The recommendations for security #2746

Open
China-zoupanpan opened this issue Dec 11, 2024 · 0 comments
Labels
ctg-enhancement New feature, improvement or change request

Comments

@China-zoupanpan

I am writing to inquire if you are the administrator of the UTBotJava repository. If so, I would like to share some recommendations from the Scorecard tool on how to improve the security properties of your repository.

Scorecard is an automated tool that assesses the security risks of open-source projects through a series of checks. These checks cover three main themes: comprehensive security practices, source code risk assessment, and build process risk assessment. You can use it to run checks on your own code or other projects and obtain scores and risk levels for each check. Each check is scored between 0 and 10, with higher scores indicating higher security levels for open-source software. The overall score is the weighted average of each check's score, also ranging from 0 to 10.

Our evaluation has identified several areas where UTBotJava could benefit from enhancements:

- Token-Permissions: It is recommended that the token permissions setting in the workflows be limited to read-only access.
- Branch-Protection: We suggest implementing the following measures:
  - Require at least one reviewer for approval before merging (administrators' requirements count twice)
  - Administrators should require pull requests prior to making any code changes
  - Administrators should ensure the target branch is up-to-date before merging
  - Administrators should require approval of the most recent reviewable push
- Enabling Dependabot in the repository can provide witnesses to potential vulnerabilities.
- Opening CodeQL for scanning may identify additional issues.
- Signed Releases can add an extra layer of safeguard against malicious interference.
- A clear Security Policy and process for gathering and addressing vulnerability reports would be beneficial.
- Binary Artifacts present in the utbot-junit-contest/src/resources/projects directory may pose a risk.

We believe these improvements will enhance the overall security posture of the UTBotJava repository. Thank you for considering our recommendations.

Best regards,
zoupanpan
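The Token-Permissions recommendation above maps to a single top-level `permissions:` block in each workflow file. The following workflow is an added example written for this page; it is not one of UTBotJava's own workflows, and the Gradle build command, Java version and the jar path uploaded by the release job are assumptions about the project's layout. It shows the pattern Scorecard is asking for: the `GITHUB_TOKEN` is read-only for every job by default, and the one job that genuinely needs to write gets only the scope it needs, at job level.

```yaml
# .github/workflows/build.yml  (added example, not the project's own workflow)
name: build

on:
  pull_request:
  push:
    branches: [ main ]

# Workflow-wide default: the GITHUB_TOKEN can only read repository contents.
# Without this block the token inherits the repository's default setting,
# which on older repositories is read/write on every scope, so a compromised
# step or third-party action could push code, edit releases or alter issues.
# `permissions: read-all` is an equivalent shorthand if the workflow needs
# read access to more than contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'          # assumption: project targets Java 17
      - run: ./gradlew build --no-daemon   # assumption: Gradle wrapper at repo root

  # Only the release job needs to write, and only to `contents` (releases
  # and their assets). Job-level permissions override the workflow default
  # for this job alone; every other job keeps the read-only token.
  release:
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: ./gradlew build --no-daemon
      # `gh` is preinstalled on GitHub-hosted runners; the jar path is assumed.
      - run: gh release upload "${GITHUB_REF_NAME}" build/libs/*.jar
        env:
          GH_TOKEN: ${{ github.token }}
```

Scorecard's check passes when every workflow declares a top-level `permissions:` block that is read-only and any write scopes appear only at job level. When reviewing an existing workflow, look for a missing top-level block (inherits the repository default) or for `permissions: write-all`, which is the setting the check is designed to flag.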
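The Dependabot recommendation is also a single configuration file. The file below is an added example, not UTBotJava's own configuration; it assumes the project builds with Gradle from the repository root. Covering the `github-actions` ecosystem as well as the build dependencies matters because the workflow actions themselves are dependencies that can carry vulnerabilities.

```yaml
# .github/dependabot.yml  (added example, not the project's own configuration)
version: 2
updates:
  # Build dependencies. Gradle at the repository root is an assumption about
  # the project's layout; adjust `directory` if the build file lives elsewhere.
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: weekly

  # The actions referenced by the workflows are dependencies too. Dependabot
  # opens a pull request whenever a referenced action publishes a new version
  # or a security advisory.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

Dependabot security updates (advisory-driven pull requests) are enabled separately in the repository's settings under Code security and analysis; the file above controls version updates, and Scorecard's Dependency-Update-Tool check looks for the presence of this file.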
