Use Scorecard on OSS-Fuzz #7425
Comments
@laurentsimon
It's not really practical to compile these binaries during tests, we don't want compilers as dependencies for OSS-Fuzz. I can file an issue about this.

Branch-Protection: 2/10
Other complaints: Stale approvals not dismissed seems somewhat important to me, but enforcing this would increase maintainers' workloads and make things harder for users.

SAST: 0/10
Do we need to use codeql to get the full score?

Pinned-Dependencies: 0/10
This one has too many false positives/mismatches to list.

Dependency-Update-Tool: 0/10

Fuzzing: 0/10
Ironic :-)

Packaging: -1
I'm not sure we want packages for this repo, the repo is basically an interface for a service, not really a package people want to use.

Signed-Releases: ?
Don't think we need releases either

Token-Permissions: 0/10
Thanks @jonathanmetzman, I agree with most of your conclusions.

For binary data: agreed this is a false positive, and we're aware of this. You have the choice to "Won't Fix" in the scanning dashboard to get rid of the alert. Is that sufficient in practice or do you think we should provide a config file (this issue is also asking for something similar: ossf/scorecard-action#143) for files to ignore in the action?

For Pinned-Dependencies: you say it has too many false positives: can you explain?

CodeQL: you can enable that, yes. Is there another tool you're using? I have a pending ossf/scorecard#1487 to support more tools so I can add other tools if necessary.

Branch-Protection:

Signed-Release: we've removed this from the GitHub action https://github.com/ossf/scorecard-action/blob/main/policies/template.yml#L52 so you should not receive this alert anymore.

Eh...I was sort of incorrect. They aren't false positives, scorecard was right that we weren't pinning. But I meant that most of the instances flagged (there were so many that I didn't look through all of them) can't really be fixed by us. I'll elaborate more in a bit
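The Pinned-Dependencies discussion above comes down to one question: is each external dependency referenced by an immutable digest, or by a mutable tag? The following script is an added illustration of that kind of check, written for this page; it is not Scorecard's own implementation and does not reproduce its rules. It scans a constructed GitHub workflow snippet (not taken from OSS-Fuzz) and flags `uses:` references that are not pinned to a 40-hex commit SHA, `docker://` images without a `@sha256:` digest, and `pip install` commands without `--hash=`. The sample hash values are placeholders, not real commits.

```python
import re

# Constructed sample workflow (not from the OSS-Fuzz repository).
# The 40-hex value below is a placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - uses: docker://python:3.11
      - uses: ./.github/actions/local-step
      - run: pip install requests
      - run: pip install requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-\s*run:\s*(.+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'pinned' or 'unpinned' for a GitHub Actions `uses:` value.

    A reference counts as pinned only when it resolves to an immutable digest:
    a full 40-hex commit SHA for actions, or a sha256 digest for docker images.
    Tags and branch names (v3, main, 3.11) can be moved, so they are unpinned.
    """
    if ref.startswith("./"):
        return "local"  # action lives in this repo; nothing external to pin
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        return "pinned" if "@sha256:" in image else "unpinned"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return (line number, kind, reference) for every unpinned dependency."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if classify_uses(ref) == "unpinned":
                findings.append((lineno, "uses", ref))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(1)
            # pip only verifies integrity when every requirement carries --hash.
            if "pip install" in cmd and "--hash=" not in cmd:
                findings.append((lineno, "pip", cmd))
    return findings


if __name__ == "__main__":
    for lineno, kind, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned {kind} dependency: {ref}")
```

Running it reports three unpinned references (the `@v3` action, the `python:3.11` image and the bare `pip install`), while the SHA-pinned action, the repo-local action and the hash-checked `pip install` pass. This also shows why a project can be "right but unfixable": a local action or a base image it does not control can only be pinned upstream.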
Related: google#7425
We want to use the action.
We can start this process by running scorecard manually on OSS-Fuzz and fixing the issues/fixing scorecard.