Setup OpenSSF scorecards and fix issues #530
Pulling in Taskcluster via mozilla/neqo#1935 made neqo's OSSF score drop because of unpatched vulnerabilities in taskcluster:
Reason: 7 existing vulnerabilities detected
Details:
Warn: Project is vulnerable to: GHSA-jjg7-2v4v-x38h
Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95
Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj
Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56
Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf
Warn: Project is vulnerable to: GHSA-g4mx-q9vg-27p4 / PYSEC-2023-212
Warn: Project is vulnerable to: GHSA-v845-jxx5-vc9f / PYSEC-2023-192
Comments
These are not vulnerabilities in taskcluster. The report is also older than #1935 getting merged, as far as I can tell.
Yeah, no. The file
mozilla/neqo#1935 deletes that file...
You're right. The OSSF score was taken when that file was still present. Still, it was created by
I think Julien meant that this repo is not the Taskcluster repo, and any vulnerabilities here do not represent vulnerabilities in the CI system itself. The scope of this repo is more or less limited to the decision task. That said, I've been meaning to set up openssf here already and I don't see why we wouldn't want to fix these. Also, fwiw, openssf was a requirement in the recent fxci-config rra I did, so it seems prudent to get it going in general.
I think there's some investigation required too. I think last time I looked, openssf didn't know about pip-compile-multi, so it thought our dependencies weren't locked and gave us a bogus score. This might block on switching to poetry.
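The Scorecard findings quoted in this issue are easier to track and gate in CI once pulled out of the JSON report rather than read off the web UI. The script below is an added example written for this thread, not code from this repository or from the Scorecard project. It assumes the `scorecard --format json` layout (a top-level "checks" list whose records carry "name", "score", "reason" and "details", the last being a list of strings or null); the embedded sample report is constructed from the IDs listed above, and the advisory-ID regex and the baseline gate are my own additions.

```python
"""Pull OpenSSF Scorecard findings out of its JSON report and gate on new ones.

Added example for this thread, not code from this repository or from the
Scorecard project. Assumption: `scorecard --format json` emits a top-level
"checks" list whose items carry "name", "score", "reason" and "details"
(a list of strings, or null when a check has nothing to report). The
advisory-ID pattern and the baseline mechanism are my own.
"""
import json
import re

# Constructed sample standing in for real `scorecard --format json` output,
# trimmed to the Vulnerabilities check with the IDs quoted in this issue plus
# one passing check to show how a null "details" field is handled.
SAMPLE_REPORT = json.dumps({
    "checks": [
        {
            "name": "Vulnerabilities",
            "score": 0,
            "reason": "7 existing vulnerabilities detected",
            "details": [
                "Warn: Project is vulnerable to: GHSA-jjg7-2v4v-x38h",
                "Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95",
                "Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj",
                "Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56",
                "Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf",
                "Warn: Project is vulnerable to: GHSA-g4mx-q9vg-27p4 / PYSEC-2023-212",
                "Warn: Project is vulnerable to: GHSA-v845-jxx5-vc9f / PYSEC-2023-192",
            ],
        },
        {"name": "Pinned-Dependencies", "score": 10,
         "reason": "all dependencies are pinned", "details": None},
    ]
})

# GHSA, PYSEC and CVE identifiers as they appear in Scorecard detail lines.
ADVISORY_ID = re.compile(
    r"\b(?:GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|PYSEC-\d{4}-\d+|CVE-\d{4}-\d{4,})\b"
)


def load_checks(report_json: str) -> dict:
    """Map check name -> check record; a missing or malformed 'checks' key yields {}."""
    report = json.loads(report_json)
    checks = report.get("checks") or []
    return {c["name"]: c for c in checks if isinstance(c, dict) and "name" in c}


def vulnerability_ids(report_json: str) -> list[str]:
    """Advisory IDs named by the Vulnerabilities check, in report order, de-duplicated."""
    check = load_checks(report_json).get("Vulnerabilities")
    if check is None:
        return []
    found: dict[str, None] = {}
    for line in check.get("details") or []:   # "details" may be null
        for advisory in ADVISORY_ID.findall(line):
            found.setdefault(advisory)
    return list(found)


def failing_checks(report_json: str, threshold: int = 5) -> list[tuple[str, int, str]]:
    """(name, score, reason) for every check scoring below `threshold`."""
    return sorted(
        (name, c["score"], c.get("reason", ""))
        for name, c in load_checks(report_json).items()
        if isinstance(c.get("score"), int) and c["score"] < threshold
    )


def new_findings(report_json: str, baseline: set[str]) -> list[str]:
    """IDs in the report that are not in the accepted baseline; non-empty means fail CI."""
    return sorted(set(vulnerability_ids(report_json)) - baseline)


if __name__ == "__main__":
    for name, score, reason in failing_checks(SAMPLE_REPORT):
        print(f"{name}: {score}/10 ({reason})")
    for advisory in vulnerability_ids(SAMPLE_REPORT):
        print("  ", advisory)
    # A baseline of already-triaged IDs keeps the gate quiet until something new appears.
    baseline = {"GHSA-jjg7-2v4v-x38h"}
    print("new:", new_findings(SAMPLE_REPORT, baseline))
```

In practice the baseline would be a checked-in file of IDs the team has triaged (for example, ones that only affect a file the decision task no longer ships), so the gate only fires when Scorecard reports something not yet reviewed; the `Pinned-Dependencies` record is included in the sample because that is the check the pip-compile-multi comment above is concerned with, and `failing_checks` surfaces it alongside the vulnerability count when its score drops.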