
Re: Discussions on Security Enhancements

From: Diogo Sant'Anna via curl-users <curl-users_at_lists.haxx.se>
Date: Mon, 7 Nov 2022 17:04:02 -0300

>
> I'm confused. That video shows how you enable code scanning alerts for the
> repo, which we have had enabled already for ages.
>
> And for the record: that level of code scanning is not adding a lot of
> value to us.
>

Hello Daniel,

So, there are different tools that work as code scanners, with different
purposes, and you can read about managing them here:
<https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository>

With a look at the repo, I saw that you have added the CodeQL code scanner,
so it's probably this one that you are seeing. CodeQL is a scanner that
mostly looks for bugs in the code. On the other hand, the Scorecards
Scanner evaluates at a higher level; it does not evaluate the code
itself. It looks for vulnerabilities affecting different parts of the
software supply chain, including source code, build, dependencies, testing,
and project maintenance. As an example, one of the Scorecards checks
actually verifies whether the repo has any static code analyser, such as
CodeQL.

For a better view of what Scorecards evaluates, I'm sending at the end
of this email the result of an evaluation of curl using the Scorecards
command-line CLI, which analyzes the public portion of any public repo and
also carries the documentation describing what each check verifies and why.
The suggested Scorecard GitHub Action would deliver that information to your
security tab, keeping it always updated, and also taking some
private settings into account.

In any case, you are definitely better placed to say whether this tool would
be useful for your project. If you think it's not worth it, we can
approach any other security solution, or consider any of the possible
security enhancements detected by the checks of the Scorecards CLI. One
possible approach would be the enhancements related to
the Pinned-Dependencies check, which could be improved by reviewing the
workflows' dependencies and giving preference to pinned dependencies.

Best,
Diogo


Check scores:

| SCORE   | NAME                   | REASON                                                                                                   | DOCUMENTATION/REMEDIATION |
|---------|------------------------|----------------------------------------------------------------------------------------------------------|---------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo                                                                            | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#binary-artifacts |
| 3 / 10  | Branch-Protection      | branch protection is not maximal on development and all release branches                                 | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#branch-protection |
| ?       | CI-Tests               | no pull request found                                                                                    | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#ci-tests |
| 10 / 10 | CII-Best-Practices     | badge detected: gold                                                                                     | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#cii-best-practices |
| 0 / 10  | Code-Review            | no reviews found                                                                                         | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#code-review |
| 10 / 10 | Contributors           | 40 different organizations found -- score normalized to 10                                               | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns detected                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#dangerous-workflow |
| 0 / 10  | Dependency-Update-Tool | no update tool detected                                                                                  | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#dependency-update-tool |
| 10 / 10 | Fuzzing                | project is fuzzed with [OSSFuzz]                                                                         | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#fuzzing |
| 10 / 10 | License                | license file detected                                                                                    | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#license |
| 10 / 10 | Maintained             | 30 commit(s) out of 30 and 25 issue activity out of 30 found in the last 90 days -- score normalized to 10 | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#maintained |
| ?       | Packaging              | no published package detected                                                                            | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#packaging |
| 2 / 10  | Pinned-Dependencies    | dependency not pinned by hash detected -- score normalized to 2                                          | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#pinned-dependencies |
| 10 / 10 | SAST                   | SAST tool detected                                                                                       | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#sast |
| 10 / 10 | Security-Policy        | security policy file detected                                                                            | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#security-policy |
| 8 / 10  | Signed-Releases        | 5 out of 5 artifacts are signed or have provenance                                                       | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#signed-releases |
| 0 / 10  | Token-Permissions      | non read-only tokens detected in GitHub workflows                                                        | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected                                                                              | https://github.com/ossf/scorecard/blob/2cbf5afd5460b51fd40939f8c44b32543b1a0bcb/docs/checks.md#vulnerabilities |

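As an added illustration of what the Pinned-Dependencies and Token-Permissions checks in the table above look for, here is a small example written for this page (it is not Scorecard's own implementation, and the workflow text and the 40-hex commit SHA in it are constructed). It flags `uses:` references not pinned to a full commit SHA and permission entries that grant the workflow token write access.

```python
import re

# Constructed sample workflow (not curl's): the first action is pinned to a
# made-up 40-hex commit SHA, the second to a mutable tag, and the token
# is granted write access at the top level.
SAMPLE_WORKFLOW = """\
permissions:
  contents: write
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@v4
      - uses: ./.github/actions/local-step
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_RE = re.compile(r"^(\s*)permissions:\s*(\S*)")
KV_RE = re.compile(r"^(\s*)([\w-]+):\s*(\S+)")


def unpinned_actions(workflow: str) -> list[str]:
    """Return 'uses:' refs not pinned to a 40-hex commit SHA (local ./ actions skipped)."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue
        ref = m.group(1)
        _, _, version = ref.partition("@")  # empty when there is no '@'
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def write_permissions(workflow: str) -> list[str]:
    """Return permission entries granting write access (or write-all)."""
    findings = []
    block_indent = None  # indent of the 'permissions:' key we are inside
    for line in workflow.splitlines():
        pm = PERM_RE.match(line)
        if pm:
            if pm.group(2) == "write-all":
                findings.append("permissions: write-all")
            block_indent = len(pm.group(1)) if pm.group(2) == "" else None
            continue
        kv = KV_RE.match(line) if block_indent is not None else None
        if kv and len(kv.group(1)) > block_indent:
            if kv.group(3) == "write":
                findings.append(f"{kv.group(2)}: write")
        else:
            block_indent = None  # left the permissions block
    return findings
```

Both functions return an empty list for a workflow whose actions are all SHA-pinned and whose `permissions:` block contains only `read` values or `read-all`.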

Received on 2022-11-07