
Scorecarddata

Overview

Using Scorecarddata

Miscellaneous

Overview

What is Scorecards?

We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

https://github.com/ossf/scorecard#what-is-scorecards

What is scorecarddata?

Scorecarddata is a tool that parses a project's go.mod/go.sum dependencies and fetches the Scorecard results for those dependencies. It reads them from the public Google BigQuery data set (https://github.com/ossf/scorecard#public-data), table `openssf:scorecardcron.scorecard-v2_latest`.

Why should I use this over running the scorecard CLI?

The scorecard CLI would take a long time to scan hundreds of repositories, and GitHub's API would throttle the requests. This project avoids that by reading the data from the BigQuery table that scorecard populates in a weekly cron job.

What does scorecarddata do?

- parses go.mod/go.sum for your project
- extracts the dependencies' GitHub URLs
- uses those dependencies to filter the BigQuery data, which the scorecard cron job updates every week
- exports the results as JSON
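The first two steps above, as an added example in Go (not the project's own code, which the README later notes is a bash pipeline): it parses a constructed go.mod, handles both single-line and block `require` directives, strips `// indirect` comments, and reduces module paths such as `github.com/godbus/dbus/v5` to the `github.com/<owner>/<repo>` form the BigQuery data is keyed by. Modules hosted outside github.com are skipped, and `replace`/`exclude` directives are ignored; both are simplifications of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGoMod is a constructed go.mod used as offline input for this example.
const sampleGoMod = `module example.com/demo

go 1.19

require github.com/stretchr/testify v1.8.0

require (
	github.com/containerd/ttrpc v1.1.0
	github.com/kisielk/errcheck v1.6.0 // indirect
	golang.org/x/mod v0.5.1
	github.com/godbus/dbus/v5 v5.0.6
)
`

// GitHubRepos parses the text of a go.mod file and returns the distinct
// github.com/<owner>/<repo> paths of its required modules, sorted.
// Modules hosted elsewhere (e.g. golang.org/x/...) are skipped because the
// Scorecard BigQuery data is keyed by GitHub repository.
func GitHubRepos(gomod string) []string {
	seen := map[string]bool{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Strip trailing comments such as "// indirect".
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		var modPath string
		fields := strings.Fields(line)
		if inBlock && len(fields) >= 2 {
			// Inside a require block: "<module> <version>".
			modPath = fields[0]
		} else if len(fields) >= 3 && fields[0] == "require" {
			// Single-line form: "require <module> <version>".
			modPath = fields[1]
		} else {
			continue // module, go, replace, exclude ... lines are not dependencies
		}
		if repo, ok := githubRepo(modPath); ok {
			seen[repo] = true
		}
	}
	out := make([]string, 0, len(seen))
	for r := range seen {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// githubRepo reduces a module path like github.com/godbus/dbus/v5 to the
// repository path github.com/godbus/dbus (the first three path elements).
func githubRepo(modPath string) (string, bool) {
	parts := strings.Split(modPath, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return "", false
	}
	return strings.Join(parts[:3], "/"), true
}

func main() {
	for _, r := range GitHubRepos(sampleGoMod) {
		fmt.Println(r)
	}
}
```

Collapsing `github.com/godbus/dbus/v5` to `github.com/godbus/dbus` matters in practice: major-version suffixes and sub-packages would otherwise produce repository names that never match a row in the Scorecard table, and the dependency would silently get no score.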

Using Scorecarddata

How do I run scorecarddata?

scorecarddata go -m /home/sammy/go/src/github.com/naveensrinivasan/kubernetes --GOOGLE_CLOUD_PROJECT openssf | jq

What are the prerequisites to run?

Can I get additional checks other than the default?

Yes, they are selectable through command-line options:

./scorecarddata --help
scorecarddata uses the scorecard bigquery to fetch results for dependecies.

Usage:
  scorecarddata [flags]
  scorecarddata [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  go          Parses go.mod dependecies and fetches the data from scorecard bigquery for those repositories.
  help        Help about any command
  server      A brief description of your command

Flags:
      --GOOGLE_CLOUD_PROJECT string    The ENV variable that will be used in the BigQuery for querying.
      --config string                  config file (default is $HOME/.scorecarddata.yaml)
      --exclusions-file string         A file with exclusions comma separated by check and value. Example Code-Review,github.com/ossf/scorecard
  -h, --help                           help for scorecarddata
      --scorecard_checks stringArray   The scorecard checks to filter by.Example CI-Tests,Binary-Artifacts etc.https://github.com/ossf/scorecard/blob/main/docs/checks.md (default [Code-Review,Branch-Protection,Pinned-Dependencies,Dependency-Update-Tool,Fuzzing])
  -t, --toggle                         Help message for toggle

Use "scorecarddata [command] --help" for more information about a command.

What do the results from the tool look like?

[
  {
    "Name": "github.com/containerd/ttrpc",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Warn: dependency not pinned by hash (job 'Run Protobuild'): .github/workflows/ci.yml:98",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  },
  {
    "Name": "github.com/kisielk/errcheck",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Info: Third-party actions are pinned",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  }
]

Can I use this in CI and exclude results that I think are false positives?

Yes. Results can be excluded by providing an --exclusions-file that lists one check,repository pair per line:

Pinned-Dependencies,github.com/godbus/dbus
Pinned-Dependencies,github.com/kisielk/errcheck

scorecarddata go -m . --GOOGLE_CLOUD_PROJECT openssf --exclusions-file ./exclusions --scorecard_checks Pinned-Dependencies
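A CI gate built on that output, as an added Go example (not part of scorecarddata itself): it parses the JSON array shown above and an exclusions file in the same `Check,repository` format, drops the excluded pairs, and reports the remaining results whose score is below a threshold. The sample results and exclusions are constructed from the README's examples; the 8-out-of-10 threshold, the `#` comment lines and the strict two-column validation are choices of this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Result mirrors one element of scorecarddata's JSON output.
type Result struct {
	Name    string `json:"Name"`
	Check   string `json:"Check"`
	Score   int    `json:"Score"`
	Details string `json:"Details"`
	Reason  string `json:"Reason"`
}

// sampleResults is constructed from the output shape shown in the README.
const sampleResults = `[
  {"Name": "github.com/containerd/ttrpc", "Check": "Pinned-Dependencies", "Score": 7,
   "Details": "Warn: dependency not pinned by hash (job 'Run Protobuild'): .github/workflows/ci.yml:98",
   "Reason": "dependency not pinned by hash detected -- score normalized to 7"},
  {"Name": "github.com/kisielk/errcheck", "Check": "Pinned-Dependencies", "Score": 7,
   "Details": "Info: Third-party actions are pinned",
   "Reason": "dependency not pinned by hash detected -- score normalized to 7"}
]`

// sampleExclusions is constructed in the "Check,repository" format of --exclusions-file.
const sampleExclusions = `Pinned-Dependencies,github.com/godbus/dbus
Pinned-Dependencies,github.com/kisielk/errcheck
`

// ParseExclusions reads "check,repository" lines into a set keyed by check+"|"+repo.
// Blank lines and '#' comment lines are ignored; anything else that is not
// exactly two comma-separated fields is rejected so a typo cannot silently
// exclude nothing (or everything).
func ParseExclusions(r io.Reader) (map[string]bool, error) {
	ex := map[string]bool{}
	sc := bufio.NewScanner(r)
	n := 0
	for sc.Scan() {
		n++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		if len(parts) != 2 {
			return nil, fmt.Errorf("exclusions line %d: want \"check,repository\", got %q", n, line)
		}
		ex[strings.TrimSpace(parts[0])+"|"+strings.TrimSpace(parts[1])] = true
	}
	return ex, sc.Err()
}

// Filter drops results covered by an exclusion and keeps the rest.
func Filter(results []Result, ex map[string]bool) []Result {
	var kept []Result
	for _, r := range results {
		if !ex[r.Check+"|"+r.Name] {
			kept = append(kept, r)
		}
	}
	return kept
}

// Gate parses the results JSON and the exclusions text, applies the
// exclusions, and returns the remaining results scoring below minScore.
func Gate(resultsJSON, exclusions string, minScore int) ([]Result, error) {
	var results []Result
	if err := json.Unmarshal([]byte(resultsJSON), &results); err != nil {
		return nil, fmt.Errorf("parsing results: %w", err)
	}
	ex, err := ParseExclusions(strings.NewReader(exclusions))
	if err != nil {
		return nil, err
	}
	var failing []Result
	for _, r := range Filter(results, ex) {
		if r.Score < minScore {
			failing = append(failing, r)
		}
	}
	return failing, nil
}

func main() {
	failing, err := Gate(sampleResults, sampleExclusions, 8)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, r := range failing {
		fmt.Printf("FAIL %s %s score=%d: %s\n", r.Name, r.Check, r.Score, r.Reason)
	}
	if len(failing) > 0 {
		os.Exit(1) // non-zero exit fails the CI job
	}
}
```

Exclusions are keyed on the check and repository pair rather than on the repository alone, so accepting one known false positive (here, errcheck's Pinned-Dependencies finding) does not also hide a different check regressing on the same dependency.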

Using it as a server

Scorecarddata can also run as a server that serves requests for checks and repositories.

./scorecarddata server --GOOGLE_CLOUD_PROJECT openssf

This starts an HTTP server on port 8080.

A JSON body like the following can be POSTed to the server to get results:

{
  "repositories": [
    "github.com/stretchr/objx"
  ],
  "checks": [
    "Pinned-Dependencies"
    ]
}
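A client for that endpoint, as an added Go example (not part of the project): it marshals the request body shown above, POSTs it, and decodes the JSON array of results. The README gives the port but not the endpoint path, so the `/` path used in `main`, the 30-second timeout and the 8 MiB response cap are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Request is the JSON body the README shows being posted to the server.
type Request struct {
	Repositories []string `json:"repositories"`
	Checks       []string `json:"checks"`
}

// Result mirrors one element of scorecarddata's JSON output.
type Result struct {
	Name    string `json:"Name"`
	Check   string `json:"Check"`
	Score   int    `json:"Score"`
	Details string `json:"Details"`
	Reason  string `json:"Reason"`
}

// Query POSTs req to url and decodes the JSON array the server returns.
// Non-200 responses are reported as errors, and the body is capped at
// 8 MiB so a misbehaving endpoint cannot exhaust memory (a defensive
// choice of this example, not behaviour documented for the tool).
func Query(client *http.Client, url string, req Request) ([]Result, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	httpReq, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(httpReq)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("server returned %s", resp.Status)
	}
	var results []Result
	if err := json.NewDecoder(io.LimitReader(resp.Body, 8<<20)).Decode(&results); err != nil {
		return nil, fmt.Errorf("decoding response: %w", err)
	}
	return results, nil
}

func main() {
	// Port 8080 comes from the README; the "/" path is an assumption.
	client := &http.Client{Timeout: 30 * time.Second}
	results, err := Query(client, "http://localhost:8080/", Request{
		Repositories: []string{"github.com/stretchr/objx"},
		Checks:       []string{"Pinned-Dependencies"},
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range results {
		fmt.Printf("%s %s score=%d\n", r.Name, r.Check, r.Score)
	}
}
```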

Miscellaneous

How are the go dependencies parsed?

It is bash goo :face_palm:. More on this at explainshell.

How about support for other languages?

If you know how to parse the dependencies for other languages, please open a PR. The interface that needs to be implemented is:

type Deps interface {
