
Re: Discussions on Security Enhancements

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 9 Nov 2022 10:28:50 +0100 (CET)

On Mon, 7 Nov 2022, Diogo Sant'Anna via curl-users wrote:

(I'm moving this reply over to the libcurl mailing list, which I think is more
suitable for project/development related discussions.)

> One first suggestion I can give, is the adoption of the GitHub Action of
> Scorecards <https://securityscorecards.dev/#using-the-github-action>.

I just tried it. It does not help us, and I can't see how it helps any of our
users either.

It reports 46 "issues". Let's see what they are:

1 - "Code-Review High"

It says "score is 0: 0 out of last 30 changesets reviewed before merge". This
is simply not true and just shows that the job has some assumptions that
failed. Useless alert.

2 - "Token-Permissions High"

13 issues filed because I don't want to bother with setting up a token for the
job. Useless alerts.

3 - "Dependency-Update-Tool High"

"score is 0: no update tool detected". Bad assumptions again. Useless alert.

4 - "Pinned-Dependencies Medium"

31 issues. As I already mentioned on the curl-users list: this seems like an
overly aggressive warning. We use CI jobs to verify that our code is fine. If
we install vulnerable or infected dependencies as part of that, all we risk
is that we run bad CI jobs. They cannot infect or modify code or anything
else. They can only provide bad/wrong info in CI jobs.

Conclusion: lots of noise, very little signal.

I am going to disable this CI job again.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2022-11-09
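For readers who want to see concretely what the "Pinned-Dependencies" and "Token-Permissions" checks discussed above are looking for, here is a small, added example that is not part of the mail, of curl's CI, or of the Scorecards project: a regex-based scanner that approximates those two checks on a GitHub Actions workflow file. Both workflow texts are constructed for the example (they are not curl's real workflows), the 40-hex commit SHAs in the pinned variant are placeholders rather than real commits of those actions, and the checks are deliberately simplified (only a top-level `permissions:` key counts, and only inline `pip install` package names are inspected).

```python
import re

# Constructed sample workflow with the kinds of findings Scorecard reports:
# actions referenced by tag, no top-level permissions, unpinned pip install.
UNPINNED_WORKFLOW = """\
name: scorecard
on: [push]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ossf/scorecard-action@v2.0.6
      - run: pip install requests
"""

# Same workflow after pinning. The SHAs are PLACEHOLDERS for illustration,
# not the real commits behind those tags; look the real ones up yourself.
PINNED_WORKFLOW = """\
name: scorecard
on: [push]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ossf/scorecard-action@89abcdef0123456789abcdef0123456789abcdef # v2.0.6
      - run: pip install requests==2.28.1
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)
PIP_RE = re.compile(r"pip3?\s+install\s+([^\n]+)")


def unpinned_actions(workflow: str) -> list:
    """Return every 'uses:' reference that is not pinned to a full commit SHA.

    A tag or branch such as '@v3' can be moved by the action's maintainers (or by
    whoever compromises them), a 40-hex SHA cannot. Local ('./') and docker
    references are skipped, as the check is about third-party action code.
    """
    findings = []
    for match in USES_RE.finditer(workflow):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True if the workflow declares a top-level 'permissions:' block.

    Without one, GITHUB_TOKEN gets the repository default (historically
    read-write), which is the Token-Permissions finding. Simplification:
    job-level 'permissions:' blocks are not credited here.
    """
    return bool(TOP_LEVEL_PERMISSIONS_RE.search(workflow))


def unpinned_pip_packages(workflow: str) -> list:
    """Return packages passed inline to 'pip install' without an '==' version.

    Simplification: flags only inline names; '-r requirements.txt' files are
    not opened, and their contents are not inspected.
    """
    findings = []
    for match in PIP_RE.finditer(workflow):
        for token in match.group(1).split():
            if token.startswith("-"):
                continue  # a pip flag, not a package name
            if "==" not in token:
                findings.append(token)
    return findings


def scan(workflow: str) -> dict:
    """Aggregate the three simplified checks into one report."""
    return {
        "unpinned_actions": unpinned_actions(workflow),
        "top_level_permissions": has_top_level_permissions(workflow),
        "unpinned_pip_packages": unpinned_pip_packages(workflow),
    }


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(label, scan(text))
```

Running the scanner on the two constructed workflows shows the difference the real tool reacts to: the first yields two unpinned actions, no permissions block and one unversioned pip package; the second yields none. Whether those findings matter for a given project is the judgement call the mail above is making; the scanner only shows what the alerts are keyed on.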