Adopt Secure Software Development Best Practices of OpenSSF Scorecard #8922

Closed
gkunz opened this issue Oct 9, 2024 · 3 comments
Assignees
Labels
enhancement team:PS Assigned to OTP team PS team:VM Assigned to OTP team VM

Comments

@gkunz

gkunz commented Oct 9, 2024

Is your feature request related to a problem? Please describe.
This feature request proposes to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to strengthen the (supply chain) security posture of the CodeChecker project.

Describe the solution you'd like
The proposed solution is:

  • running Scorecards against the CodeChecker repo,
  • evaluation of the scan results of Scorecards in terms of applicability,
  • adoption and/or implementation of the recommendations considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

@gkunz
Author

gkunz commented Oct 9, 2024

Below are the scan results showing the current state of the repository.

Low-hanging fruit seems to be

  • addition of a SECURITY.MD file,
  • configuration of GITHUB_TOKEN permissions,
  • branch protection settings

Results:

{
  "date": "2024-10-09T21:46:11+02:00",
  "repo": {
    "name": "github.com/erlang/otp",
    "commit": "3b6ef27a06f07e5c24c52955618296a0f0ffab9d"
  },
  "scorecard": {
    "version": "5.0.0",
    "commit": "ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"
  },
  "score": 3.3,
  "checks": [
    {
      "details": [
        "Warn: binary detected: erts/etc/win32/nsis/custom_modern.exe:1",
        "Warn: binary detected: lib/kernel/test/os_SUITE_data/win32/abin/hello.exe:1",
        "Warn: binary detected: lib/stdlib/test/zip_SUITE_data/test.jar:1"
      ],
      "score": 7,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: 'force pushes' disabled on branch 'master'",
        "Warn: branch 'master' does not require approvers",
        "Warn: codeowners review is not required on branch 'master'",
        "Warn: no status checks found to merge onto branch 'master'"
      ],
      "score": 3,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 8,
      "reason": "4 out of 5 merged PRs checked by a CI test -- score normalized to 8",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 1,
      "reason": "Found 4/30 approved changesets -- score normalized to 1",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: esl contributor org/company found, softlab-ntua contributor org/company found, parapluu contributor org/company found, whatwg contributor org/company found, ericsson ab contributor org/company found, erlang solutions contributor org/company found, ericsson contributor org/company found, PistonDevelopers contributor org/company found, SICS contributor org/company found, klarna contributor org/company found, release-project contributor org/company found, protocol-fuzzing contributor org/company found, html5lib contributor org/company found, erlang/otp ericsson ab. contributor org/company found, erlang contributor org/company found, ntua greece + uppsala university sweden contributor org/company found, "
      ],
      "score": 10,
      "reason": "project has 16 contributing companies or organizations",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": [
        "Warn: script injection with untrusted input ' github.event.pull_request.head.ref ': .github/workflows/main.yaml:411"
      ],
      "score": 0,
      "reason": "dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: no dependency update tool configurations found"
      ],
      "score": 0,
      "reason": "no update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no fuzzer integrations found"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: project has a license file: LICENSE.txt:0",
        "Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Info: Project packages its releases by way of GitHub Actions.: .github/workflows/update-base.yaml:13"
      ],
      "score": 10,
      "reason": "packaging workflow detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/inets/examples/httpd_load_test/hdlt.sh.skel:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/meas.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/mstone1.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/mstone2.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: reached $ without matching (( with )): scripts/build-otp-tar:0",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:232: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:234: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:253: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:365: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:456: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:528: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:533: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:563: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:570: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:169: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:219: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:404: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:433: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:438: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:479: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:516: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:597: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:601: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:605: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:609: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:628: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:647: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:353: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:393: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-prs.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-prs.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-prs.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-prs.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-releases.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-releases.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-base.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/update-base.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-base.yaml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/update-base.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-windows-zip.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/upload-windows-zip.yaml/master?enable=pin",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.32-bit:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.64-bit:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.clang:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.cross-compile:5",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.cross-compile:55",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.debian-base:5",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.ubuntu-base:5",
        "Info:   0 out of  46 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   8 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   7 containerImage dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 5 are checked with a SAST tool"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact OTP-26.2.5.4 not signed: https://api.github.com/repos/erlang/otp/releases/179073754",
        "Warn: release artifact OTP-27.1.1 not signed: https://api.github.com/repos/erlang/otp/releases/177594111",
        "Warn: release artifact OTP-25.3.2.14 not signed: https://api.github.com/repos/erlang/otp/releases/175810316",
        "Warn: release artifact OTP-27.1 not signed: https://api.github.com/repos/erlang/otp/releases/175607410",
        "Warn: release artifact OTP-26.2.5.3 not signed: https://api.github.com/repos/erlang/otp/releases/173577083",
        "Warn: release artifact OTP-26.2.5.4 does not have provenance: https://api.github.com/repos/erlang/otp/releases/179073754",
        "Warn: release artifact OTP-27.1.1 does not have provenance: https://api.github.com/repos/erlang/otp/releases/177594111",
        "Warn: release artifact OTP-25.3.2.14 does not have provenance: https://api.github.com/repos/erlang/otp/releases/175810316",
        "Warn: release artifact OTP-27.1 does not have provenance: https://api.github.com/repos/erlang/otp/releases/175607410",
        "Warn: release artifact OTP-26.2.5.3 does not have provenance: https://api.github.com/repos/erlang/otp/releases/173577083"
      ],
      "score": 0,
      "reason": "Project has not signed or included provenance with any releases.",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/main.yaml:584",
        "Info: jobLevel 'issues' permission set to 'read': .github/workflows/pr-comment.yaml:20",
        "Warn: jobLevel 'checks' permission set to 'write': .github/workflows/pr-comment.yaml:59",
        "Info: jobLevel 'contents' permission set to 'read': .github/workflows/update-base.yaml:19",
        "Warn: no topLevel permission defined: .github/workflows/actions-updater.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/main.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/pr-comment.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/sync-github-prs.yaml:1",
        "Warn: topLevel 'contents' permission set to 'write': .github/workflows/sync-github-releases.yaml:12",
        "Warn: topLevel 'actions' permission set to 'write': .github/workflows/sync-github-releases.yaml:13",
        "Warn: no topLevel permission defined: .github/workflows/update-base.yaml:1",
        "Warn: topLevel 'contents' permission set to 'write': .github/workflows/upload-windows-zip.yaml:13"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-9pf7-f47q-mwpq"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
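
The Dangerous-Workflow, Pinned-Dependencies and Token-Permissions findings above all point at the workflow files. As an added example (not code from the erlang/otp repository or from the Scorecard project), the Python below is a small stdlib-only linter for those three patterns. It is run over two constructed workflow snippets: one reproducing the weak settings reported above, and one in the corrected form, with a top-level read-only `permissions:` block, the action pinned to a placeholder commit SHA, and the pull-request head ref passed through an environment variable instead of being interpolated into the `run:` script. The list of untrusted event contexts is an assumption for the example, not Scorecard's own list.

```python
"""Line-based linter for three Scorecard findings in a GitHub Actions workflow
(added example, stdlib only; both workflow texts below are constructed samples)."""
import re

# Event fields an external contributor controls (assumed list; extend as needed).
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.head.ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA = pinned
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")     # `uses: owner/action@ref`
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")       # `${{ expression }}`
WRITE_RE = re.compile(r"^[a-z-]+:\s*write(-all)?\s*$")  # `contents: write` etc.


def lint_workflow(text):
    """Return (line_no, check, message) findings for one workflow file.
    Assumes 2-space YAML indentation with no tabs."""
    findings = []
    in_run, run_indent, has_top_permissions = False, 0, False

    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())

        # Token-Permissions: a top-level block must exist; any write grant is reported.
        if indent == 0 and stripped.startswith("permissions:"):
            has_top_permissions = True
        if WRITE_RE.match(stripped):
            findings.append((no, "Token-Permissions", f"'{stripped}' grants write"))

        # Dangerous-Workflow: track `run: |` blocks so their body lines are inspected.
        if re.match(r"^-?\s*run:\s*[|>]", stripped):
            in_run, run_indent = True, indent
            continue
        if in_run and stripped and indent <= run_indent:
            in_run = False
        if in_run or re.match(r"^-?\s*run:", stripped):
            for expr in EXPR_RE.findall(line):
                if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((no, "Dangerous-Workflow",
                                     f"untrusted input '{expr}' interpolated into run script"))

        # Pinned-Dependencies: the part after '@' must be a full commit SHA.
        m = USES_RE.match(line)
        if m and "@" in m.group(1) and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1)
            if not SHA_RE.match(ref.rsplit("@", 1)[1]):
                findings.append((no, "Pinned-Dependencies", f"'{ref}' not pinned by hash"))

    if not has_top_permissions:
        findings.insert(0, (1, "Token-Permissions", "no topLevel permission defined"))
    return findings


# Constructed sample: the weak shape Scorecard reports above.
WEAK_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Building ${{ github.event.pull_request.head.ref }}"
          make
"""

# Constructed sample: corrected form (placeholder SHA, not a real checkout release).
HARDENED_WORKFLOW = """\
name: ci
on: pull_request_target
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Placeholder SHA (constructed): pin to the real commit of the release you audited.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "Building $HEAD_REF"
          make
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(wf))
```

The environment-variable indirection matters because `${{ }}` expressions are expanded into the script text before the shell runs it, whereas `$HEAD_REF` is read by the shell as data. The linter is intentionally conservative and line-based; Scorecard itself parses the YAML and shell, as the "Possibly incomplete results" entries above show.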

@okeuday
Contributor

okeuday commented Oct 9, 2024

The opaque ex_doc escript binary executable external to this repository that is downloaded and executed when building the documentation in Erlang/OTP >= 27.0 (as described at #8295 ) is something the OpenSSF scan may never catch, but it would be good to mention as a newer security problem that was added recently to the repository.

@rickard-green rickard-green added team:VM Assigned to OTP team VM team:PS Assigned to OTP team PS labels Oct 14, 2024
@kikofernandez
Contributor

kikofernandez commented Nov 25, 2024

@okeuday I understand from #8295 that downloading a binary is problematic. That binary has a sha256 and a sha1, so they are fixed.

That verification could easily break in the future, or the ex_doc source code could have a new problem that is never part of testing due to its separate release process. Using a binary blob in a repository can always lead to problems in new and interesting ways.

I do not think we have the resources to port ex_doc from Elixir to Erlang.

Alternatively, the documentation can also be inspected from the emulator with h(lists, all). I understand it is not ideal to navigate the documentation using the emulator, but the option to use ex_doc relies exclusively on the user. We also have dependencies on C/C++ libraries that depend on the user: if they choose an openssl version that is not up-to-date, suddenly Erlang may be vulnerable to certain kinds of attacks.

I am going to close this issue as we have improved the main issues in this ticket, and there are some other issues that are hardly fixable, like our ways of merging maint into master.

@okeuday feel free to submit a PR with your suggestion, and we can take it into account.
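
The exchange above turns on whether a downloaded build tool pinned by digest is acceptable. As an added example (not code from erlang/otp or ex_doc), the Python below shows the fail-closed shape such a download step should have: the payload is compared against the committed SHA-256 in constant time, nothing is written to disk unless it matches, and the executable bit is set only after verification. The payload and its digest are constructed for the example; the real ex_doc digest is not reproduced here.

```python
"""Verify a downloaded tool against a pinned SHA-256 before installing it
(added example; SAMPLE_PAYLOAD and PINNED_SHA256 are constructed, not ex_doc's)."""
import hashlib
import hmac
import os
import stat
import tempfile

# Stand-in for the fetched escript; constructed for the example.
SAMPLE_PAYLOAD = b"#!/bin/sh\necho constructed ex_doc stand-in\n"
# The digest maintainers would commit beside the download URL. Pin the stronger
# algorithm: a SHA-1 alone is not a collision-resistant pin.
PINNED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def verify_sha256(data, expected_hex):
    """Constant-time comparison of the payload's SHA-256 against the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def install_verified(data, expected_hex, dest_dir, name="tool"):
    """Write the payload into dest_dir only if it matches the pinned digest.
    Returns the installed path, or None when verification fails (nothing is written)."""
    if not verify_sha256(data, expected_hex):
        return None
    path = os.path.join(dest_dir, name)
    # O_EXCL: refuse to overwrite an existing file; start non-executable (0600).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    # Grant the executable bit only after the bytes on disk are the verified ones.
    os.chmod(path, stat.S_IRWXU)
    return path


def run_demo():
    """Install the genuine payload, then offer a tampered one; report both outcomes."""
    with tempfile.TemporaryDirectory() as d:
        good = install_verified(SAMPLE_PAYLOAD, PINNED_SHA256, d)
        installed_and_executable = good is not None and os.access(good, os.X_OK)
        tampered = install_verified(SAMPLE_PAYLOAD + b"# appended\n", PINNED_SHA256, d)
        nothing_written_for_tampered = tampered is None and os.listdir(d) == ["tool"]
    return installed_and_executable, nothing_written_for_tampered


if __name__ == "__main__":
    print(run_demo())
```

The check protects against a swapped or corrupted download, which is the property the comment above relies on; it does nothing about the separate concern raised there, that the pinned binary's own source is never exercised by the repository's tests.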
