Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implementing OSSF Scorecard #2

Open
1 of 3 tasks
UlisesGascon opened this issue Feb 1, 2024 · 14 comments
Open
1 of 3 tasks

Implementing OSSF Scorecard #2

UlisesGascon opened this issue Feb 1, 2024 · 14 comments

Comments

@UlisesGascon
Copy link
Member

UlisesGascon commented Feb 1, 2024

Some time ago, we implemented the monitoring and review of the OSSF scorecard in the Node.js org, and it significantly contributed to the improvement of many repositories. I believe adopting a similar approach for Express would be highly beneficial. We've developed tools, such as the OpenSSF Scorecard Monitor and OpenSSF Scorecard Visualizer, along with processes that make handling the evolution of scoring straightforward. Despite initial appearances, the process is quite simple.

Context

The goal of Scorecards is to auto-generate a “security score” for open source projects to help users as they decide the trust, risk, and security posture for their use case. This data can also be used to augment any decision making in an automated fashion when new open source dependencies are introduced inside projects or at organizations. For example, organizations may decide that any new dependency with low scores has to go through additional evaluation. These checks could help mitigate malicious dependencies from getting deployed to production systems like we’ve seen recently with malicious NPM packages.
source: openssf Blog

Resources

Next Steps:

I'm enthusiastic about leading these changes in the repos. While we may not be familiar with the OSSF Scorecard, we already have scores for most of our projects. Here is a simple dashboard that I auto-generated. The OSSF team is already tracking our projects using a CRON job, but we can easily enrich them and make some simple patches to increase the scoring.

Most of these changes won't require significant alterations and can be performed in isolated PRs, making them easy to review. If we're in agreement, I can start with the Express project to showcase the process. 👍

@dougwilson
Copy link

If we're in agreement, I can start with the Express project to showcase the process. 👍

Go for it. And if it makes it amy easier you are always welcome to start with any of the smaller, simplier middleware repos.

@inigomarquinez
Copy link
Member

Good afternoon!

I've had a chat with @UlisesGascon to tell him that I am interested in contributing to this initiative, as the OpenSSF Scorecard is something that I like and that I have also helped to implement in the Open Source community of the company where I work.

@UlisesGascon
Copy link
Member Author

Yeah! Welcome aboard @inigomarquinez 🎉

@carpasse
Copy link
Contributor

carpasse commented Mar 7, 2024

Good Morning!

I've also had a chat with @UlisesGascon and I am interested in contributing to this initiative too.

@UlisesGascon
Copy link
Member Author

UlisesGascon commented Mar 7, 2024

As discussed with @inigomarquinez, he will champion this initiative 🎉

@inigomarquinez
Copy link
Member

Thanks for the opportunity @UlisesGascon !

@inigomarquinez
Copy link
Member

We can say that the implementation of the scorecard has been completed in most of the organisations' repositories expressjs, pillarjs and jshttp. The implementation has been the same in all cases, adding a github action in each repository called scorecard.yml (see example here). This action is executed both with each push to master and weekly via a cronjob.

Some repositories of the 3 organisations have been discarded and the scorecard has not been integrated in them for several reasons: they have been deprecated, they have not been updated for a long time (more than 10 years), they are not applicable (documentation repositories) or they have a very low level of downloads and it is more than likely that in the near future they will be archived.

After finalising the integration, the next step is to analyse the scores in the individual repositories and take suggested actions to improve these scores.

@UlisesGascon , should we mark this issue as closed?

@UlisesGascon
Copy link
Member Author

Thanks for all the hard work @inigomarquinez and @carpasse!

@UlisesGascon , should we mark this issue as closed?

I prefer to keep it open until the PRs related to the Express repo are merged, so we can have a clear policy on how to patch the other repositories.

@wesleytodd
Copy link
Member

wesleytodd commented Nov 12, 2024

@carpasse
Copy link
Contributor

@wesleytodd I will try to take a look at the broken ones this week.

@carpasse
Copy link
Contributor

carpasse commented Dec 18, 2024

I've run a bash script to identify repositories with a failed Scorecard Workflow Action. Below is the list of affected repositories organized by organization.

I plan to address them over the next month, but if anyone can take on any of these, please mark it in the checklist below to avoid duplication of effort.

Organization: expressjs

Organization: pillarjs

Organization: jshttp

Feel free to tackle any of these. Just check the box to indicate you're working on it. Thanks!

@carpasse
Copy link
Contributor

carpasse commented Dec 20, 2024

@wesleytodd , could you please review the PR for HTTP Errors and merged if you are ok with it? I looked into the issue with @UlisesGascon , and it’s not failing due to a problem with the code itself but because it can’t obtain the certificate needed to publish the results (link). This issue seems to be outside the control of the GitHub Actions. I was hoping that updating the scorecard action dependency might "fix" it.

@carpasse
Copy link
Contributor

@expressjs/express-tc As @jonkoops mentioned in this comment, we should decide on which tool to use—Dependabot or Renovate—so that we don’t have to perform these version updates manually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants