Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Scorecard badges #271

Closed
naveensrinivasan opened this issue Mar 12, 2021 · 14 comments
Closed

Feature Scorecard badges #271

naveensrinivasan opened this issue Mar 12, 2021 · 14 comments
Assignees
@asraa
Milestone
v5

Comments

@naveensrinivasan
Copy link
Member

Is your feature request related to a problem? Please describe.
Scorecard should provide a badge for repositories to include in their README to display their compliance.

Scorecard badges

The scorecard should provide badges similar to other https://github.com/badges/shields OSS badges for compliance.

Goals

  • Scorecard should provide badge results based on scorecard runs on the (cron)server to ensure compliance and validation. Similar to Codecov.
  • Scorecard should provide a predictable API to fetch the badges. An example could be https://somefqdn/github/ossf/scorecard/badge
  • Scorecard results calculation - TBD - The discussion of calculation should be a separate issue.

Implementaion

  • Scorecard would create a separate HTTP application (within the scorecard repository) which would generate the badge.
  • Scorecard would use the Results from the scheduled cron run to generate the badge. The results of the cron are stored within the GCS bucket as latest.json
  • The HTTP application would be stateless.
  • The application would be hosted on Google Cloud Run which will scalability with less maintenance.

In this example

  • The k8s repository README.md would request the scorecard badge service for the badge
  • The badge service would fetch the results from the GC bucket which has the latest.json results from the cron job
  • The badge service calculates the score and returns the SVG.
@naveensrinivasan naveensrinivasan added the kind/enhancement New feature or request label Mar 12, 2021
@naveensrinivasan
Copy link
Member Author

@inferno-chromium What are your thoughts on this?

@inferno-chromium inferno-chromium added core feature priority/must-do Upcoming release and removed kind/enhancement New feature or request labels Mar 22, 2021
@inferno-chromium inferno-chromium mentioned this issue Mar 22, 2021
Closed
@naveensrinivasan naveensrinivasan mentioned this issue Mar 22, 2021
Closed
1 task
@naveensrinivasan naveensrinivasan mentioned this issue Apr 16, 2021
Closed
2 tasks
@azeemshaikh38 azeemshaikh38 mentioned this issue May 26, 2021
Closed
@inferno-chromium inferno-chromium added this to the milestone-q2 milestone May 26, 2021
@azeemshaikh38 azeemshaikh38 mentioned this issue Jul 4, 2021
Closed
@laurentsimon
Copy link
Contributor

Is there going to be a single badge/score, or one for each check?

@naveensrinivasan
Copy link
Member Author

I would think of a single badge with different levels like CII https://bestpractices.coreinfrastructure.org/en/projects/569

@laurentsimon
Copy link
Contributor

laurentsimon commented Jul 7, 2021
edited
Loading

sounds like a good idea. SLSA levels would be great, but I'm not 100% sure they directly map to the scorecard checks.

@naveensrinivasan
Copy link
Member Author

naveensrinivasan commented Jul 8, 2021
edited
Loading

sounds like a good idea. SLSA levels would be great, but I'm not 100% sure they directly map to the scorecard checks.

That is even better IMO. We have to just agree on what check constitutes to the levels.

@laurentsimon
Copy link
Contributor

@mmaraya is driving remediation efforts and working on the definition of 'tiers', aka levels for oss. @mmaraya, feel free to provide some insights/feedback.

@inferno-chromium
Copy link
Contributor

SLSA is wip, and only a set of checks will apply to SLSA not all. So, this needs more thought.

@mmaraya
Copy link
Contributor

mmaraya commented Jul 9, 2021

I like the idea of a single badge with different levels expressed by the number of checks passed. We'll need to list the applicable checks, some of which could come from SLSA requirements but maybe not the levels themselves.

@naveensrinivasan
Copy link
Member Author

I like the idea of a single badge with different levels expressed by the number of checks passed. We'll need to list the applicable checks, some of which could come from SLSA requirements but maybe not the levels themselves.

I disagree with having checks passed as a number in the badge. It could be sending a wrong message to the consumer of any of the repositories/packages. Also, it would discourage from repositories adopting the badge.

For example, https://deps.dev/go/k8s.io%2Fkubernetes has 9/16of 16 checks only 9 passes. So if I as a user would like to consume the k8s package I would be cautious because the percentage of failure is more than 40%.

But in reality, some of the checks aren't applicable to k8s like signed-releases, SAST, Automatic-Dependency-Update.

Having a tiered approach to badges would be helpful similar to CII/SLSA.

Thoughts?

@laurentsimon
Copy link
Contributor

I also prefer qualitative information. In addition to what Naveen said, it empowers consumers of the dependency to make informed decisions about the risks they are comfortable taking. Some users may weight different checks differently so it's hard for us (scorecard) to make that decision on behalf of everyone.

Let's discuss this more in an upcoming meeting.

@mmaraya
Copy link
Contributor

mmaraya commented Jul 9, 2021

Agree that this needs more discussion. We'll need to find a balance across badge adoption, check applicability, and giving package users easily-digestible information to make a risk-based decision. Note that I wasn't proposing a percentage as not all checks will be applicable to all packages, so the denominator could vary from package to package.

@laurentsimon laurentsimon modified the milestones: milestone-q2, milestone-q3 Jul 9, 2021
@laurentsimon laurentsimon removed this from the milestone-q3 milestone Nov 15, 2021
@laurentsimon laurentsimon added needs discussion and removed priority/must-do Upcoming release labels Nov 18, 2021
@laurentsimon laurentsimon mentioned this issue Nov 18, 2021
Closed
@azeemshaikh38
Copy link
Contributor

This is now on our roadmap. @laurentsimon @asraa could one of you update this issue with a high-level overview of the design?

@laurentsimon laurentsimon added this to the milestone v5 milestone Jan 18, 2022
@azeemshaikh38
Copy link
Contributor

@rohankh532 fyi.

@azeemshaikh38 azeemshaikh38 mentioned this issue Feb 13, 2022
Open
@JonasPammer JonasPammer mentioned this issue Aug 2, 2022
Merged
5 tasks
@azeemshaikh38
Copy link
Contributor

ossf/scorecard-action#133 fixes this. Closing the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asraa asraa

Labels
None yet
Projects
None yet
Milestone
v5
Development

Successfully merging a pull request may close this issue.

✨ scorecard badges ossf/scorecard
6 participants
@naveensrinivasan @azeemshaikh38 @asraa @mmaraya @inferno-chromium @laurentsimon