Skip to content

naveensrinivasan/scorecarddata

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits

.github

.github

 
 

cmd

cmd

 
 

pkg

pkg

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

exclusions

exclusions

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

http.json

http.json

 
 

main.go

main.go

 
 

Repository files navigation

Scorecarddata

Overview

Using Scorecardsdata

Miscellaneous

Overview

what is scorecards?

We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

https://github.com/ossf/scorecard#what-is-scorecards

what is scorecarddata?

Scorecardsdata is a tool that will parse the go.mod/go.sum project dependencies and fetches the scorecard data for its dependencies. It uses the Google Bigquery data https://github.com/ossf/scorecard#public-data`openssf:scorecardcron.scorecard-v2_latest` to fetch the results.

Why should I use this over running the scorecard CLI?

The scorecard CLI would take time to fetch hundreds of repositories, and the GitHub's API will be throttled. This project helps solve the problem by bringing the data from the BigQuery table, which scorecard runs as part of a weekly cron job.

what does scorecarddata do?

- parses go.mod/go.sum for your project
- get the dependecies github URL's
- use the above dependencies to filter the data from Bigquery which scorecard cron jobs updates every week.
- export the results as json

Using Scorecardsdata

How do I run scorecarddata?

scorecarddata go -m /home/sammy/go/src/github.com/naveensrinivasan/kubernetes --GOOGLE_CLOUD_PROJECT openssf| jq

What are the prerequisites to run?

Can I get additional checks other than the default?

Yes, these are options within command line.

./scorecarddata --help
scorecarddata uses the scorecard bigquery to fetch results for dependecies.

Usage:
  scorecarddata [flags]
  scorecarddata [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  go          Parses go.mod dependecies and fetches the data from scorecard bigquery for those repositories.
  help        Help about any command
  server      A brief description of your command

Flags:
      --GOOGLE_CLOUD_PROJECT string    The ENV variable that will be used in the BigQuery for querying.
      --config string                  config file (default is $HOME/.scorecarddata.yaml)
      --exclusions-file string         A file with exclusions comma separated by check and value. Example Code-Review,github.com/ossf/scorecard
  -h, --help                           help for scorecarddata
      --scorecard_checks stringArray   The scorecard checks to filter by.Example CI-Tests,Binary-Artifacts etc.https://github.com/ossf/scorecard/blob/main/docs/checks.md (default [Code-Review,Branch-Protection,Pinned-Dependencies,Dependency-Update-Tool,Fuzzing])
  -t, --toggle                         Help message for toggle

Use "scorecarddata [command] --help" for more information about a command.

What are the results from the tool look like?

[
 {
    "Name": "github.com/containerd/ttrpc",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Warn: dependency not pinned by hash (job 'Run Protobuild'): .github/workflows/ci.yml:98",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  },
  {
    "Name": "github.com/kisielk/errcheck",
    "Check": "Pinned-Dependencies",
    "Score": 7,
    "Details": "Info: Third-party actions are pinned",
    "Reason": "dependency not pinned by hash detected -- score normalized to 7"
  }
]

Can I use this in CI and exclude results that I think are false positives?

Yes, results can be excluded by providing an --exclusions-file with check and repository

Pinned-Dependencies,github.com/godbus/dbus
Pinned-Dependencies,github.com/kisielk/errcheck

scorecarddata go -m . --GOOGLE_CLOUD_PROJECT openssf --exclusions-file ./exclusions --scorecard_checks Pinned-Dependencies

Using it as a server

The Scorecarddata can be used as a server to serve request for checks and repositories.

./scorecarddata server --GOOGLE_CLOUD_PROJECT openssf

This will start a HTTP server in port 8080.

This can be posted to the server to get results.

{
  "repositories": [
    "github.com/stretchr/objx"
  ],
  "checks": [
    "Pinned-Dependencies"
    ]
}

Miscellaneous

How are the go dependencies parsed?

It is bash goo :face_palm: More on this explainshell

How about support for other languages?

If you know how to parse the deps for other languages please do a PR. The interface that needs to be implemented is

scorecarddata/pkg/deps/deps.go

Line 3 in 70e7880

type Deps interface {

About

No description or website provided.

Topics

golang security scorecard supply-chain-security ossf

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages