ossf/scorecard vulnerabilities fix tracking issue #593

Open
developer-guy opened this issue Oct 26, 2021 · 3 comments
Labels
enhancement New feature or request

Comments

@developer-guy
Contributor

developer-guy commented Oct 26, 2021

What would you like to be added:

We recently ran ossf/scorecard [1] over the Syft project and found some vulnerabilities; here is the output of the scan:

$ docker run -e GITHUB_AUTH_TOKEN=$GITHUB_TOKEN gcr.io/openssf/scorecard:stable --repo https://github.com/developer-guy/syft

[Two screenshots of the scorecard output, taken 2021-10-26; images not reproduced here]

Why is this needed:

To make Syft more secure.

Additional context:

cc: @wagoodman @luhring @Dentrax

Footnotes

  1. https://github.com/ossf/scorecard

@developer-guy developer-guy added the enhancement New feature or request label Oct 26, 2021
@developer-guy
Contributor Author

developer-guy commented Oct 26, 2021

similar one for Grype 👀 anchore/grype#482

@westonsteimel
Contributor

Both syft and grype are failing the Binary-Artifacts check due to files in the test-fixtures directories. Based on ossf/scorecard#1256 (comment) in ossf/scorecard#1256, these would automatically be discarded if they were in a directory called testdata, so scorecard itself may need some enhancements to consider other names for test directories (or have some sort of project-level configuration that gets taken into account).
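The behaviour discussed in this comment, as an added illustration that is not scorecard's own code nor anything from the Syft or Grype repositories: a small model of a Binary-Artifacts style check that flags binary files in a tree, skips anything under a `testdata` directory (the convention the comment refers to), and accepts an extra, project-supplied set of test directory names such as `test-fixtures`, which stands in for the project-level configuration proposed here. The sample repository layout, the NUL-byte binary heuristic and the function names are all constructed for this example.

```python
"""Toy Binary-Artifacts style scan (constructed example, not scorecard's code)."""
from __future__ import annotations

import os
import sys
from pathlib import PurePosixPath

# Directory names whose contents count as test fixtures and are not reported.
# "testdata" mirrors the Go convention the scorecard discussion refers to.
DEFAULT_TEST_DIRS = frozenset({"testdata"})

# Constructed stand-in for a checkout: relative POSIX path -> file contents.
# The ELF/MZ headers and NUL bytes are fabricated, not real fixtures.
SAMPLE_REPO = {
    "cmd/syft/main.go": b"package main\n\nfunc main() {}\n",
    "README.md": b"# Syft\n",
    "test-fixtures/image-simple/file-1.bin": b"\x7fELF\x01\x01\x01\x00\x00\x00",
    "testdata/golden.bin": b"\x00\x01\x02\x03",
    "internal/helper.bin": b"MZ\x90\x00\x03\x00\x00\x00",
}


def looks_binary(data: bytes, sample: int = 8000) -> bool:
    """Treat content as binary if a NUL byte appears in the leading bytes.

    This is the same rule git uses to decide whether a file gets a textual diff;
    it is a heuristic, so a text file containing NUL would also be flagged.
    """
    return b"\x00" in data[:sample]


def in_test_dir(path: str, test_dirs: frozenset[str] | set[str]) -> bool:
    """True if any directory component (not the file name) is a test directory."""
    return any(part in test_dirs for part in PurePosixPath(path).parts[:-1])


def find_binary_artifacts(
    files: dict[str, bytes],
    test_dirs: frozenset[str] | set[str] = DEFAULT_TEST_DIRS,
) -> list[str]:
    """Return the sorted paths of binary files that are not under a test directory.

    Passing a larger `test_dirs` set models a project-level configuration that
    tells the check which extra directories hold fixtures.
    """
    return sorted(
        path
        for path, content in files.items()
        if looks_binary(content) and not in_test_dir(path, test_dirs)
    )


def scan_tree(root: str, test_dirs: frozenset[str] | set[str] = DEFAULT_TEST_DIRS) -> list[str]:
    """Run the same check over a real directory, reading only the bytes needed."""
    files: dict[str, bytes] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never scan the object store
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = PurePosixPath(os.path.relpath(full, root).replace(os.sep, "/"))
            with open(full, "rb") as fh:
                files[str(rel)] = fh.read(8000)
    return find_binary_artifacts(files, test_dirs)


if __name__ == "__main__":
    # Usage: python scan.py [path] [extra-test-dir ...]
    # With no path, the constructed SAMPLE_REPO is scanned instead.
    extra = set(sys.argv[2:])
    dirs = DEFAULT_TEST_DIRS | extra
    hits = scan_tree(sys.argv[1], dirs) if len(sys.argv) > 1 else find_binary_artifacts(SAMPLE_REPO, dirs)
    for hit in hits:
        print("binary artifact:", hit)
```

Against the constructed sample, the default configuration reports both `internal/helper.bin` and the file under `test-fixtures/`, which is exactly the false positive described in the comment; adding `test-fixtures` to the test directory set leaves only `internal/helper.bin`, a binary that genuinely deserves review because it ships with the source rather than with the tests.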

@wagoodman
Contributor

A huge +1 for a project-level configuration!

@spiffcs spiffcs added this to OSS May 31, 2022
@spiffcs spiffcs moved this to Triage (Comments or Progress Made) in OSS May 31, 2022
@tgerla tgerla removed the status in OSS Jan 31, 2023
@tgerla tgerla moved this to Backlog in OSS Feb 2, 2023