Packaging

ID

openssf_scorecard/packaging

Severity

high

Category

Levels

Optional

false

Tags

releases, security, supply-chain

Description

Does the project build and publish official packages from CI/CD?

This check tries to determine if the project is published as a 'package' or 'deployment unit'.

You can create a 'package' or 'deployment unit' in several ways:

  • Many programming language ecosystems have a widely used packaging format, supported by a language-level package manager tool and a public package repository.

  • Many operating system platforms also have at least one package format, tool, and public repository (in some cases the source repository generates system-independent source packages, which others then use to build executable packages for a specific system).

  • Using container images.

Rationale

Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. In particular, they make it easy for users to receive security patches as updates.

When a project does not distribute updates via a package manager, users may miss security updates.

Other recommendations aimed at hardening a project against supply-chain attacks may seem to contradict this check: version pinning is commonly advised so that a malicious or compromised component is not pulled in unintentionally. The two are not in conflict. Component updates should be easy to perform, but in general they should not be applied blindly or automatically; a pinned dependency is bumped deliberately once the new version has been reviewed.

Verification

The check currently looks for CI workflows and language-specific commands that upload the package to the corresponding registry, such as npm or PyPI. It inspects the workflow definitions, not the artifacts actually published, so a project that releases by another route may be reported as failing.

Remediation

  • Publish your project as a downloadable package. This is typically done in a CI workflow that packages the component and publishes it to a component repository or package registry. Follow the packaging instructions of the target language-specific package manager to turn the software assets into a deployable package.

Some SCM platforms provide package registries that are often used for internal components, but FOSS components are typically published to the public language-specific repositories such as npm, PyPI, Maven Central and so on. There are also commercial products for enterprise artifact repositories, such as Sonatype Nexus or JFrog Artifactory.

Example: if the project is hosted on GitHub, use GitHub's mechanisms for publishing a package. To publish to the GitHub Packages registry, follow GitHub's documentation for that registry.
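The following is an added example, not part of this page or of the Scorecard project's own code. It serves both the Verification section (how a workflow-scanning check of this kind can decide whether a project publishes from CI) and the Remediation section (what a publishing workflow looks like). The two GitHub Actions workflows embedded below are constructed for the example: one builds and publishes a Python package to PyPI, the other only builds and tests. The list of publishing signals is an illustrative subset chosen for this example, not the real check's list, and the line-based parsing is a simplification so that no YAML library is needed.

```python
"""Scan GitHub Actions workflow text for steps that publish a package.

Added example: an illustrative subset of publishing signals and a
simplified, line-based workflow parser. Not the real Scorecard check.
"""
import re

# Assumption: illustrative subset of the actions/commands a packaging
# check might treat as "publishes a package". (kind, pattern, description)
PUBLISH_SIGNALS = [
    ("uses", re.compile(r"^pypa/gh-action-pypi-publish@"), "PyPI via official action"),
    ("uses", re.compile(r"^goreleaser/goreleaser-action@"), "GoReleaser"),
    ("run", re.compile(r"\btwine\s+upload\b"), "PyPI via twine"),
    ("run", re.compile(r"\bnpm\s+publish\b"), "npm registry"),
    ("run", re.compile(r"\bcargo\s+publish\b"), "crates.io"),
    ("run", re.compile(r"\bgem\s+push\b"), "RubyGems"),
    ("run", re.compile(r"\bmvn\b.*\bdeploy\b"), "Maven repository"),
    ("run", re.compile(r"\bdocker\s+push\b"), "container registry"),
]


def _extract_steps(workflow_text):
    """Yield ('uses', value) and ('run', script) pairs from workflow text.

    Handles 'uses: x', 'run: cmd' and the 'run: |' block-scalar form by
    collecting the more-indented lines that follow the key.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        item = line.strip().lstrip("- ").strip()   # drop list dash
        i += 1
        for key in ("uses", "run"):
            prefix = key + ":"
            if not item.startswith(prefix):
                continue
            value = item[len(prefix):].strip()
            if key == "run" and value in ("|", "|-", ">", ">-"):
                key_indent = line.index("run:")
                body = []
                while i < len(lines) and (
                    not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > key_indent
                ):
                    body.append(lines[i].strip())
                    i += 1
                value = "\n".join(body)
            yield key, value
            break


def find_publish_steps(workflow_text):
    """Return [(description, matched step text)] for each publishing step."""
    found = []
    for kind, value in _extract_steps(workflow_text):
        for sig_kind, pattern, desc in PUBLISH_SIGNALS:
            if kind == sig_kind and pattern.search(value):
                found.append((desc, value.strip()))
    return found


def is_published_from_ci(workflows):
    """workflows: {filename: text}. True if any workflow publishes a package."""
    return any(find_publish_steps(text) for text in workflows.values())


# Constructed sample: build job produces the artifacts, a separate job with
# an OIDC token publishes them to PyPI. Pinning the action to a commit SHA
# instead of a branch/tag is preferable, in line with the pinning advice above.
PUBLISH_WORKFLOW = """
name: Release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

# Constructed sample: builds and tests only, so the check should not count it.
BUILD_ONLY_WORKFLOW = """
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: python -m pip install .
      - run: python -m pytest
"""

if __name__ == "__main__":
    for name, text in {"release.yml": PUBLISH_WORKFLOW, "ci.yml": BUILD_ONLY_WORKFLOW}.items():
        print(name, find_publish_steps(text))
```

Running the block reports the PyPI publish step in release.yml and nothing for ci.yml. Note what this kind of scan cannot see: a release published manually from a maintainer's laptop, or a workflow that calls a wrapper script whose name is not in the signal list, both come back as "no package", which is why the Small Print below says a FAIL is not a definitive finding.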

Small Print

There are many ways to package software, and it is challenging for an automated tool to detect them all. A FAIL status is therefore not a definitive indication that the project is at risk.