Add OSSF Scorecard

[gabibguti]

What is the problem this feature will solve?

Improve the project's security against supply-chain attacks.

What are supply-chain attacks?
Attacks that add malicious code to your project through build, release and other phases of development. E.g. A hacker may hijack your GH account and add a script to your project that steals user's personal information 'cause you had push-force access to main.

Supply-chain attacks have been increasing over the years according to the sonatype State of the Software Supply-Chain report and given node's popularity it's a reasonable target.

What is the feature you are proposing to solve the problem?

Adding the OSSF Scorecard tool to identify supply-chain security improvements.

Scorecard checks for best practices such as if main branch is protected, if code is being reviewed in PRs and if binaries are being avoided. Below, you can see that sonatype uses Scorecard to check how projects are most vulnerable.

What alternatives have you considered?

None.

Additional Context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

[RafaelGSS]

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

[mcollina]

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

This being said, compiling to WASM is hard and they require quite a few more dependencies. I'm not 100% sure what we should do about this in practice.

[mhdawson]

Something to note on this: currently we include several compiled wasm modules. This is against the concept of "binary artifacts".

I think as a first step we can automate the generation of the wasm modules and better manage the dependencies that we use as part of the build for the wasm. I know that won't solve the concern about binary artifacts but will be some help.

[gabibguti]

Hi @gabibguti we're evaluating it in the Security-WG . See the next initiatives: #846.

Also, feel free to join our call to share your point of view.

Hello @RafaelGSS! Nice! According to node's calendar the next meeting will be December 22 10AM in Brazil. Is that correct? If so, either me or my team colleagues can attend.

[RafaelGSS]

@gabibguti I think we'll postpone this week's meeting to next year. Due to the holidays, most of our team won't be able to attend. Anyway, stay tuned at: #853

[gabibguti]

About the WASM binaries.

Hi @mcollina! You've raised a very interesting point. We will not always be able to remove the binaries. If we do need the binaries, which seems the case, we can try make their generation and update more trustable. For example, by automating the generation as @mhdawson said.

Further explanation...
The problem with binaries is that you don't know what's inside them. If a binary is generated manually, we are trusting the person is following the documented process. However, if the person generates it differently and opens a PR updating the binary, you probably wouldn't be able to tell if there is malicious code in there.

I will make sure we comment on this topic on the meeting.

[mhdawson]

@gabibguti - not sure which context you are looking at this from but as an FYI this PR is related in that it allows distros to externalize the WASM and re-build them on their own. That of course does not address the issue for those using the community binaries and as you mentioned making the generation/update more trustable helps. I think it will also help the distro's as the better we document/manage the generation of these components the easier the rebuilds would be as well.

[RafaelGSS]

@gabibguti I think you missed today's meeting. Could you join the next one? It will be Jan 19th

[gabibguti]

@RafaelGSS Oh sorry! I didn't see the new issue regarding the meeting. Yes! I'll join the next one along with my team mates.