DISCUSSION: improvements needed by tools scorecard uses or recommends #1620
Replies: 9 comments 2 replies
-
SARIF dashboard: Display vulnerabilities that are ignored in pull requests github/codeql-action#811
-
I think I mentioned this elsewhere, but since this issue is supposed to track issues in tools scorecard recommends, I'd add a link to a couple of Dependabot issues that have been open for a long time and are unlikely to be fixed anytime soon, in hopes it could maybe affect anything: systemd/systemd#21343 (comment)
-
Make CodeQL or scanning results publicly available, maybe via an opt-in option #1427 (comment)
-
Add pinning variable to GitHub starter workflows actions/starter-workflows#1301
-
It's a long shot but it would be great if LGTM could be used to analyze projects that aren't hosted on GitHub. From https://sourceware.org/bugzilla/show_bug.cgi?id=28659:
I'm not sure if it helps, but that was the "elfutils" project, which I think is pretty critical since it's one of those dependencies that's basically everywhere (including systemd, as it turned out :-))
-
actions/starter-workflows#1299, which may be on the way to being fixed by @varunsh-coder
-
If it still isn't possible to figure out whether the workflow permissions are set to "Read repository contents permission" using the GH API, I think it should be added to the list so that scorecard wouldn't penalize projects without explicit permissions but with that flag on as much.
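The two comments above (the starter-workflow pinning variable and the repository-level "Read repository contents permission" setting that the GH API does not expose) both come down to what a scorecard-style check can actually see: only the workflow file itself. The following added example, which is not scorecard's code or the code of any project linked in this thread, shows a file-only check of that kind over two constructed workflow files: it reports whether a workflow declares an explicit top-level `permissions:` key (a workflow that relies on the repository default is invisible to it, which is exactly why the comment above asks for that case to be listed) and which `uses:` references are not pinned to a full commit SHA or image digest. The regexes, the function names and the SHAs in the sample files are all assumptions made for this example; the SHAs are placeholders, not real commits.

```python
import re

# Constructed sample workflow files (not taken from any real repository).
# First one: no explicit permissions block, actions pinned only to tags.
WORKFLOW_LOOSE = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
      - run: go test ./...
"""

# Second one: top-level read-only token, actions pinned to full commit SHAs.
# The SHAs and digest below are placeholders for the example, not real commits.
WORKFLOW_HARDENED = """\
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.16@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")   # column 0 only: workflow-level key
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")            # action pinned to a full commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")       # container image pinned to a digest


def top_level_permissions(workflow_text):
    """Return the value of a workflow-level `permissions:` key, or None when the
    workflow relies on the repository default, which a file-based check cannot see."""
    for line in workflow_text.splitlines():
        m = TOP_PERMS_RE.match(line)
        if m:
            value = m.group(1).strip()
            # A bare `permissions:` followed by an indented mapping is explicit too.
            return value or "<mapping>"
    return None


def is_pinned(ref):
    """True when a `uses:` reference points at an immutable identifier."""
    if ref.startswith("./"):
        return True                      # local action, versioned with the repo itself
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    return bool(FULL_SHA_RE.search(ref))


def unpinned_uses(workflow_text):
    """Return every `uses:` reference that is pinned to a tag or branch rather than
    a commit SHA or digest (a moving target that can be repointed later)."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            found.append(m.group(1))
    return found


def assess(workflow_text):
    """Summarize the two findings a file-only check can make for one workflow."""
    return {
        "explicit_permissions": top_level_permissions(workflow_text) is not None,
        "unpinned": unpinned_uses(workflow_text),
    }


if __name__ == "__main__":
    for name, text in [("loose", WORKFLOW_LOOSE), ("hardened", WORKFLOW_HARDENED)]:
        print(name, assess(text))
```

Note that `explicit_permissions` being False for the first file does not mean the token is write-capable: the repository may have the read-only default enabled, and nothing in the file reveals that. That is the false positive the comment above describes, and a check working from the file alone can at best flag "not declared" rather than "over-privileged".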
-
@justaugustus I'm not sure why it was moved to the discussions, since most of the "ideas" outlined here are real issues, either producing false positives or preventing scorecard from being used in really collaborative projects. It's true they can't be fixed by the scorecard project, but issues in the dependencies are issues in scorecard as well, so I don't think they should be hidden here.
-
Another relevant issue (for the action) for SARIF: github/codeql-action#986
-
This thread is a collection of issues and improvements we'd like to see in the tools scorecard uses or recommends. It was suggested by @evverx.