Adopt Secure Software Development Best Practices of OpenSSF Scorecard

[gkunz]

I'd like to propose to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to adopt best practices to further mature CodeCompass.

The proposed steps include:

• running Scorecards against the CodeCompass repo,
• evaluation of the scan results of Scorecards in terms of applicability,
• adoption and/or implementation of the recommendation considered feasible and valuable.

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

[gkunz]

Below is a scan result of the current state of the repo:

Low hanging fruits seem to be

• addition of a SECURITY.MD file,
• configuration of GITHUB_TOKEN permissions,
• branch protection settings

Results:

{
  "date": "2023-10-30T14:03:03+01:00",
  "repo": {
    "name": "github.com/Ericsson/codecompass",
    "commit": "f8d2caf86d3adec69b535c9c6af204153441483e"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 4.3,
  "checks": [
    {
      "details": [
        "Warn: binary detected: lib/java/httpclient-4.5.6.jar:1",
        "Warn: binary detected: lib/java/httpcore-4.4.10.jar:1",
        "Warn: binary detected: lib/java/javax.annotation-api-1.3.2.jar:1",
        "Warn: binary detected: lib/java/libthrift-0.13.0.jar:1",
        "Warn: binary detected: lib/java/log4j-1.2.17.jar:1",
        "Warn: binary detected: lib/java/slf4j-api-1.7.25.jar:1",
        "Warn: binary detected: lib/java/slf4j-log4j12-1.7.25.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-analyzers-common-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-core-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-highlighter-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-memory-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-misc-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queries-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queryparser-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-suggest-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/simplemagic-1.6.jar:1"
      ],
      "score": 0,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Warn: branch protection not enabled for branch 'master'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "12 out of 12 merged PRs checked by a CI test -- score normalized to 10",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 3,
      "reason": "found 11 unreviewed changesets out of 18 -- score normalized to 3",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,GISLab-ELTE,contour-terminal,ericsson,ericsson hungary ltd.,llvm,llvm & @ericsson"
      ],
      "score": 10,
      "reason": "7 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.txt:1",
        "Info: FSF or OSI recognized license: LICENSE.txt:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) out of 30 and 19 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/dev/Dockerfile:1: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:7",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:41: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:5",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:11: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:142",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:410",
        "Warn: pipCommand not pinned by hash: .gitlab/cc-env.sh:39",
        "Warn: npmCommand not pinned by hash: .github/workflows/linting.yml:35",
        "Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   3 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   1 npmCommand dependencies pinned",
        "Info:   0 out of   5 containerImage dependencies pinned",
        "Info:   0 out of   2 downloadThenRun dependencies pinned",
        "Info:   0 out of   1 pipCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 23 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md.\nFor additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nProvide a point of contact in your SECURITY.md.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)",
        "Warn: no security file to analyze: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/docker.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/linting.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Warn: no topLevel permission defined: .github/workflows/tarball.yml:1: Visit https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/tarball.yml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)",
        "Info: no jobLevel write permissions found"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
        "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
      ],
      "score": 7,
      "reason": "3 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

[barnabasdomozi]

Created issues for each scan with a lower score.

#660
#661
#662
#663
#664
#665
#667
#668
#669

[mcserep]

Thanks @gkunz for the evaluation on CodeCompass!

@wbqpk3: I made some remarks on the issues you created, to make a start on them.
Maybe we could also add the OpenSSF Scorecard to our CI pipeline later (https://github.com/ossf/scorecard-action#installation).

[gkunz]

Hi all,

thank you for evaluating the findings and recommendations by ScoreCard. As shown above, a three recommendations have been adopted in the meantime:

• adding a security policy file,
• setting GitHub workload token permissions, and
• enabling some branch protection settings.

