-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setup OpenSSF scorecards and fix issues #530
Comments
These are not vulnerabilities in taskcluster. The report is also older than #1935 getting merged, as far as I can tell. |
Yeah, no. The file |
mozilla/neqo#1935 deletes that file... |
You're right. The OSSF score was taken when that file was still present. Still, it was created by |
I think Julien meant that this repo is not theTaskcluster repo, and any vulnerabilities here do not represent vulnerabilities in the CI system itself. The scope of this repo is more or less limited to the decision task. That said I've been meaning to setup openssf here already and I don't see why we wouldn't want to fix these. Also fwiw openssf was a requirement in the recent fxci-config rra I did, so seems prudent to get it going in general |
I think there's some investigation required too. I think last time I looked openssf didn't know about pip-compile-multi, so thought our dependencies weren't locked and gave us a bogus score. This might block on switching to poetry |
Pulling in Taskcluster via mozilla/neqo#1935 made neqo's OSSF score drop because of unpatched vulnerabilities in taskcluster:
Reason
7 existing vulnerabilities detected
Details
Warn: Project is vulnerable to: GHSA-jjg7-2v4v-x38h
Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95
Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj
Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56
Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf
Warn: Project is vulnerable to: GHSA-g4mx-q9vg-27p4 / PYSEC-2023-212
Warn: Project is vulnerable to: GHSA-v845-jxx5-vc9f / PYSEC-2023-192
The text was updated successfully, but these errors were encountered: