
New check: Include info about the ratio of memory-unsafe to memory-safe code #200

Open
noncombatant opened this issue Feb 19, 2021 · 5 comments
Labels
kind/new-check New check for scorecard

Comments

@noncombatant

Something like 2/3rds of vulnerabilities in common software are due to memory unsafety. (See e.g. https://alexgaynor.net/2020/may/27/science-on-memory-unsafety-and-security/)

It'd be cool if Scorecard would score dependencies on how much safe/unsafe code they have.

For example, https://github.com/rust-secure-code/cargo-geiger does this for Rust.

@inferno-chromium inferno-chromium changed the title Include info about the ratio of memory-unsafe to memory-safe code New check: Include info about the ratio of memory-unsafe to memory-safe code Feb 19, 2021
@inferno-chromium
Contributor

Maybe also need to add [can open a new bug if needed], how much unsafe code is called from memory safe code. E.g. native C extensions from Python, JNI from Java, unsafe Rust, cgo in golang [came from @oliverchang discussion]

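As an added illustration of the check discussed above (this is example code written for this thread, not Scorecard's own code and not cargo-geiger's), the Go program below classifies a constructed in-memory repository by file extension, computes the ratio of memory-unsafe lines to all counted source lines, and counts the "bridge" sites where memory-safe code reaches into unsafe code: cgo imports in Go, `unsafe` blocks in Rust, `native` methods in Java, and `ctypes`/`cffi` imports in Python. The extension lists, the regular expressions and the sample files are all assumptions chosen for the example; a real check would walk the checked-out repository and would treat the regexes as heuristics rather than a parse.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Category is the memory-safety class of a source file's language.
type Category int

const (
	Unsafe Category = iota // C, C++, Objective-C, assembly
	Safe                   // Go, Rust, Python, Java, ...
	Other                  // docs, build files, unknown extensions
)

// Report summarizes a repository: non-blank line counts per category, plus
// the number of bridge sites where memory-safe code calls into unsafe code.
type Report struct {
	UnsafeLines, SafeLines int
	Bridges                map[string]int // "cgo", "rust-unsafe", "jni", "ctypes-cffi", "go-unsafe"
}

// Assumed extension tables (hypothetical; a real check would be more complete).
var unsafeExt = map[string]bool{".c": true, ".cc": true, ".cpp": true, ".cxx": true,
	".h": true, ".hpp": true, ".m": true, ".mm": true, ".s": true}
var safeExt = map[string]bool{".go": true, ".rs": true, ".py": true, ".java": true,
	".kt": true, ".swift": true}

// Assumed per-language heuristics for "safe code calling unsafe code".
var bridgePatterns = map[string]map[string]*regexp.Regexp{
	".go": {
		"cgo":       regexp.MustCompile(`(?m)^\s*(?:import\s+)?"C"\s*$`),
		"go-unsafe": regexp.MustCompile(`"unsafe"`),
	},
	".rs":   {"rust-unsafe": regexp.MustCompile(`\bunsafe\s*(?:\{|fn\b|impl\b|trait\b)`)},
	".java": {"jni": regexp.MustCompile(`\bnative\s+\w`)},
	".py":   {"ctypes-cffi": regexp.MustCompile(`(?m)^\s*(?:import|from)\s+(?:ctypes|cffi)\b`)},
}

// Classify maps a path to a category purely by its (lower-cased) extension.
func Classify(path string) Category {
	ext := strings.ToLower(filepath.Ext(path))
	switch {
	case unsafeExt[ext]:
		return Unsafe
	case safeExt[ext]:
		return Safe
	}
	return Other
}

// countLines counts non-blank lines so that formatting does not skew the ratio.
func countLines(src string) int {
	n := 0
	for _, l := range strings.Split(src, "\n") {
		if strings.TrimSpace(l) != "" {
			n++
		}
	}
	return n
}

// bridgesIn applies the bridge heuristics that belong to the file's language.
func bridgesIn(path, src string) map[string]int {
	found := map[string]int{}
	for name, re := range bridgePatterns[strings.ToLower(filepath.Ext(path))] {
		if n := len(re.FindAllStringIndex(src, -1)); n > 0 {
			found[name] = n
		}
	}
	return found
}

// ScanRepo aggregates line counts and bridge sites over a path -> content map.
func ScanRepo(files map[string]string) Report {
	r := Report{Bridges: map[string]int{}}
	for path, src := range files {
		switch Classify(path) {
		case Unsafe:
			r.UnsafeLines += countLines(src)
		case Safe:
			r.SafeLines += countLines(src)
			for name, n := range bridgesIn(path, src) {
				r.Bridges[name] += n
			}
		}
	}
	return r
}

// UnsafeRatio is the share of counted source lines in memory-unsafe languages.
func (r Report) UnsafeRatio() float64 {
	total := r.UnsafeLines + r.SafeLines
	if total == 0 {
		return 0
	}
	return float64(r.UnsafeLines) / float64(total)
}

// sampleRepo is a constructed toy repository: a Go server calling a C helper
// through cgo, a Rust parser with an unsafe block, a JNI binding and a Python
// script loading a shared library through ctypes.
var sampleRepo = map[string]string{
	"server/main.go":       "package main\n\nimport \"C\"\nimport \"fmt\"\n\nfunc main() {\n\tfmt.Println(C.fast_hash())\n}\n",
	"server/fast.c":        "#include <stdint.h>\n\nuint64_t fast_hash(void) {\n\treturn 42;\n}\n",
	"parser/src/lib.rs":    "pub fn parse(b: &[u8]) -> u32 {\n    unsafe { *(b.as_ptr() as *const u32) }\n}\n",
	"bindings/Native.java": "public class Native {\n    public static native int parse(byte[] b);\n}\n",
	"tools/bench.py":       "import ctypes\n\nlib = ctypes.CDLL(\"./libfast.so\")\n",
	"README.md":            "# demo\n",
}

func main() {
	r := ScanRepo(sampleRepo)
	fmt.Printf("unsafe lines: %d, safe lines: %d, unsafe ratio: %.2f\n",
		r.UnsafeLines, r.SafeLines, r.UnsafeRatio())
	for name, n := range r.Bridges {
		fmt.Printf("bridge %-12s %d site(s)\n", name, n)
	}
}
```

On the sample repository this reports 4 unsafe and 14 safe lines (ratio 0.22) and one bridge site of each kind, which is the shape of output a Scorecard check could turn into a score: the raw ratio says how much of the code base is in C/C++, and the bridge counts say how much of the nominally safe code is one call away from it.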
@inferno-chromium inferno-chromium added this to the milestone-q2 milestone May 26, 2021
@laurentsimon laurentsimon removed this from the milestone-q2 milestone Oct 7, 2021
@oliverchang
Contributor

The current thinking with https://github.com/ossf/package-analysis is that this should be implemented there instead. Perhaps scorecards can then read from the results of that.

@naveensrinivasan
Member

> The current thinking with https://github.com/ossf/package-analysis is that this should be implemented there instead. Perhaps scorecards can then read from the results of that.

I concur with that.

@afmarcum
Contributor

Is this something that is still important to implement (read from package-analysis)?
If there is no feedback in the next 7 days on whether this remains important for the project, then this issue will be closed.

@noncombatant
Author

Especially for software that has easy-to-reach attack surface, it's arguably the single most important consideration. A scorecard rating for (for example) a web server that doesn't mention that the product is written in C++ would be eliding a super important fact about the product's security.

So, I'd still like to see this implemented.

@afmarcum afmarcum added the kind/new-check New check for scorecard label Mar 5, 2024
@afmarcum afmarcum moved this to Backlog - Checks in Scorecard - NEW Mar 5, 2024