The overall score increased from 5.5 to 6.2

{
  "date": "2023-11-15T15:19:58+01:00",
  "repo": {
    "name": "github.com/Ericsson/CodeCompass",
    "commit": "e23b1dc7af4895ca6823a6d7b1e190eedcf04c8f"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 6.2,
  "checks": [
    {
      "details": [
        "Warn: binary detected: lib/java/httpclient-4.5.6.jar:1",
        "Warn: binary detected: lib/java/httpcore-4.4.10.jar:1",
        "Warn: binary detected: lib/java/javax.annotation-api-1.3.2.jar:1",
        "Warn: binary detected: lib/java/libthrift-0.16.0.jar:1",
        "Warn: binary detected: lib/java/log4j-1.2.17.jar:1",
        "Warn: binary detected: lib/java/slf4j-api-1.7.25.jar:1",
        "Warn: binary detected: lib/java/slf4j-log4j12-1.7.25.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-analyzers-common-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-core-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-highlighter-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-memory-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-misc-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queries-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-queryparser-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/lucene-suggest-4.9.0.jar:1",
        "Warn: binary detected: plugins/search/lib/java/simplemagic-1.6.jar:1"
      ],
      "score": 0,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'force pushes' disabled on branch 'master'",
        "Info: 'allow deletion' disabled on branch 'master'",
        "Warn: status checks do not require up-to-date branches for 'master'",
        "Warn: 'last push approval' disabled on branch 'master'",
        "Warn: no status checks found to merge onto branch 'master'",
        "Warn: number of required reviewers is only 1 on branch 'master'",
        "Warn: stale review dismissal disabled on branch 'master'",
        "Warn: settings do not apply to administrators on branch 'master'",
        "Warn: codeowner review is not required on branch 'master'"
      ],
      "score": 4,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "16 out of 16 merged PRs checked by a CI test -- score normalized to 10",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 6,
      "reason": "found 7 unreviewed changesets out of 22 -- score normalized to 6",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: contributors work for Ericsson,GISLab-ELTE,contour-terminal,ericsson,ericsson hungary ltd.,llvm,llvm & @ericsson"
      ],
      "score": 10,
      "reason": "7 different organizations found -- score normalized to 10",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "no dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Info: tool 'Dependabot' is used: :0"
      ],
      "score": 10,
      "reason": "update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)",
        "Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)",
        "Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)",
        "Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)",
        "Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: License file found in expected location: LICENSE.txt:1",
        "Info: FSF or OSI recognized license: LICENSE.txt:1"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "28 commit(s) out of 30 and 28 issue activity out of 30 found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Warn: no GitHub/GitLab publishing workflow detected"
      ],
      "score": -1,
      "reason": "no published package detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:172: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:178: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:213: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:228: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:242: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/ci.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/docker.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/linting.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/Ericsson/CodeCompass/linting.yml/master?enable=pin",
        "Warn: containerImage not pinned by hash: docker/dev/Dockerfile:1: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:7",
        "Warn: containerImage not pinned by hash: docker/runtime/Dockerfile:41: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:5",
        "Warn: containerImage not pinned by hash: docker/web/Dockerfile:11: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2",
        "Warn: downloadThenRun not pinned by hash: .gitlab/build-deps.sh:406",
        "Warn: pipCommand not pinned by hash: .gitlab/cc-env.sh:39",
        "Warn: npmCommand not pinned by hash: .github/workflows/linting.yml:37",
        "Info:   0 out of  13 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   3 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   5 containerImage dependencies pinned",
        "Info:   0 out of   1 downloadThenRun dependencies pinned",
        "Info:   0 out of   1 pipCommand dependencies pinned",
        "Info:   0 out of   1 npmCommand dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 24 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Info: security policy file detected: SECURITY.md:1",
        "Info: Found linked content: SECURITY.md:1",
        "Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1",
        "Info: Found text in security policy: SECURITY.md:1"
      ],
      "score": 10,
      "reason": "security policy file detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: no GitHub releases found"
      ],
      "score": -1,
      "reason": "no releases found",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Info: topLevel permissions set to 'read-all': .github/workflows/ci.yml:12",
        "Info: topLevel permissions set to 'read-all': .github/workflows/docker.yml:18",
        "Info: topLevel permissions set to 'read-all': .github/workflows/linting.yml:5",
        "Info: topLevel permissions set to 'read-all': .github/workflows/tarball.yml:10",
        "Info: no jobLevel write permissions found"
      ],
      "score": 10,
      "reason": "GitHub workflow tokens follow principle of least privilege",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
        "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
      ],
      "score": 7,
      "reason": "3 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}