📖 Update bestpractices links (#3448)

Signed-off-by: Fred Gan <ganshaolong@vip.qq.com>
Fred Gan 2023-09-13 06:47:53 +08:00 committed by GitHub
parent ac6ea1101c
commit 146f0eb1e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 17 additions and 17 deletions

View File

@ -1,7 +1,7 @@
# OpenSSF Scorecard
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)
![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
[![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)
@ -472,7 +472,7 @@ Name | Description | Risk Level | Token Req
[Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported |
[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT
[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |
[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating |
[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating |
[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported |

View File

@ -34,7 +34,7 @@ const (
)
// BadgeLevel corresponds to CII-Best-Practices badge levels.
// https://bestpractices.coreinfrastructure.org/en
// https://www.bestpractices.dev/en
type BadgeLevel uint
// String returns a string value for BadgeLevel enum.

View File

@ -49,7 +49,7 @@ func (transport *expBackoffTransport) RoundTrip(req *http.Request) (*http.Respon
// GetBadgeLevel implements CIIBestPracticesClient.GetBadgeLevel.
func (client *httpClientCIIBestPractices) GetBadgeLevel(ctx context.Context, uri string) (BadgeLevel, error) {
repoURI := fmt.Sprintf("https://%s", uri)
url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURI)
url := fmt.Sprintf("https://www.bestpractices.dev/projects.json?url=%s", repoURI)
req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
if err != nil {
return Unknown, fmt.Errorf("error during http.NewRequestWithContext: %w", err)
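Review bot: the new `url := fmt.Sprintf("https://www.bestpractices.dev/projects.json?url=%s", repoURI)` line keeps interpolating the caller-supplied `uri` into the query string without escaping, so a value containing `&`, `#` or `?` alters the request instead of the `url` parameter; since the line is being rewritten anyway, build it as `"https://www.bestpractices.dev/projects.json?" + url.Values{"url": {repoURI}}.Encode()` (or pass `repoURI` through `url.QueryEscape`). The same endpoint is also written out as the `ciiBaseURL` constant in the next file of this commit; one shared constant would make the next host change a single edit. Minor: `http.MethodGet` rather than the `"GET"` literal.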

View File

@ -29,7 +29,7 @@ import (
"github.com/ossf/scorecard/v4/cron/data"
)
const ciiBaseURL = "https://bestpractices.coreinfrastructure.org/projects.json"
const ciiBaseURL = "https://www.bestpractices.dev/projects.json"
type ciiPageResp struct {
RepoURL string `json:"repo_url"`
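Review bot: `ciiBaseURL` now spells out the same `https://www.bestpractices.dev/projects.json` endpoint that `GetBadgeLevel` in the client package hard-codes in its own `fmt.Sprintf` earlier in this commit; exporting this constant (or moving it somewhere both packages can import) and having the client use it would keep the two from drifting the next time the badge host moves.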

View File

@ -165,17 +165,17 @@ If a project's system was not detected and you think it should be, please
Risk: `Low` (possibly not following security best practices)
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open
source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.
The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.
- [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
- [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
- [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
- [gold badge](https://www.bestpractices.dev/criteria/2): 10
- [silver badge](https://www.bestpractices.dev/criteria/1): 7
- [passing badge](https://www.bestpractices.dev/criteria/0): 5
- in progress badge: 2
Some of these criteria overlap with other Scorecard checks.
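Review bot: the unchanged context line "indicates whether or not that the project uses" carries a stray "that" (read: "indicates whether or not the project uses"); worth fixing while this paragraph is already being edited. The updated links are consistent with each other: the gold criteria link in the paragraph and the gold, silver and passing links in the score list all use the same `/criteria/2`, `/criteria/1`, `/criteria/0` paths on `www.bestpractices.dev`.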
@ -183,7 +183,7 @@ However, note that in those overlapping cases, Scorecard can only report what it
**Remediation steps**
- Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
- Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/).
## Code-Review

View File

@ -263,24 +263,24 @@ checks:
description: |
Risk: `Low` (possibly not following security best practices)
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org/) at the passing, silver, or gold level.
This check determines whether the project has earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev/) at the passing, silver, or gold level.
The OpenSSF Best Practices badge indicates whether or not that the project uses a set of security-focused best development practices for open
source software. The check uses the URL for the Git repo and the OpenSSF Best Practices badge API.
The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold. We give
full credit to projects that meet the [gold criteria](https://bestpractices.coreinfrastructure.org/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
full credit to projects that meet the [gold criteria](https://www.bestpractices.dev/criteria/2), which is a significant achievement for projects and requires multiple developers in the project.
Lower scores represent a project that has met the silver criteria, met the passing criteria, or is working to achieve the passing badge, with increasingly more points awarded as more criteria are met. Note that even meeting the passing criteria is a significant achievement.
- [gold badge](https://bestpractices.coreinfrastructure.org/criteria/2): 10
- [silver badge](https://bestpractices.coreinfrastructure.org/criteria/1): 7
- [passing badge](https://bestpractices.coreinfrastructure.org/criteria/0): 5
- [gold badge](https://www.bestpractices.dev/criteria/2): 10
- [silver badge](https://www.bestpractices.dev/criteria/1): 7
- [passing badge](https://www.bestpractices.dev/criteria/0): 5
- in progress badge: 2
Some of these criteria overlap with other Scorecard checks.
However, note that in those overlapping cases, Scorecard can only report what it can automatically detect, while the OpenSSF Best Practices badge can report on claims and claim justifications from people (this counters false negatives and positives but has the challenge of requiring additional work from people).
remediation:
- >-
Sign up for the [OpenSSF Best Practices program](https://bestpractices.coreinfrastructure.org/).
Sign up for the [OpenSSF Best Practices program](https://www.bestpractices.dev/).
Code-Review:
risk: High
tags: supply-chain, security, source-code, code-reviews
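Review bot: this YAML description is word-for-word the markdown changed in `docs/checks.md` earlier in this commit, down to the same "whether or not that the project uses" slip in the second sentence. If the markdown is generated from this file, the correction belongs here and the markdown should come from rerunning the generator rather than being patched by hand, so the two copies cannot drift; either way, drop the stray "that" in both.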