-Review. I'll later start a thread on dev ML about that.

Documentation:
{quote}This check determines whether the project requires human code review before pull requests (merge requests) are merged. [...] The check determines whether the most recent changes (over the last ~30 commits) have an approval on GitHub or if the merger is different from the committer (implicit review). It also performs a similar check for reviews using Prow (labels "lgtm" or "approved") and Gerrit ("Reviewed-on" and "Reviewed-by"). If recent changes are solely bot activity (e.g. Dependabot, Renovate bot, or custom bots), the check returns inconclusively.{quote}

So we need more "approval" (how?) and preferably not commit our own pushes. Not quite clear for the rest.

> Improve the OpenSSF ScoreCard badge
> -----------------------------------
>
>                 Key: OFBIZ-13200
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13200
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: GitHub
>    Affects Versions: Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Upcoming Branch
>
>
> To be clear it's about:
> !https://api.securityscorecards.dev/projects/github.com/apache/ofbiz-framework/badge!
> Related to:
> !https://github.com/apache/ofbiz-framework/actions/workflows/scorecard.yml/badge.svg!
> !https://www.bestpractices.dev/projects/8708/badge!
> Used in [OFBiz README|https://github.com/apache/ofbiz-framework/blob/trunk/README.adoc] trunk, also for "next" and "stable"
> This could seem to be a toy, but it's really not. Here is the report I generated using Docker on Ubuntu 20.04:
> jacques@jacques-VirtualBox:~/ofbiz-framework$ sudo docker run -e GITHUB_AUTH_TOKEN=... gcr.io/openssf/scorecard:stable --repo=https://github.com/apache/ofbiz-framework
> RESULTS
> -------
> |SCORE|NAME|REASON|DOCUMENTATION/REMEDIATION|
> |9 / 10|Binary-Artifacts|binaries present in source code|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#binary-artifacts|
> |3 / 10|Branch-Protection|branch protection is not maximal on development and all release branches|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#branch-protection|
> |10 / 10|CI-Tests|5 out of 5 merged PRs checked by a CI test - score normalized to 10|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#ci-tests|
> |2 / 10|CII-Best-Practices|badge detected: InProgress|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#cii-best-practices|
> |0 / 10|Code-Review|Found 1/29 approved changesets - score normalized to 0|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#code-review|
> |10 / 10|Contributors|project has 20 contributing companies or organizations|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#contributors|
> |10 / 10|Dangerous-Workflow|no dangerous workflow patterns detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dangerous-workflow|
> |10 / 10|Dependency-Update-Tool|update tool detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#dependency-update-tool|
> |0 / 10|Fuzzing|project is not fuzzed|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#fuzzing|
> |10 / 10|License|license file detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#license|
> |10 / 10|Maintained|30 commit(s) and 0 issue activity found in the last 90 days - score normalized to 10|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#maintained|
> |10 / 10|Packaging|packaging workflow detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#packaging|
> |10 / 10|Pinned-Dependencies|all dependencies are pinned|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#pinned-dependencies|
> |10 / 10|SAST|SAST tool is run on all commits|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#sast|
> |10 / 10|Security-Policy|security policy file detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#security-policy|
> |?|Signed-Releases|no releases found|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#signed-releases|
> |0 / 10|Token-Permissions|detected GitHub workflow tokens with excessive permissions|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#token-permissions|
> |10 / 10|Vulnerabilities|0 existing vulnerabilities detected|https://github.com/ossf/scorecard/blob/975ee2304ef7097c94a377fe95976604b4adcf22/docs/checks.md#vulnerabilities|
> jacques@jacques-VirtualBox:~/ofbiz-framework$
>
> I'll create subtasks for at least each of the issues that concern security

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
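An added illustration (my own code, not scorecard's or OFBiz's) of the Code-Review heuristic quoted in the comment above: a changeset counts as reviewed when it carries a GitHub approval or when its merger differs from its author, and a window made only of bot changes is inconclusive. The changeset layout, the bot list and the plain proportional rounding to 0..10 are assumptions for the demo; scorecard's real scoring may differ.

```python
"""Toy re-implementation of the Code-Review check described in the quoted
scorecard documentation. Assumptions (mine): a changeset records its author,
its merger and any GitHub review states; the score is round(10 * reviewed /
considered); scorecard's own data model and scoring are not reproduced here."""
from dataclasses import dataclass, field

# Constructed bot list standing in for Dependabot / Renovate style accounts.
BOT_AUTHORS = {"dependabot[bot]", "renovate[bot]"}


@dataclass
class Changeset:
    author: str
    merger: str
    approvals: list = field(default_factory=list)  # GitHub review states


def is_reviewed(cs: Changeset) -> bool:
    """Explicit review (an APPROVED GitHub review) or implicit review
    (somebody other than the author merged the change)."""
    if "APPROVED" in cs.approvals:
        return True
    return cs.merger != cs.author


def code_review_score(changesets, window=30):
    """Return (reviewed, considered, score) over the most recent `window`
    changesets. score is None when only bots contributed (inconclusive)."""
    recent = changesets[:window]
    human = [cs for cs in recent if cs.author not in BOT_AUTHORS]
    if not human:
        return 0, 0, None
    reviewed = sum(1 for cs in human if is_reviewed(cs))
    return reviewed, len(human), round(10 * reviewed / len(human))


# Constructed sample: 28 changes pushed by their own author straight to the
# branch, plus one pull request that received an APPROVED review.
SAMPLE = [Changeset("dev-a", "dev-a") for _ in range(28)] + [
    Changeset("dev-b", "dev-b", approvals=["APPROVED"]),
]

if __name__ == "__main__":
    reviewed, total, score = code_review_score(SAMPLE)
    print(f"Found {reviewed}/{total} approved changesets"
          f" - score normalized to {score}")
```

Run as a script it reports the same shape of result as the scorecard row in the comment; the fix the heuristic rewards is having someone other than the author merge, or approve, each change.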