Suggest Adoption of Scorecard GitHub Action about little-cms HOT 7 CLOSED

Oh, it was github's fault. Re-running the job solved the issue, sorry, just ignore the comment. Thanks!

from little-cms.

Hi Diogo, thanks for your contribution.

Just a couple of quick questions:

• Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
• Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
• Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

Thanks
Marti

from little-cms.

Hi Marti,

• Does this OSV Scanner need any modification on sources or additional files other than in the .github directory?
• Am I assumed to annotate the code to hint the compiler than those integer overflows are correct and are there because a reason? (is just an example)
• Would the use of this tool represent to receive many mails about so called "vulnerabilities" that at the end were in test code? (I was hit badly by fuzzers)

1. No. The OSV Scanner will work as part of the Scorecard Action, analysing your repo through public GitHub APIs and showing the results at your Security Panel.

2. No, Scorecards won't require any kind of annotation -- although there is an issue with this idea. After using Scorecard Action, you'll be able to dismiss any false-positives directly on the Security Panel. Then they would not bother you anymore.

3. Don't worry, the action wouldn't send you any emails haha All the notifications are intended to be shown directly on GitHub

Otherwise I sent a mail to sos.dev about my open source project but never got any answer. Is any way to contact those guys?

I'm Sorry for that, Marti. I have some contact with the SOS team and have already contacted them. I'll get back to you as soon as I have any information.

from little-cms.

Hello Diogo,

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality. Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.
Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

from little-cms.

That's great. Sounds incredible powerful and non-intrusive. If you can manage to outline a quick PR I will gladly integrate this functionality.

Awesome, I'll raise the PR shortly.

Don't get me wrong, I take security very seriously and any good measure to improve this is very welcome. What I want to avoid is to change code or add spurious files just to find the whole system is deprecated few years after. That already happened with Travis CI, so I'm just being a little bit more careful right now.

Absolutely, Marti! Your points are totally valid and I really appreciate your patience and time to consider the tool and talk to me about your concerns. Even after adopting the tool, please feel free to reach me for any questions or feedback and I'll be more than happy to help =)

Thank you so much for contacting google about the SOS team. If they are responsive, is quite probably I would hire somebody to add a decent fuzzing or just to increase overall security.

For this I'm afraid I won't be able to help much, though. I've contacted the SOS team and they said they'll look into your email, but they also confessed that there is a long backlog of requests. So unfortunately might not be a short reply.

from little-cms.

Hello @diogoteles08
Sorry to bother you, but after activating the scorecard all commits fail. I traced the scorecard parsing is failing with following error:

2023/07/27 10:41:17 error processing signature: executing scorecard-api call: Post "https://api.securityscorecards.dev/projects/github.com/mm2/Little-CMS": context deadline exceeded

Is anything I can do aside disabling scorecard? Thanks!

from little-cms.

Hey @mm2! You're not bothering at all -- I'd be happy to get any feedback. Anyways, I'm also happy to know it worked out 😄

Also, I'm honestly not sure it has any relation with your issue, but you might want to take a look on the possibility of running Scorecard with an specific fine grained token. Although it shouldn't change much how it's already working, I forgot to mention in this issue that this PAT is required to completely evaluating checks such Branch-Protection and (experimental) Webhooks.

from little-cms.