Comments (5)

gkunz commented on July 28, 2024

Below is a scan result of the current state of the repo:

Low hanging fruits seem to be

  • addition of a SECURITY.MD file,
  • configuration of GITHUB_TOKEN permissions,
  • branch protection settings

Results:

{
  "date": "2023-10-30T13:37:49+01:00",
  "repo": {
    "name": "github.com/Ericsson/ecchronos",
    "commit": "cc17727477141847b4769d663ef58307135032b1"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 5.5,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Warn: branch protection not enabled for branch 'master'",
        "Warn: branch protection not enabled for branch 'ecchronos-1.0'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 8,
      "reason": "17 out of 21 merged PRs checked by a CI test -- score normalized to 8",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 7,
      "reason": "found 9 unreviewed changesets out of 30 -- score normalized to 7",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for ericsson"
      ],
      "score": 3,
      "reason": "1 different organizations found -- score normalized to 3",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.md:1",
        "Info: FSF or OSI recognized license: LICENSE.md:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 27 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/actions.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: cassandra-test-image/src/main/docker/Dockerfile:1",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:22",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:27",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:28",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:29",
        "Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   1 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 containerImage dependencies pinned",
        "Info:   0 out of   4 pipCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 21 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.\nFor additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nProvide a point of contact in your SECURITY.md.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact ecchronos-4.0.5 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/117989757",
        "Info: signed release artifact: ecchronos-binary-4.0.5.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/122435764",
        "Warn: release artifact ecchronos-4.0.4 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/113624663",
        "Info: signed release artifact: ecchronos-binary-4.0.4.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/118688336",
        "Warn: release artifact ecchronos-4.0.3 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/98172371",
        "Info: signed release artifact: ecchronos-binary-4.0.3.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/102400601",
        "Warn: release artifact ecchronos-4.0.2 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/86272519",
        "Info: signed release artifact: ecchronos-binary-4.0.2.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/88423952",
        "Warn: release artifact ecchronos-3.0.0 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/70948619",
        "Info: signed release artifact: ecchronos-binary-3.0.0.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/70126545"
      ],
      "score": 8,
      "reason": "5 out of 5 artifacts are signed or have provenance",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/actions.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/ecchronos/actions.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: no jobLevel write permissions found"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-57m8-f3v5-hm5m",
        "Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2"
      ],
      "score": 8,
      "reason": "2 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}


tommystendahl commented on July 28, 2024

@gkunz I think we fixed what we plan to do at the moment; could you rerun the scan so we can see what it looks like now?


gkunz commented on July 28, 2024

@tommystendahl: These are the current results. Looks good!

{
  "date": "2024-01-16T23:37:02+01:00",
  "repo": {
    "name": "github.com/Ericsson/ecchronos",
    "commit": "82579668f49afca499daf4443dc28ce82a8873bc"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 7.0,
  "checks": [
    {
      "details": null,
      "score": 10,
      "reason": "no binaries found in the repo",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: status checks require up-to-date branches for 'master'",
        "Info: 'last push approval' enabled on branch 'master'",
        "Info: status check found to merge onto on branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Info: stale review dismissal enabled on branch 'master'",
        "Warn: settings do not apply to administrators on branch 'master'",
        "Info: codeowner review is required on branch 'master'",
        "Info: 'force pushes' disabled on branch 'ecchronos-1.0'",
        "Info: 'allow deletion' disabled on branch 'ecchronos-1.0'",
        "Warn: status checks do not require up-to-date branches for 'ecchronos-1.0'",
        "Info: 'last push approval' enabled on branch 'ecchronos-1.0'",
        "Warn: no status checks found to merge onto branch 'ecchronos-1.0'",
        "Warn: number of required reviewers is only 1 on branch 'ecchronos-1.0'",
        "Info: stale review dismissal enabled on branch 'ecchronos-1.0'",
        "Warn: settings do not apply to administrators on branch 'ecchronos-1.0'",
        "Info: codeowner review is required on branch 'ecchronos-1.0'"
      ],
      "score": 5,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 7,
      "reason": "9 out of 12 merged PRs checked by a CI test -- score normalized to 7",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 4,
      "reason": "found 15 unreviewed changesets out of 26 -- score normalized to 4",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for ericsson"
      ],
      "score": 3,
      "reason": "1 different organizations found -- score normalized to 3",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.md:1",
        "Info: FSF or OSI recognized license: LICENSE.md:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 4 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: containerImage not pinned by hash: cassandra-test-image/src/main/docker/Dockerfile:1",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:22",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:27",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:28",
        "Warn: pipCommand not pinned by hash: ecchronos-binary/generate-ecctool-doc.sh:29",
        "Info:   6 out of   6 GitHub-owned GitHubAction dependencies pinned",
        "Info:   1 out of   1 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 containerImage dependencies pinned",
        "Info:   0 out of   4 pipCommand dependencies pinned"
      ],
      "score": 2,
      "reason": "dependency not pinned by hash detected -- score normalized to 2",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 16 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Info: security policy file detected: SECURITY.md:1",
        "Info: Found linked content: SECURITY.md:1",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1",
        "Info: Found text in security policy: SECURITY.md:1"
      ],
      "score": 10,
      "reason": "security policy file detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact ecchronos-5.0.0 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/132844476",
        "Info: signed release artifact: ecchronos-binary-5.0.0.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/139256318",
        "Warn: release artifact ecchronos-4.0.5 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/117989757",
        "Info: signed release artifact: ecchronos-binary-4.0.5.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/122435764",
        "Warn: release artifact ecchronos-4.0.4 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/113624663",
        "Info: signed release artifact: ecchronos-binary-4.0.4.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/118688336",
        "Warn: release artifact ecchronos-4.0.3 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/98172371",
        "Info: signed release artifact: ecchronos-binary-4.0.3.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/102400601",
        "Warn: release artifact ecchronos-4.0.2 does not have provenance: https://api.github.com/repos/Ericsson/ecchronos/releases/86272519",
        "Info: signed release artifact: ecchronos-binary-4.0.2.tar.gz.asc: https://api.github.com/repos/Ericsson/ecchronos/releases/assets/88423952"
      ],
      "score": 8,
      "reason": "5 out of 5 artifacts are signed or have provenance",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Info: topLevel permissions set to 'read-all': .github/workflows/actions.yml:17",
        "Info: no jobLevel write permissions found"
      ],
      "score": 10,
      "reason": "GitHub workflow tokens follow principle of least privilege",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}


tommystendahl commented on July 28, 2024

Yes, that looks ok. I think we can close the issue for now. @gkunz, thanks for your help in this area.


gkunz commented on July 28, 2024

Thank you @tommystendahl for adopting this.
