Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118892 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 41957 invoked from network); 27 Oct 2022 22:32:22 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 27 Oct 2022 22:32:22 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 773C11804F7 for ; Thu, 27 Oct 2022 15:32:21 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS24940 176.9.0.0/16 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 27 Oct 2022 15:32:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1666909938; bh=kPKgz8VuARWewSD2Ww96OWnTp4DU4VX07gIch4a/Udo=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=a1Cm1Y36LTjb3GUd/8G2HCirasOuIZZrw17ArRProVkVr4gaxVAfMciUDC19StpfH DuGboI+2KvQ7vuRnko23jIaxF9iIXBVMvJ8NFikmqzrgj0PGeIkErps7q2Kz8HYdyQ g8lIbjhcrITOIGY3vkKcDzb4VUMJqjh5HlKgBZRd0/R1pwTv/Qa3XP8pO83tiOVLW5 H7K4c3Nk/RO5czgfcR7hK3q5/ott18ACnOzlnQswmHBZu+LbGPQ3r9ZJZRlBa7qknS dkTU82uuGbTN/rnZroRvaz4tGlrgd4s/jrnzPZqiXIkdxrh1OF4/HR0bWZxd2Gmz9Y 62tlREORIvSnA== Message-ID: <19932b6e-efe8-d24a-0e1e-e8960fb1566b@bastelstu.be> Date: Fri, 28 Oct 2022 00:32:18 +0200 MIME-Version: 1.0 Content-Language: en-US To: Pedro Nacht , Jordan LeDoux Cc: internals@lists.php.net References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] Adding the OpenSSF Scorecards GitHub Action From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=) Hi I'm also highly sceptical of wasting CPU time on such an automated scan. Once the few universally useful low-hanging fruits are picked, only the non-low-hanging fruits remain by definition. If they are not implemented reasonably timely then there is likely a reason for that, be that technical or processual. Then there is also no need for the reports to sit within the Security tab forever and also no need for them to be rechecked by maintainers regularly. Then there's also the issue of what's effectively false-positives (see below) which further distract from whatever benefit to the automated scan there might be in the first place. On 10/24/22 19:05, Pedro Nacht via internals wrote: > - set GitHub workflow dependencies to adopt hash-pinning instead of > major-version pinning. This is to eliminate the risk of tag-hijacking > attacks where a malicious commit is published to an Action you rely on and > the tag is then recreated to point to that malicious commit. Dependabot or > Renovatebot (which the tool also recommends adding to the project) can then > be used to keep your dependencies up-to-date. Is there any practical benefit to this when all the workflows are read-only with regard to the repository contents? On the contrary I believe that hashes make it much harder to verify which major version of an action is used, e.g. to check the changelog for any relevant breaking changes before upgrading the action. > - set all GitHub workflows with top-level read-only permissions. It > recognizes that almost all PHP's workflows have top-level read-only > permissions, but points out that github/workflows/labeler.yml doesn't > (though it does have job-level contents read-only permissions). I consider that a false-positive then, because the workflows *is* secure in practice. No need to waste maintainers time with the busy-work of moving the 'permissions' section around. I can see the small benefit of consistency across workflows, though and will likely send a PR to unify this if no one beats me to it. > - and yes, enforce Code-Review and maximal Branch-Protection. I > understand this would be quite impactful on the project's current workflow, > but it's the sort of thing that would mitigate the sort of > attack @ricardoboss mentioned in the linked GH issue. Whether the costs are > worth the benefit is a question you are all certainly better equipped to > determine than me. I would hope none of the core contributers disputes the benefit of code review, so … there is no need for a tool to tell them what they already know. > However, others offer more continuous monitoring in case there's an > accidental slip-up: if any new workflows are added to the project in the > future without minimal permissions or without pinning dependencies, for > example, the Action will update the Security Dashboard with an alert. The repository is already configured to only grant "read" permissions to the workflow by default using this setting: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions I believe this is a much more reliable solution than expecting the maintainers to regularly check the Security Tab and noticing that a new warning popped up. The proposed automated scanner does not appear to detect that this setting is enabled, thus effectively making the labeler.yml report a double false-positive. Best regards Tim Düsterhus