Google Online Security Blog: Measuring Security Risks in Open Source Software: Scorecards Launches V2



Posted by Kim Lewandowski, Azeem Shaikh, Laurent Simon, Google Open Source Security Team

Contributors to the Scorecards project, an automated security tool that produces a "risk score" for open source projects, have accomplished a lot since our launch last fall. Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis.

With so much software today relying on open source projects, consumers need an easy way to judge whether their dependencies are safe. Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project's supply chain. Consumers can automatically assess the risks that dependencies introduce and use this data to make informed decisions about accepting those risks, evaluating alternative solutions, or working with the maintainers to make improvements.

Identifying Risks

Since last fall, Scorecards' coverage has grown: we have added several new checks, following the Know, Prevent, Fix framework proposed by Google earlier this year, to prioritize our additions.

Malicious contributors

Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, use the less informative Code-Review check instead.

Vulnerable code

Despite best efforts by developers and peer reviews, vulnerable code can enter source control and remain undetected.
That's why it is important to enable continuous fuzzing and static code analysis to catch bugs early in the development lifecycle. We have added checks to detect whether a project uses Fuzzing and SAST tools as part of its CI/CD system.

Build system compromise

A common CI/CD solution used by GitHub projects is GitHub Actions. A danger with these action workflows is that they may handle untrusted user input, meaning an attacker can craft a malicious pull request to gain access to the privileged GitHub token, and with it the ability to push malicious code to the repo without review. To mitigate this risk, Scorecard's Token-Permissions prevention check now verifies that GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

Bad dependencies

Any software is only as secure as its weakest dependency. This may sound obvious, but the first step to knowing our dependencies is simply to declare them... and to have our dependencies declare theirs too. Once we have this provenance information, we can assess the risks of our software and mitigate them. Unfortunately, there are several widely used anti-patterns that break this provenance principle. The first of these is checked-in binaries, since there is no way to easily verify or check the contents of a binary in the project. Scorecards provides the Binary-Artifacts check for testing this.

Another anti-pattern is the use of curl | bash in scripts, which dynamically pulls dependencies. Cryptographic hashes let us pin our dependencies to a known value: if this value ever changes, the build system will detect it and refuse to build. Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc.
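As an added illustration (not part of the original post and not the Scorecards code base), the following Python script approximates, with simple line-based matching, what the Token-Permissions check and the dependency-pinning anti-patterns described above look for in a GitHub Actions workflow; the workflow, the action names, the URL and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the post). It exhibits the anti-patterns
# that the Token-Permissions and dependency-pinning checks above look for.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  # placeholder SHA
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: go build ./...
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")


def audit_workflow(text):
    """Return (line_no, message) findings for a GitHub Actions workflow.

    A small, line-based approximation of what Scorecards' Token-Permissions
    and Frozen-Deps checks look for; it is not the Scorecards implementation.
    Line 0 is used for a workflow-wide finding."""
    findings = []
    saw_top_level_permissions = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        # A top-level 'permissions:' key is unindented; job-level keys are not checked here.
        if line.startswith("permissions:"):
            saw_top_level_permissions = True
            if line.split(":", 1)[1].strip() == "write-all":
                findings.append((no, "top-level permissions is write-all; use read-all"))
        m = re.search(r"\buses:\s*(\S+)", line)
        if m:
            ref = m.group(1).partition("@")[2]  # part after '@': tag, branch or SHA
            if not FULL_SHA.match(ref):
                findings.append((no, f"{m.group(1)} is not pinned to a full commit SHA"))
        if "run:" in line and PIPE_TO_SHELL.search(line):
            findings.append((no, "run step pipes a download straight into a shell"))
    if not saw_top_level_permissions:
        findings.append((0, "no top-level permissions block; token is not read-only by default"))
    return findings
```

Calling `audit_workflow(SAMPLE_WORKFLOW)` reports the write-all token, the tag-pinned checkout action and the piped install, while the SHA-pinned action passes.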
Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating malicious dependency attacks such as the recent CodeCov attack.

Even with hash-pinning, hashes need to be updated from time to time when dependencies patch vulnerabilities. Tools like dependabot or renovatebot give us the opportunity to review and update the hashes. The Scorecards Automated-Dependency-Update check verifies that developers rely on such tools to update their dependencies.

It is important to know the vulnerabilities in a project before taking it on as a dependency. Scorecards can provide this information via the new Vulnerabilities check, without the need to subscribe to a vulnerability alert system.

Scaling the impact

To date, the Scorecards project has scaled up to evaluate security criteria for over 50,000 open source projects. In order to scale this project, we undertook a massive redesign of our architecture and used a PubSub model, which achieved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through a public BigQuery dataset, which is refreshed weekly.

This data can be retrieved using the bq command line tool. The following example shows how to export data for the Kubernetes project. Substitute the URL of the repo to export data from a different project:

$ bq query --nouse_legacy_sql 'SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo=""'

To export the latest data on all analyzed projects, see the instructions here.

How does the internet measure up?

Scorecards data for available projects is now included in the recently announced Google Open Source Insights project and is also showcased in the OpenSSF Security Metrics project.
The data on these sites shows that there are still important security gaps to fill, even in widely used packages like Kubernetes.

We also analyzed Scorecards data through Google Data Studio, one of our data analysis and visualization tools. The diagram below shows a breakdown of the checks that were run and the pass/fail outcome for the 50,000 repositories:

As we can see, a lot needs to be done to improve the security of these critical projects. Many of these projects are not continuously fuzzed, do not define a security policy for reporting vulnerabilities, and do not pin dependencies, to name just a few common problems. We all need to come together as an industry to drive awareness of these common security risks, and to make improvements that will benefit everyone.

Scorecards in Action

Several large projects have adopted Scorecards and are keeping us updated on their experiences with it. Below are some examples of Scorecards in action:

Envoy

Early on we mentioned how the Envoy maintainers adopted Scorecards for their project and integrated it into their policy on introducing new dependencies. Since then, pull requests introducing new dependencies to Envoy must get approval from a dependency maintainer, who uses Scorecards to evaluate the dependency against a set of criteria. In addition, Envoy also got right to work on improving its own security health metrics in response to its own Scorecards evaluation, and is now pinning C++ dependencies and requiring pip hashes for Python dependencies.
GitHub Actions are also pinned in the continuous integration flow.

Previously, Envoy had created a tool that outputs Scorecards data on its dependencies as a CSV that can be used to generate a table of results:

Now, with more project data, Envoy is able to automatically generate up-to-date Scorecards information about its dependencies and publish it in documentation, like the following:

Scorecards

We improved our own score for Scorecards! For example, we are now pinning our own dependencies by hash (e.g. Docker dependencies, workflow dependencies) to prevent CodeCov-style attacks. We have also included a Security Policy based on this recommended template.

Get involved

We look forward to continuing to grow the Scorecards community. The project now has contributions from 23 developers. Thank you to Azeem, Naveen, Laurent, Asra and Chris for their work building these new features and scaling Scorecards. If you would like to join the fun, check out these good first timer issues. If you would like us to help you run Scorecards on specific projects, please submit a GitHub pull request to add those projects here.

Last but not least, we have plenty of ideas and many more checks we would like to add, but we want to hear from you. Tell us which checks you would like to see in the next version of Scorecards.

What's next?

There are a couple of big improvements we're especially excited about:

Thanks again to the entire Scorecards community and the OpenSSF for making this project successful. If you're adopting and improving the score of the projects you maintain, tell us about it. Until next time, keep on improving those scores!