Comments (11)
Great idea!
I think we'd have to create a separate hook per language-package-manager that can parse out the dependency files and then call the scorecard tool.
It's probably going to be easier to do those hooks in whatever language we're handling.
Do we need a separate repo for each of those, or just one to hold them all?
from scorecard.
Great idea!
I think we'd have to create a separate hook per language-package-manager that can parse out the dependency files and then call the scorecard tool.
It's probably going to be easier to do those hooks in whatever language we're handling.
Do we need a separate repo for each of those, or just one to hold them all?
Probably one to hold them all.
By default, we run all the hooks in the CI run. If it does not find a package lock file for a particular package manager, it bails out. Different hooks can be different jobs in the CI run.
from scorecard.
We need to make at least one check run in the CI/CD pipeline.
from scorecard.
I think I'd like to start work on this issue. Here are some of my thoughts:
- Snyk has multiple open source projects that parse dependency files. They are all written for node.js, so if we are willing to have a dependency on Node, we could support many languages without a great deal of work. Here's a partial list of dependency parsers:
- I would think most users would want to specify a minimum score necessary for dependencies. If so, this issue would be dependent on !346.
- I think users would also want a way to specify certain dependencies that can be allowed to be below the minimum score. This would be useful in an existing project where the goal would be to not add new dependencies below the minimum score.
- Users might also want to specify certain checks that must pass, e.g. enforcing that "Active" has a score of 10.
- Users can include a yaml file to specify options mentioned in previous bullets.
Thoughts on these points?
from scorecard.
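One way the policy file described in the bullets above (minimum score, per-dependency exceptions, required checks) could be enforced in a CI job, as an added example that is not code from the thread or from the scorecard project; the `Policy` and `Result` types, field names and the JSON sample shape are assumptions, and loading the YAML file into `Policy` is left to a YAML library:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type Policy struct { // options proposed in the thread, normally loaded from the user's YAML file
	MinScore       float64            // aggregate score every dependency must reach
	Allow          map[string]float64 // repo -> relaxed threshold for an existing dependency
	RequiredChecks map[string]float64 // check name -> minimum score that check must reach
}

type Result struct { // only the fields of a scorecard JSON result that the policy needs
	Repo   string  `json:"repo"`
	Score  float64 `json:"score"`
	Checks []struct {
		Name  string  `json:"name"`
		Score float64 `json:"score"`
	} `json:"checks"`
}
// Gate returns one sorted message per policy violation; an empty slice means the CI job may pass.
func Gate(p Policy, resultsJSON []byte) ([]string, error) {
	var rs []Result
	if err := json.Unmarshal(resultsJSON, &rs); err != nil {
		return nil, err
	}
	var out []string
	for _, r := range rs {
		floor := p.MinScore
		if alt, ok := p.Allow[r.Repo]; ok { // allowlisted dependency: relaxed threshold applies
			floor = alt
		}
		if r.Score < floor {
			out = append(out, fmt.Sprintf("%s: score %.1f below minimum %.1f", r.Repo, r.Score, floor))
		}
		got := map[string]float64{}
		for _, c := range r.Checks {
			got[c.Name] = c.Score
		}
		for n, want := range p.RequiredChecks {
			if s, ok := got[n]; !ok || s < want { // a missing required check fails, it does not pass
				out = append(out, fmt.Sprintf("%s: check %q scored %.1f, required %.1f", r.Repo, n, s, want))
			}
		}
	}
	sort.Strings(out) // deterministic report regardless of map iteration order
	return out, nil
}
```

The constructed results in the test below use the old "Active" check name from the bullet; a real run would feed the JSON each scorecard invocation emits for a dependency repo.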
Bullets 2 - 4 all make sense to me!
For bullet 1, maybe it can be built in such a way to be pluggable so if there are other projects that parse dependency files, users would have options?
from scorecard.
I do like the idea of a pluggable architecture. I think it would be good for our project to compile in parsers for at least the popular dependency files. That way the user can download a single binary, and it will work out of the box. We can then have an option for the user to configure their own parser.
I cloned one of the Snyk repos I mentioned, and I don't think that will be useful here. They are interested in constructing a graph of all dependencies which is not exactly useful to us.
I did find another project that looks more promising: https://github.com/aquasecurity/go-dep-parser. This can parse dependencies for go.mod, npm, pipenv, composer, and more. Since it's written in Go, we could easily incorporate it. There are some dependency files that include the git repo such as composer.lock. For these ones, we might want to write our own parser so it can read the repo directly and not have to look it up with a web call.
from scorecard.
Let's discuss this in our upcoming bi-weekly.
from scorecard.
did we forget to discuss this in the last meeting?
btw, there's also Google's deps.dev which offers a REST API and would do all the heavy lifting for us.
from scorecard.
did we forget to discuss this in the last meeting?
I saw it wasn't on the agenda, but I didn't bring it up because I'll be working on another issue first. Plus I'll be pretty busy the next few weeks getting our house ready to list.
btw, there's also Google's deps.dev which offers a REST API and would do all the heavy lifting for us.
I'll definitely give that a look!
from scorecard.
Is this something that still needs to be discussed or can it be closed until it comes up again? Allowing 7 days for feedback.
from scorecard.
Going to point to ossf/scorecard-action#1070, as that seems to be relevant discussion. This can be re-opened here as needed.
from scorecard.