
Address errors raised by OpenSSF's Scorecard #55748

Closed

Conversation

gregorywaynepower
Contributor

@gregorywaynepower gregorywaynepower commented Jan 2, 2024

Description

Endeavoring to make this repository score better on the OpenSSF's Scorecard metrics and make security less of a pain. The reason I'm submitting is due to the results I got from the OpenSSF's Scorecard CLI Tool--the writeup is attached to #55733. I can see what I can do to test and update these dependencies. From the conversation I've had with maintainers so far, some of these are centered around the QGIS Server landing page.

If the above are false positives, I can go ahead with making an osv-scanner.toml as listed so y'all aren't peppered with never-ending alerts if these issues have been addressed. If y'all want more information on OSV-Scanner, which is what is used under the hood, you can look to Google's website for OSV-Scanner or the GitHub repo.

@gregorywaynepower gregorywaynepower marked this pull request as draft January 2, 2024 16:36
@github-actions github-actions bot added this to the 3.36.0 milestone Jan 2, 2024
@elpaso
Contributor

elpaso commented Jan 2, 2024

About the NPM issues, they are all false positives related to the use of JavaScript as a backend language; we are using JavaScript to build a frontend web application based on Vue.js.

@elpaso
Contributor

elpaso commented Jan 2, 2024

> About the NPM issues, they are all false positives related to the use of JavaScript as a backend language; we are using JavaScript to build a frontend web application based on Vue.js.

... forgot to mention that the JS application is not built nor shipped anymore, see: #55462. If no action is taken by the package maintainers I will probably remove the landing page functionality altogether.

@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 2, 2024

> About the NPM issues, they are all false positives related to the use of JavaScript as a backend language; we are using JavaScript to build a frontend web application based on Vue.js.
>
> ... forgot to mention that the JS application is not built nor shipped anymore, see: #55462. If no action is taken by the package maintainers I will probably remove the landing page functionality altogether.

I appreciate the context! This doesn't relate to QGIS-Server, right? Is this related to just the Catalog feature? Apologies, I'm not terribly familiar with this side of the project.

@haubourg
Member

haubourg commented Jan 2, 2024

> I appreciate the context! This doesn't relate to QGIS-Server, right? Is this related to just the Catalog feature? Apologies, I'm not terribly familiar with this side of the project.

The server landing page is part of the OGC API new specifications, so yes, it belongs to QGIS server. See http://opengeospatial.github.io/e-learning/ogcapi-features/text/operations.html#landing-page

Thanks a lot for your PR, it will be excellent to have scanner results in PRs' artifacts.

@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 2, 2024

@elpaso So were you planning on axing QGIS Server in its entirety or just the Catalog feature?

@haubourg I appreciate you all being open towards the PR, usually folks bristle at the thought of dealing with security patches and the added work it entails.

We do have two options available for implementing the Scorecard.

  1. GitHub Action - lets you add multiple tokens and appears to be easier to configure (this is what I've implemented in my fork)
  2. GitHub App Installation - has higher rate-limit quotas (not sure what limits the GitHub Action has vs GitHub App), lets you add multiple tokens, is a bit more involved.

@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 2, 2024

I've added the OpenSSF Best Practices Badge as well.

@NathanW2 By the looks of it, I have reason to believe that this repo would get a much higher score than the 2018 audit did, and I'd be more than willing to do the audit if you give me the ability to update your prior audit.

@gregorywaynepower gregorywaynepower marked this pull request as ready for review January 2, 2024 22:27
@gregorywaynepower
Contributor Author

@elpaso All right, feel free to review the reasons listed under my most recent commit. Feel free to provide additional context as to why these are being ignored if my paraphrasing of your statement and reference to this PR isn't enough.

You score 10/10 for the Vulnerabilities check because of these changes; the OpenSSF Scorecard and the OpenSSF Best Practices badge have also been added to the README.md.

@gregorywaynepower gregorywaynepower marked this pull request as draft January 2, 2024 22:38
@elpaso
Contributor

elpaso commented Jan 3, 2024

> @elpaso So were you planning on axing QGIS Server in its entirety or just the Catalog feature?

Just the catalog.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@gregorywaynepower
Contributor Author

> This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

This has been reverted in 4967b29.

@gregorywaynepower gregorywaynepower marked this pull request as ready for review January 9, 2024 17:23
@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 9, 2024

@haubourg & @elpaso :

I've held off from adding the following recommendations from StepSecurity for this repo for the time being:

  • Add step-security/harden-runner - This would introduce a large amount of labor and I wasn't sure if this were a large load of false positives or not.
  • Add CodeQL Workflow ( SAST Tool) - This would introduce a large amount of labor and I wasn't sure if this were a large load of false positives or not.
  • Add Dependency Review Workflow - I wasn't sure if this were a large load of false positives or not.
  • Update the pre-commit configuration - I don't want to interfere with your existing linting.

I can understand if adding OpenSSF's GitHub Action may be a bit of a large ask. I can break the following out into a separate pull request if you all are concerned about additional labor for maintainers:

  • Add your OpenSSF Scorecard to the README
  • OpenSSF Best Practices Badge to the README
  • include the osv-scanner.toml file to remove the Vulnerability positives from the OpenSSF scorecard CLI Tool.
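As an added illustration (not the PR's own file), this is the shape an osv-scanner.toml suppression takes for the landing-page findings discussed above; the advisory id is a placeholder, since the thread does not list the reported ids, and the expiry date is a constructed value.

```toml
# Added example, not the osv-scanner.toml from this PR. Suppresses OSV-Scanner
# findings the maintainers judged false positives because the Vue.js landing-page
# frontend is no longer built or shipped (see #55462). Each entry names the
# advisory, records the reason, and carries an expiry so the suppression is
# re-evaluated instead of silencing the alert forever.

[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"   # placeholder: the advisory id actually reported by the scanner
ignoreUntil = 2024-07-01     # constructed date; the finding resurfaces after this
reason = "Frontend-only dependency of the QGIS Server landing page; the app is not built or shipped (see #55462, #55748)."
```

Without `ignoreUntil`, the entry is permanent, which is exactly the "never-ending" silence the PR is trying to avoid in the other direction.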

Member

@haubourg haubourg left a comment


@gregorywaynepower Hello, sorry for the lag.
I would focus the PR on the OSSF activation part, ie. readme, actions and artifacts creation.
Fixing dependency and docker versions should probably be tackled in a subsequent approach where we will probably discuss a lot about maintenance, real exposure etc. I'd be happy to have other devs' opinions here.

Review comments (outdated, resolved) on: .ci/ogc/Dockerfile, .github/workflows/backport.yml
@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 14, 2024

@haubourg I can understand the lag--there is a lot going on in this pull request. I have no problem with having the addition of OpenSSF's GitHub Action and making decisions on what recommendations to implement as a separate pull request so you aren't inundated with notifications from OpenSSF's GitHub Action.

For context, all those "StepSecurity" commits are what the OpenSSF GitHub Action will pester you about adding.


The QGIS project highly values your contribution and would love to see this work merged! Unfortunately this PR has not had any activity in the last 14 days and is being automatically marked as "stale". If you think this pull request should be merged, please check

  • that all unit tests are passing
  • that all comments by reviewers have been addressed
  • that there is enough information for reviewers, in particular
    • link to any issues which this pull request fixes
    • add a description of workflows which this pull request fixes
    • add screenshots if applicable
  • that you have written unit tests where possible

In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this pull request.
If there is no further activity on this pull request, it will be closed in a week.

@github-actions github-actions bot added the stale Uh oh! Seems this work is abandoned, and the PR is about to close. label Jan 31, 2024
@gregorywaynepower gregorywaynepower marked this pull request as draft January 31, 2024 02:53
@github-actions github-actions bot removed the stale Uh oh! Seems this work is abandoned, and the PR is about to close. label Jan 31, 2024
@gregorywaynepower
Contributor Author

gregorywaynepower commented Jan 31, 2024

Hello Folks,

I'm closing this pull request since we should address the addition of the Open Source Security Foundation's Scorecard GitHub Action incrementally. Thank you all for your input so far in this process.


4 participants