Add OSSF Scorecard

[gabibguti]

What is the problem this feature will solve?

Improve the project's security against supply-chain attacks.

What are supply-chain attacks?
Attacks that add malicious code to your project through build, release and other phases of development. E.g. A hacker may hijack your GH account and add a script to your project that steals user's personal information 'cause you had push-force access to main.

Supply-chain attacks have been increasing over the years according to the sonatype State of the Software Supply-Chain report and given node's popularity it's a reasonable target.

What is the feature you are proposing to solve the problem?

Adding the OSSF Scorecard tool to identify supply-chain security improvements.

Scorecard checks for best practices such as if main branch is protected, if code is being reviewed in PRs and if binaries are being avoided. Below, you can see that sonatype uses Scorecard to check how projects are most vulnerable.

What alternatives have you considered?

None.

Additional Context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

[RafaelGSS]

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

[mcollina]

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

This being said, compiling to WASM is hard and they require quite a few more dependencies. I'm not 100% sure what we should do about this in practice.

[mhdawson]

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

I think as a first step we can automate the generation of the wasm modules and better manage the dependencies that we use as part of the build for the wasm. I know that won't solve the concern about binary artifacts but will be some help.

[gabibguti]

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

Hello @RafaelGSS! Nice! According to node's calendar the next meeting will be December 22 10AM in Brazil. Is that correct? If so, either me or my team colleagues can attend.

[RafaelGSS]

@gabibguti I think we'll postpone this week's meeting to next year. Due to the holidays, most of our team won't be able to attend. Anyway, stay tuned at: #853

[gabibguti]

About the WASM binaries.

Hi @mcollina! You've raised a very interesting point. We will not always be able to remove the binaries. If we do need the binaries, which seems the case, we can try make their generation and update more trustable. For example, by automating the generation as @mhdawson said.

Further explanation...
The problem with binaries is that you don't know what's inside them. If a binary is generated manually, we are trusting the person is following the documented process. However, if the person generates it differently and opens a PR updating the binary, you probably wouldn't be able to tell if there is malicious code in there.

I will make sure we comment on this topic on the meeting.

[mhdawson]

@gabibguti - not sure which context you are looking at this from but as an FYI this PR is related in that it allows distros to externalize the WASM and re-build them on their own. That of course does not address the issue for those using the community binaries and as you mentioned making the generation/update more trustable helps. I think it will also help the distro's as the better we document/manage the generation of these components the easier the rebuilds would be as well.

[RafaelGSS]

@gabibguti I think you missed today's meeting. Could you join the next one? It will be Jan 19th

[gabibguti]

@RafaelGSS Oh sorry! I didn't see the new issue regarding the meeting. Yes! I'll join the next one along with my team mates.

[gabibguti]

As discussed in the Security WG's latest meeting, here are the steps to add Scorecard to node:

How to add Scorecard GHA

On the repository page, you can open Actions tab, click "New workflow", search for "Scorecard" and click "Configure" to add the action.
or
Add through Security tab following https://github.com/ossf/scorecard-action#installation

Configuring Scorecard to run on PRs

You can replace the workflow triggers by pull_request trigger.

[mhdawson]

Adding to TSC agenda as an FYI. I think enabling this makes sense. Even if we enable per PR it won't block landing but should give us additional info in terms of any security implecations.

[mcollina]

Could we add this to Undici as well?

[pnacht]

Hey everyone, thanks for your time in yesterday's meeting.

Unfortunately, I must issue a correction: at one point I said that Scorecard can monitor the main branch and release branches. This is unfortunately not the case. Scorecard only runs on the main ("default") branch.

I was thinking of a single check which runs on all branches, but all others only scan the main branch.

My apologies.

[mhdawson]

@mcollina I've not looked but it sounds like it is per repo versus per org and in that case I think we should plan to enable for the repo's where it makes sense including undici.

[RafaelGSS]

PRs on core:

• tools: use actions pinned by commit hash on coverage-linux.yml node#46294

Note: please update the list

[RafaelGSS]

Based on today's discussion (#872) the next steps would be:

• Create a workflow to use ossf/scorecard-action
• Evaluate the score in the next meeting
• Enable CodeScanning on an MVP (Security-WG/Undici) (optional?)

@fraxken will be championing it

[fraxken]

@RafaelGSS PR opened: #873

[UlisesGascon]

As agreed in last meeting, I was working in this little script that can automate the process for collecting the scores from several repos and trigger alerts via issues. Here is the Github Action in the marketplace that I created. I can do a little demo (60 sec) in our next meeting #877 and discuss the next steps ;-)

[fraxken]

@mcollina We added the scorecard workflow on that repository. You can take a look at the result (alerts) in the Security tab.

If you'r ok I can open a pull request on undici to add the OSSF scorecard workflow?

[RafaelGSS]

First, I think undici needs to enable "Code Scanning", right?

[mcollina]

What should I do exactly?

[fraxken]

First, I think undici needs to enable "Code Scanning", right?

It will be enabled by adding the OSSF scorecard workflow. I was going to say I could do it but I don't have the access.

---

Here is the official instructions.

Just the first time when clicking on Set up code scanning, you need to look for "Explore workflows". Then you enter scorecard in the searchbar.

[UlisesGascon]

The code scanning is working fine! I can see fresh results for undici and security-wg repos, See reporting

[RafaelGSS]

Closing this issue as completed. Further updates in the Node.js organization will be made through #859.