
BUG: Security policy at the organization level is not picked up #2552

Closed
rajbos opened this issue Dec 19, 2022 · 2 comments
Labels
kind/bug Something isn't working

Comments

@rajbos

rajbos commented Dec 19, 2022

Describe the bug
Security policy at the organization level is not picked up. I have one on the org level here, but in my repository I have an alert that there is no security policy.

From the changes described in this PR I would expect that the org level setup would also be taken into account.

Expected behavior
The check should also validate the org level configuration.

Additional context
Using the ossf/scorecard-action for running the checks.

@rajbos rajbos added the kind/bug Something isn't working label Dec 19, 2022
@spencerschrock
Member

I'm seeing this output here:
https://github.com/devops-actions/load-used-actions/actions/runs/3733073037/jobs/6333373413#step:4:1116

               "ruleId": "SecurityPolicyID",
               "ruleIndex": 8,
               "message": {
                  "text": "score is 9: security policy file detected:\nWarn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: github.com/devops-actions/.github/.github/SECURITY.md\nClick Remediation section below to solve this issue"
               },

It's picking up the file, and scoring it a 9/10. The message in your SARIF output is talking about the missing 1/10 due to a heuristic introduced in #2195 which is looking for:

	// pattern for 1 to 4 digit numbers
	// or
	// strings 'disclos' as in "disclosure" or 'vuln' as in "vulnerability"
	reDIG := regexp.MustCompile(`(?i)(\b*[0-9]{1,4}\b|(Disclos|Vuln))`)

The easiest fix would be to tweak your security policy to satisfy the heuristic. For example:

Please disclose any issues or vulnerabilities responsibly by emailing

The other option is to discuss relaxing or removing the heuristic, which was brought up in #2195 but was left in at the time.

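The heuristic quoted above can be reproduced locally to check a SECURITY.md before Scorecard runs. This is an added example, not Scorecard's own code: the regex is copied verbatim from the comment, while the "fewer than two hints triggers the warning" threshold and the sample policies are assumptions modelled on the SARIF message text.

```go
package main

import (
	"fmt"
	"regexp"
)

// reDig is the heuristic regex quoted in the comment above. It matches
// 1-4 digit numbers (timelines such as "90 days") or the stems
// "disclos" / "vuln", case-insensitively.
var reDig = regexp.MustCompile(`(?i)(\b*[0-9]{1,4}\b|(Disclos|Vuln))`)

// CountHints returns the number of heuristic matches in a policy text.
func CountHints(policy string) int {
	return len(reDig.FindAllString(policy, -1))
}

// WouldWarn reports whether the "One or no descriptive hints" warning
// would fire. Assumption: it fires when fewer than two hints are found;
// Scorecard's exact threshold is not stated on this page.
func WouldWarn(policy string) bool {
	return CountHints(policy) < 2
}

// Constructed sample policies, not taken from any real repository.
const (
	sparsePolicy = "# Security\n\nPlease email security@example.com.\n"
	richPolicy   = "# Security\n\nPlease disclose any issues or vulnerabilities " +
		"responsibly by emailing security@example.com. We aim to respond " +
		"within 5 days and publish a fix within 90 days.\n"
)

func main() {
	for name, p := range map[string]string{"sparse": sparsePolicy, "rich": richPolicy} {
		fmt.Printf("%-6s hints=%d warn=%v matches=%q\n",
			name, CountHints(p), WouldWarn(p), reDig.FindAllString(p, -1))
	}
}
```
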
@rajbos
Author

rajbos commented Dec 23, 2022

Ah, that is indeed extra information that I missed when looking at the alert; because of the text rendering in the alerts, it's rather hidden at the bottom. That will be improved by #125, so that will definitely help. The rest was me not reading the whole text :-).

Closing this, as it will be improved.

@rajbos rajbos closed this as completed Dec 23, 2022