Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scorecards indicators in Thoth recommendations [Tracker] #289

Closed
3 of 23 tasks
pacospace opened this issue Jun 14, 2021 · 13 comments · Fixed by thoth-station/prescriptions-refresh-job#14
Closed
3 of 23 tasks

Scorecards indicators in Thoth recommendations [Tracker] #289

pacospace opened this issue Jun 14, 2021 · 13 comments · Fixed by thoth-station/prescriptions-refresh-job#14
Assignees
@KPostOffice @pacospace @sesheta
Labels
kind/feature Categorizes issue or PR as related to a new feature. kind/key-result This is a Key Result we want to achieve. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@pacospace
Copy link
Contributor

pacospace commented Jun 14, 2021
edited
Loading

GOAL: Provide Code Review justifications for each dependency used
thoth-station/thamos#868

To include these indicators in the recommendations, these data needs to be collected for each pypi project linked to GitHub repo, in the best case this can be done per tag.

Steps

Part 1

Part 2

  • 1. Create a new handler for Ceph for this new data;
  • 2. Create new table to sync scorecards;
  • 3. Create new sync logic in database to sync new data (update logic);
  • 4. new thoth-storages release
  • 5. create a new workflow ScoreCardAnalysis workflow with tasks:
    5.1. Run scorecards and get json data. ( ./scorecard --repo https://github.com/thoth-station/adviser --checks=CI-Tests,Code-Review --format json --show-details)
    5.2. graph sync score cards reports
  • 6. create new common methods to schedule the new workflow;
  • 7. new thoth-common release
  • 8. Add step to solver workflow: Run solver project url job to find candidates URL from solver document;
  • 9.create message in thoth-messaging ScoreCardAnalysisMessage
  • 10. new thoth-messaging release
  • 11. Add task in solver to trigger ScoreCardAnalysisMessage after URLs candidates are discovered (if any)
  • 12. Add consumer and metrics to investigator for new message that is used to schedule ScoreCardAnalysis workflow
  • 13. Add env variable to disable/enable this workflow in investigator.
  • 14. new investigator release
  • 15. Restart security indicators;

Part 3

  • Create logic in adviser to provide justification for security recommendation that consider scorecards;

Enhancments: ossf/scorecard#575
@pacospace pacospace added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 14, 2021
@fridex
Copy link
Contributor

fridex commented Jun 14, 2021

What's the priority of this? CC @goern

@goern
Copy link
Member

goern commented Jun 15, 2021

I created a new GitHub app https://github.com/apps/baboon-the-sourcerer and put the secrets at https://github.com/thoth-station/thoth-application/blob/master/baboon/base/secrets.enc.yaml

@goern
Copy link
Member

goern commented Jun 15, 2021

/priority important-soon

@sesheta sesheta added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jun 15, 2021
@fridex
Copy link
Contributor

fridex commented Jun 15, 2021

I created a new GitHub app https://github.com/apps/baboon-the-sourcerer and put the secrets at https://github.com/thoth-station/thoth-application/blob/master/baboon/base/secrets.enc.yaml

Do we have a higher priority work than this?

@goern
Copy link
Member

goern commented Jun 15, 2021

ja, there are 8 critical-urgent and 80 important-soon issues in our org.

@fridex
Copy link
Contributor

fridex commented Jun 15, 2021

ja, there are 8 critical-urgent and 80 important-soon issues in our org.

So why there is time spent on this? What is the value of this?

@goern
Copy link
Member

goern commented Jun 15, 2021

good point, a) I'll keep an eye on the critical issues b) @riekrh asked if we can have a look at more security-related indicators bringing more Sec in DevOps. Given the software infrastructure we have for bandit-based SI, I put a soon'ish prior on it for us to explore how to add scorecard-related indicators. c) always feel free to re-prioritize, it's in important sentiment we should share!

@fridex
Copy link
Contributor

fridex commented Jun 15, 2021

IMHO computing and ingesting dependency information data should be prioritized now + have the data lifecycle management in prod done. That way we can keep up with rhel/ubi/fedora releases to support thoth users = we will be able to give recommendations on these runtime environments. Once this will be in place, adding additional information to the recommendations is a manner of evaluating suitability of data and eventually plugging in other data sources. Unless we have dependency data (which btw https://deps.dev/ do not have as of now) any other data are not directly valuable to recommendations we do.

@pacospace
Copy link
Contributor Author

Related-To: ossf/scorecard#575

@goern goern added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Aug 16, 2021
@fridex fridex mentioned this issue Sep 8, 2021
Merged
1 task
@sesheta
Copy link
Member

sesheta commented Sep 15, 2021

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

@sesheta
Copy link
Member

sesheta commented Sep 15, 2021

@sesheta: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sesheta sesheta closed this as completed Sep 15, 2021
@pacospace pacospace reopened this Sep 15, 2021
@sesheta sesheta added the needs-triage Indicates an issue or PR lacks a `triage/...` label and requires one. label Sep 15, 2021
@goern goern added the kind/key-result This is a Key Result we want to achieve. label Oct 5, 2021
@goern
Copy link
Member

goern commented Oct 5, 2021

/triage accepted

Let's put this for Q4 as a key result, syn?

@sesheta sesheta added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/...` label and requires one. labels Oct 5, 2021
@codificat
Copy link
Member

The solution currently proposed is to use prescriptions for this. See a detailed explanation
here

@codificat codificat mentioned this issue Oct 13, 2021
Open
3 tasks
@harshad16 harshad16 moved this to Completed in SIG-DevSecOps Sep 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KPostOffice KPostOffice

@pacospace pacospace

@sesheta sesheta

Labels
kind/feature Categorizes issue or PR as related to a new feature. kind/key-result This is a Key Result we want to achieve. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
No open projects
SIG-DevSecOps
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add prescriptions related to Security Scorecards fridex/prescriptions-refresh-job
6 participants
@goern @codificat @fridex @KPostOffice @pacospace @sesheta