diff --git a/checks/permissions.go b/checks/permissions.go index 7aab6c5ab078..3c44ac07ec40 100644 --- a/checks/permissions.go +++ b/checks/permissions.go @@ -248,7 +248,7 @@ func calculateScore(result permissionCbData) int { // Start with a perfect score. score := float32(checker.MaxResultScore) - // If not top level permissions are defined... + // If no top level permissions are defined... if permissionIsPresentInTopLevel(result, "all") { switch permissionIsPresentInRunLevel(result, "all") { case true: diff --git a/docs/checks.md b/docs/checks.md index 006cba878434..e560430243c4 100644 --- a/docs/checks.md +++ b/docs/checks.md 
@@ -330,6 +330,31 @@ is therefore not a definitive indication that the project is at risk. **Remediation steps** - Integrate the project with OSS-Fuzz by following the instructions [here](https://google.github.io/oss-fuzz/). +## LicenseCheck + +Risk: `Low` (possible impediment to security review) + +This check tries to determine if the project has published a license. It +works by checking standard locations for a file named according to common +conventions for licenses. + +A license can give users information about how the source code may or may +not be used. The lack of a license will impede any kind of security review +or audit and creates a legal risk for potential users. + +This check will detect files in the top-level directory with any combination +of the following names and extensions:`LICENSE`, `LICENCE`, `COPYING`, +`COPYRIGHT` and .html, .txt, .md. It will also detect these files in a +directory named `LICENSES`. (Files in a `LICENSES` directory are typically +named as their [SPDX](https://spdx.org/licenses/) license identifier followed +by an appropriate file extension, as described in the [REUSE](https://reuse.software/spec/) Specification.) + + +**Remediation steps** +- Determine [which license](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository) to apply to your project. +- Create the license in a .txt, .html, or .md file named LICENSE or COPYING, and place it in the top-level directory. +- Alternately, create a `LICENSE` directory and add license files with a name that matches your [SPDX license identifier](https://spdx.dev/ids/). + ## Maintained Risk: `High` (possibly unpatched vulnerabilities) 
@@ -547,6 +572,9 @@ yaml file are set as read-only at the [top level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions) and the required write permissions are declared at the [run-level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions). +One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not. The reasoning +is that even though this configuration is secure, there is a chance that when a new job is added to the workflow, +job permissions are not defined because of human error. The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available. diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 0558caa680f0..7114f5c3d155 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -632,9 +632,9 @@ checks: [top level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions) and the required write permissions are declared at the [run-level](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions). - A score of 9 is awarded if all jobs have their permissions defined but the top level permissions are not. The reasoning + One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not. The reasoning is that even though this configuration is secure, there is a chance that when a new job is added to the workflow, - permissions are not defined because of human error. + job permissions are not defined because of human error. The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available.
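Review bot: In the `checks/permissions.go` hunk, the corrected comment "If no top level permissions are defined..." sits above a condition that checks for the presence of `"all"` in the top-level permissions, so a reader still has to know that `"all"` is the sentinel for "nothing declared at the top level". Worth extending the comment to say so explicitly, e.g. `// If no top-level permissions are defined (recorded as "all")...`, so the comment and the condition read consistently.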
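Review bot: In the `docs/checks.md` LicenseCheck hunk, the detection paragraph says files are also found in a directory named `LICENSES`, but the third remediation step tells users to "create a `LICENSE` directory"; one of the two is wrong and should match the other (the REUSE specification linked in the same paragraph uses `LICENSES`). Two smaller points in the same hunk: "extensions:`LICENSE`" is missing a space after the colon, and there is a doubled blank line before "**Remediation steps**" where the neighbouring sections use a single one.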
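Review bot: In the `docs/checks.md` Token-Permissions hunk, "One point is reduced from the score if ..." reads awkwardly; "The score is reduced by one point if all jobs have their permissions defined but the top-level permissions are not" states the same rule more directly. The added lines are otherwise wrapped to the same width as the surrounding text, which is fine.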
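Review bot: In the `docs/checks/internal/checks.yaml` hunk, replacing the hard-coded "A score of 9 is awarded" with a relative "one point is reduced" is the right direction, since the `calculateScore` function in the first hunk starts from `checker.MaxResultScore` rather than a literal 10; the wording should still be tightened the same way as in `docs/checks.md` ("The score is reduced by one point if ..."). If `docs/checks.md` is generated from this yaml file, please confirm the markdown in this PR was regenerated rather than edited by hand so the two stay byte-identical.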