From 753e4162804160633e29556a91213542299d61b1 Mon Sep 17 00:00:00 2001 From: omahs <73983677+omahs@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:44:31 +0200 Subject: [PATCH 1/5] fix typo Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e3a1af9ca40..32ca96f3d66 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ metrics. Prominent projects that use Scorecard include: ### View a Project's Score -To see scores for projects regually scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name: +To see scores for projects reguarly scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name: https://securityscorecards.dev/viewer/?uri=.com//. For example: From 331186acbdf0ef33d5eaf43bac7af62b37d0dc48 Mon Sep 17 00:00:00 2001 From: omahs <73983677+omahs@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:46:03 +0200 Subject: [PATCH 2/5] fix typos Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --- docs/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 2ae17986580..18deacf659c 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -43,7 +43,7 @@ Most code scanning tools are focused on detecting specific vulnerabilities alrea ### Wasn't this project called "Scorecards" (plural)? -Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsitency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short. +Yes, kind of. The project was initially called "Security Scorecards" but that form wasn't used consistently. In particular, the repo was named "scorecard" and so was the program. Over time people started referring to either form (singular and plural) and the inconsistency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the "Security" part and use "OpenSSF" instead to ensure uniqueness. One should therefore refer to this project as "OpenSSF Scorecard" or "Scorecard" for short. ## Check-specific Questions 
@@ -55,7 +55,7 @@ While it isn't currently possible to allowlist such binaries, the Scorecard team ### Code-Review: Can it ignore bot commits? -This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons on allowing users to set up an ignore-list for bots. +This is quite a complex question. Right now, there is no way to do that. Here are some pros and cons of allowing users to set up an ignore-list for bots. - Pros: Some bots run very frequently; for some projects, reviewing every change is therefore not feasible or reasonable. - Cons: Bots can be compromised (their credentials can be compromised, for example). Or if commits are not signed, an attacker could easily send a commit spoofing the bot. This means that a bot having unsupervised write access to the repository could be a security risk. From 39403bd14c8881ba55cae6eb3f3088e9ea6ac21f Mon Sep 17 00:00:00 2001 From: omahs <73983677+omahs@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:49:24 +0200 Subject: [PATCH 3/5] fix typo Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --- docs/checks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/checks.md b/docs/checks.md index a7a130e03a6..2b1fc60d972 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -83,7 +83,7 @@ Different types of branch protection protect against different risks: - requiring two or more reviewers protects even more from the insider risk whereby a compromised contributor can be used by an attacker to LGTM - the attacker PR and inject a malicious code as if it was legitm. + the attacker PR and inject a malicious code as if it was legit. - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the 
@@ -329,7 +329,7 @@ low score is therefore not a definitive indication that the project is at risk. **Remediation steps** - Signup for automatic dependency updates with one of the previously listed dependency update tools and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on. -- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without aditional manual effort. +- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without additional manual effort. ## Fuzzing From b81382d1ad06dcd5ca39b2673336bf16e0b328e2 Mon Sep 17 00:00:00 2001 From: omahs <73983677+omahs@users.noreply.github.com> Date: Thu, 21 Sep 2023 19:46:39 +0200 Subject: [PATCH 4/5] fix typo Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 32ca96f3d66..bda6efed521 100644 --- a/README.md +++ b/README.md 
@@ -94,7 +94,7 @@ metrics. Prominent projects that use Scorecard include: ### View a Project's Score -To see scores for projects reguarly scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name: +To see scores for projects regularly scanned by Scorecard, navigate to the webviewer, replacing the placeholder text with the platform, user/org, and repository name: https://securityscorecards.dev/viewer/?uri=.com//. For example: From 1e663332866956f277cb809a29362b1a3ff3371e Mon Sep 17 00:00:00 2001 From: omahs <73983677+omahs@users.noreply.github.com> Date: Wed, 27 Sep 2023 19:27:05 +0200 Subject: [PATCH 5/5] fix typos Signed-off-by: omahs <73983677+omahs@users.noreply.github.com> --- docs/checks/internal/checks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 352cc1ad107..e4df33440f5 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -87,7 +87,7 @@ checks: - >- Unlike Dependabot, Renovate bot has support to migrate dockerfiles' dependencies from version pinning to hash pinning via the [pinDigests setting](https://docs.renovatebot.com/configuration-options/#pindigests) without - aditional manual effort. + additional manual effort. Binary-Artifacts: risk: High tags: supply-chain, security, dependencies @@ -172,7 +172,7 @@ checks: - requiring two or more reviewers protects even more from the insider risk whereby a compromised contributor can be used by an attacker to LGTM - the attacker PR and inject a malicious code as if it was legitm. + the attacker PR and inject a malicious code as if it was legit. - Prevent force push: prevents use of the `--force` command on public branches, which overwrites code irrevocably. This protection prevents the
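Review bot: the `+` line in PATCH 1/5 (README.md @@ -94) replaces one misspelling with another: "regually" becomes "reguarly", and the intended word "regularly" only lands in PATCH 4/5. Squash PATCH 4/5 into PATCH 1/5 so no commit in the series still carries the typo; the line should read `To see scores for projects regularly scanned by Scorecard, navigate to the webviewer, ...`.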
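Review bot: style nit in PATCH 2/5 (docs/faq.md @@ -43), on the same line the typo fix touches: "consolidate over the use of the singular form" reads awkwardly; "consolidate on the singular form" says the same thing more plainly. Optional, since the hunk's stated purpose is only the "inconsistency" fix.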
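Review bot: in PATCH 3/5 (docs/checks.md @@ -83) the corrected line still has an article error: "inject a malicious code" should be "inject malicious code" (code is uncountable), and in documentation prose "legitimate" is preferable to the colloquial "legit". Since PATCH 5/5 makes the identical change to docs/checks/internal/checks.yaml @@ -172, the two files evidently carry the same text; fix both together in one commit, or, if checks.md is generated from the yaml, edit only the yaml and regenerate.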
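Review bot: in PATCH 3/5 (docs/checks.md @@ -329) the context line above the fix reads "Signup for automatic dependency updates"; as a verb this should be "Sign up for". While touching this hunk, "dockerfiles'" on the changed line should be capitalised as "Dockerfiles'", and the same two nits apply to the mirrored text in PATCH 5/5 (docs/checks/internal/checks.yaml @@ -87).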
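Review bot: PATCH 5/5 (docs/checks/internal/checks.yaml @@ -87 and @@ -172) applies to the yaml exactly the two corrections PATCH 3/5 made to docs/checks.md, so between those commits the .md and .yaml disagree. Squash 5/5 into 3/5 so the matching files change atomically; this also keeps the series at three typo commits (README, faq, checks) that each stand on their own.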