Indexing and queryable database #58
The security-audits collection is part of the OpenSSF Security Threats WG efforts. We just met August 18, but you're welcome to join the next meeting, Sep 1, 1-2pm US Eastern Time (adjust for your timezone). I've added this as an agenda item for the next meeting. Email Michael Scovetta for the details, michael.scovetta .AT. microsoft.com. You don't need to wait for that. I suggest sending an email to the mailing list: https://lists.openssf.org/g/openssf-wg-security-threats to start that discussion. The Security Threats WG already has to link the scorecards work with the audit reports, to implement metrics.openssf.org, so this is already a problem we have to address. Ideas on how to make it better would be received with great interest. Or you could use the API we already have. Let's talk!!
Great. I'll start a thread on the mailing list. I need to try the API you have first. I'm OOO on 1 Sept, but I'll join the following meeting.
The easy way is to just query metrics.openssf.org - it has a REST API & indexes this. E.g.,
I think that querying metrics.openssf.org is the right answer. If that doesn't work for you, please explain!
I've heard talk that the metrics.openssf.org API might be deprecated at some point. Is this accurate? @david-a-wheeler
Yep, I think there's general consensus that the implementation now at metrics.openssf.org would be superseded by something better. Either way, yes, there should be a way to query security reviews -- and this should have a clean, long-term stable API. In the longer term, I've been thinking about maybe using SCITT (SCIM) as a data store for facts about a package/project -- perhaps even the raw security review data. There's a lot to discuss and iron out, but it's one route we can go down at some point.
I really like the idea of sharing security audit reports: it's both useful to 1) learn common mistakes to avoid and 2) assess the security practices of projects.
I work on the ossf's scorecard project, and we could surface this information in a new scorecard check "Manual Security Audit". For this, we need an API and unique naming for projects and reports.
The documentation is unclear about naming. For example, a security review of Django could be placed in the pypi/django path, and a review of Zlib could be placed in the github/madler/zlib path.
GitHub is great for storing data, but not so much for indexing it. There are also API quotas for using APIs, which are restricting (scorecard is struggling to scale because of this).
Is there an ossf meeting for this project to discuss it?