-
Notifications
You must be signed in to change notification settings - Fork 24
Design
The project will consist of a set of data collectors, and API endpoint, a database for storing the data collected, and an application for displaying that data in interesting way.
For the initial (MVP) release, the following collectors will be implemented:
- OpenSSF Scorecard
- OpenSSF Best Practices Criteria
- Project Releases (using the GitHub and the libraries.io API)
- Distinct Committers
- Security Reviews
Source code for these collectors is available on TBD, but will be run from a trusted virtual machine.
We'll use public data collected by the OpenSSF Scorecard project, refreshed periodically (daily? weekly?)
We'll leverage the Security Reviews project, cloned and refreshed nightly.
The API endpoint currently serves one purpose -- to abstract away database details from the collectors. One route is available, called AddMetric. It must be called (via POST) with JSON content that conforms to the following format:
{
"package_url": "pkg:npm/left-pad",
"key": "openssf.metadata.homepage",
"operation": "replace",
"values": [
{
"value": "https://example.com",
"timestamp": "2020-12-28 07:06:06.745358"
"properties": {
"source": "libraries.io"
}
}
]
}
The operation field can either be replace or insert. If it is replace, then existing rows (for the given package_url and key) are removed prior to the new set of rows being added.
The values array will often contain only a single structure, but for cases like openssf.version, it would contain one structure for each version published.
This API call will return JSON that will convey the result of the operation.
For the MVP, the endpoint will require a secret key to be passed in along with the request. This will be improved post-MVP.
The database is a "plain" PostgreSQL database with a single table called metrics:
CREATE TABLE public.metrics
(
id bigserial,
package_url text NOT NULL,
key text NOT NULL,
value text,
"timestamp" timestamp without time zone NOT NULL,
properties jsonb,
CONSTRAINT metrics_pkey PRIMARY KEY (id)
)
The package_url column contains a valid Package URL, such as pkg:npm/left-pad or pkg:github/madler/zlib. By convention, these Package URLs will be without a version.
The key column corresponds to the type of metric in this row. Currently used keys are:
-
openssf.metadata.homepage- The home page of a project -
openssf.metadata.description- The description of a project -
openssf.version- A released version of a component (from libraries.io) -
openssf.version.github.release- A GitHub release -
openssf.version.github.tag- A GitHub tag -
openssf.scorecard.raw.*- Metrics coming from the OpenSSF Scorecard. The last part is taken directly from the Scorecard output (CheckName, converted to lowercase).openssf.scorecard.raw.activeopenssf.scorecard.raw.ci-testsopenssf.scorecard.raw.cii-best-practicesopenssf.scorecard.raw.code-reviewopenssf.scorecard.raw.contributorsopenssf.scorecard.raw.frozen-depsopenssf.scorecard.raw.fuzzingopenssf.scorecard.raw.pull-requestsopenssf.scorecard.raw.sastopenssf.scorecard.raw.security-policyopenssf.scorecard.raw.signed-releasesopenssf.scorecard.raw.signed-tags
-
metrics.development.contributors.unique[90d]- Number of unique code contributors in the past 90 days -
metrics.development.contributors.unique[365d]- Number of unique code contributors in the past 365 days -
security-review- Content of a security review -
openssf.bestpractice.raw.*- Metrics coming from the OpenSSF Best Practices Criteria. The full list can be found in the JSON output of the Best Practices API](https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/api.md).
The value column is TEXT, and contains the primary quality indicator for the corresponding key.
The timestamp column should contain the most relevant date/time that the metric reflects.
The properties column is a JSON (technically jsonb) structure that can contain arbitrary data.
The dashboard application will use the open source version of Grafana. Anonymous viewer access will be enabled, and editor access will be available to members of the OpenSSF that will work on this project.
A development version of this application is currently available at: https://openssf-security-dashboard-dev1.westus2.cloudapp.azure.com/