Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OSSF Scorecard #851

Closed
gabibguti opened this issue Dec 8, 2022 · 24 comments
Closed

Add OSSF Scorecard #851

gabibguti opened this issue Dec 8, 2022 · 24 comments

Comments

@gabibguti
Copy link

What is the problem this feature will solve?

Improve the project's security against supply-chain attacks.

What are supply-chain attacks?
Attacks that add malicious code to your project through build, release and other phases of development. E.g. A hacker may hijack your GH account and add a script to your project that steals user's personal information 'cause you had push-force access to main.

Supply-chain attacks have been increasing over the years according to the sonatype State of the Software Supply-Chain report and given node's popularity it's a reasonable target.

Chart title: FIGURE 1.6. NEXT GENERATION SOFTWARE SUPPLY CHAIN ATTACKS, 2019–2022. Chart information: 742% Average Growth Rate Year over Year.

What is the feature you are proposing to solve the problem?

Adding the OSSF Scorecard tool to identify supply-chain security improvements.

Scorecard checks for best practices such as if main branch is protected, if code is being reviewed in PRs and if binaries are being avoided. Below, you can see that sonatype uses Scorecard to check how projects are most vulnerable.

Chart title: Figure 2.2. Elements most useful for identifying vulnerable projects. Chart information: Shows that Code Review, Dependencies Pinned, Binaries and Branch Protection are the most important checks.

What alternatives have you considered?

None.

Additional Context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

@RafaelGSS
Copy link
Member

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

@RafaelGSS RafaelGSS transferred this issue from nodejs/node Dec 15, 2022
@mcollina
Copy link
Member

mcollina commented Dec 16, 2022

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

This being said, compiling to WASM is hard and they require quite a few more dependencies. I'm not 100% sure what we should do about this in practice.

@mhdawson
Copy link
Member

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

I think as a first step we can automate the generation of the wasm modules and better manage the dependencies that we use as part of the build for the wasm. I know that won't solve the concern about binary artifacts but will be some help.

@gabibguti
Copy link
Author

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

Hello @RafaelGSS! Nice! According to node's calendar the next meeting will be December 22 10AM in Brazil. Is that correct? If so, either me or my team colleagues can attend.

@RafaelGSS
Copy link
Member

@gabibguti I think we'll postpone this week's meeting to next year. Due to the holidays, most of our team won't be able to attend. Anyway, stay tuned at: #853

@gabibguti
Copy link
Author

gabibguti commented Dec 19, 2022

About the WASM binaries.

Hi @mcollina! You've raised a very interesting point. We will not always be able to remove the binaries. If we do need the binaries, which seems the case, we can try make their generation and update more trustable. For example, by automating the generation as @mhdawson said.

Further explanation...
The problem with binaries is that you don't know what's inside them. If a binary is generated manually, we are trusting the person is following the documented process. However, if the person generates it differently and opens a PR updating the binary, you probably wouldn't be able to tell if there is malicious code in there.

I will make sure we comment on this topic on the meeting.

@mhdawson
Copy link
Member

@gabibguti - not sure which context you are looking at this from but as an FYI this PR is related in that it allows distros to externalize the WASM and re-build them on their own. That of course does not address the issue for those using the community binaries and as you mentioned making the generation/update more trustable helps. I think it will also help the distro's as the better we document/manage the generation of these components the easier the rebuilds would be as well.

@RafaelGSS
Copy link
Member

RafaelGSS commented Jan 5, 2023

@gabibguti I think you missed today's meeting. Could you join the next one? It will be Jan 19th

@gabibguti
Copy link
Author

@RafaelGSS Oh sorry! I didn't see the new issue regarding the meeting. Yes! I'll join the next one along with my team mates.

@gabibguti
Copy link
Author

gabibguti commented Jan 19, 2023

As discussed in the Security WG's latest meeting, here are the steps to add Scorecard to node:

How to add Scorecard GHA

On the repository page, you can open Actions tab, click "New workflow", search for "Scorecard" and click "Configure" to add the action.
or
Add through Security tab following https://github.com/ossf/scorecard-action#installation

Configuring Scorecard to run on PRs

You can replace the workflow triggers by pull_request trigger.

@mhdawson
Copy link
Member

Adding to TSC agenda as an FYI. I think enabling this makes sense. Even if we enable per PR it won't block landing but should give us additional info in terms of any security implecations.

@mcollina
Copy link
Member

Could we add this to Undici as well?

@pnacht
Copy link

pnacht commented Jan 20, 2023

Hey everyone, thanks for your time in yesterday's meeting.

Unfortunately, I must issue a correction: at one point I said that Scorecard can monitor the main branch and release branches. This is unfortunately not the case. Scorecard only runs on the main ("default") branch.

I was thinking of a single check which runs on all branches, but all others only scan the main branch.

My apologies.

@mhdawson
Copy link
Member

@mcollina I've not looked but it sounds like it is per repo versus per org and in that case I think we should plan to enable for the repo's where it makes sense including undici.

@RafaelGSS
Copy link
Member

RafaelGSS commented Jan 24, 2023

PRs on core:

Note: please update the list

@RafaelGSS
Copy link
Member

RafaelGSS commented Feb 2, 2023

Based on today's discussion (#872) the next steps would be:

  • Create a workflow to use ossf/scorecard-action
  • Evaluate the score in the next meeting
  • Enable CodeScanning on an MVP (Security-WG/Undici) (optional?)

@fraxken will be championing it

@fraxken
Copy link
Member

fraxken commented Feb 2, 2023

@RafaelGSS PR opened: #873

@UlisesGascon
Copy link
Member

As agreed in last meeting, I was working in this little script that can automate the process for collecting the scores from several repos and trigger alerts via issues. Here is the Github Action in the marketplace that I created. I can do a little demo (60 sec) in our next meeting #877 and discuss the next steps ;-)

@fraxken
Copy link
Member

fraxken commented Feb 18, 2023

@mcollina We added the scorecard workflow on that repository. You can take a look at the result (alerts) in the Security tab.

If you'r ok I can open a pull request on undici to add the OSSF scorecard workflow?

@RafaelGSS
Copy link
Member

RafaelGSS commented Feb 18, 2023

First, I think undici needs to enable "Code Scanning", right?

@mcollina
Copy link
Member

What should I do exactly?

@fraxken
Copy link
Member

fraxken commented Feb 19, 2023

First, I think undici needs to enable "Code Scanning", right?

It will be enabled by adding the OSSF scorecard workflow. I was going to say I could do it but I don't have the access.


Here is the official instructions.

Just the first time when clicking on Set up code scanning, you need to look for "Explore workflows". Then you enter scorecard in the searchbar.

image

@UlisesGascon
Copy link
Member

The code scanning is working fine! I can see fresh results for undici and security-wg repos, See reporting

@RafaelGSS
Copy link
Member

Closing this issue as completed. Further updates in the Node.js organization will be made through #859.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants