{"date":"2024-03-19","repo":{"name":"github.com/google/clusterfuzz","commit":"4867a3b9f71068edfa808d9a9ec283a83bd18a51"},"scorecard":{"version":"v4.10.2","commit":"376f465c111c39c6a5ad7408e8896cd790cb5219"},"score":6.5,"checks":[{"name":"Binary-Artifacts","score":0,"reason":"binaries present in source code","details":["Warn: binary detected: local/bin/golint:1","Warn: binary detected: resources/platform/android/aapt:1","Warn: binary detected: resources/platform/android/adb:1","Warn: binary detected: resources/platform/android/fastboot:1","Warn: binary detected: resources/platform/linux/chrpath:1","Warn: binary detected: resources/platform/linux/libstdc++.so.6:1","Warn: binary detected: resources/platform/linux/llvm-symbolizer:1","Warn: binary detected: resources/platform/linux/minijail0:1","Warn: binary detected: resources/platform/linux/radamsa/libradamsa.so:1","Warn: binary detected: resources/platform/linux/unshare:1","Warn: binary detected: resources/platform/mac/llvm-symbolizer:1","Warn: binary detected: resources/platform/windows/handle.exe:1","Warn: binary detected: resources/platform/windows/llvm-symbolizer.exe:1","Warn: binary detected: src/clusterfuzz/_internal/bot/fuzzers/bin/linux/radamsa:1","Warn: binary detected: src/clusterfuzz/_internal/bot/fuzzers/bin/mac/radamsa:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/afl-analyze:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/afl-fuzz:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/afl-gotcpu:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/afl-showmap:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/afl-tmin:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/always_crash_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/assert_fail:1","Warn: binary 
detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/easy_crash_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/return_code_255:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/afl/data/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/__extra_build/clusterfuzz_format_target:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/__extra_build/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/centipede:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/clusterfuzz_format_target:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/clusterfuzz_format_target_sanitized:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/minimize_me_fuzz_target:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/centipede/test_data/test_fuzzer_sanitized:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/honggfuzz/test_data/always_crash_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/honggfuzz/test_data/fuzz_netdriver_crash:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/honggfuzz/test_data/honggfuzz:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/honggfuzz/test_data/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/always_crash_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/analyze_dict_fuzzer:1","Warn: binary detected: 
src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/android/always_crash_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/android/analyze_dict_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/android/crash_with_A_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/android/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/check_out:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/check_tmp:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/crash_with_A_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/exit_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/fuzzers/libFuzzer/data/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/tasks/utasks/corpus_pruning_task_data/build/test_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/untrusted_runner/test_data/test_build/binary:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/untrusted_runner/test_data/test_build/do_stuff_fuzzer:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/bot/untrusted_runner/test_data/test_build/target:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/build_management/build_manager_data/rpath_existing_msan/app:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/build_management/build_manager_data/rpath_libfuzzer/target_1:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/build_management/build_manager_data/rpath_libfuzzer/target_2:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/build_management/build_manager_data/rpath_new/app:1","Warn: binary detected: 
src/clusterfuzz/_internal/tests/core/build_management/build_manager_data/rpath_prepend_to_existing/app:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/platforms/android/sanitizer_data/libclang_rt.asan-aarch64-android.so:1","Warn: binary detected: src/clusterfuzz/_internal/tests/core/platforms/android/sanitizer_data/libclang_rt.asan-arm-android.so:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":1,"reason":"branch protection is not maximal on development and all release branches","details":["Warn: 'force pushes' enabled on branch 'master'","Info: 'allow deletion' disabled on branch 'master'","Warn: settings do not apply to administrators on branch 'master'","Info: status checks require up-to-date branches for 'master'","Warn: 'last push approval' disabled on branch 'master'","Warn: no status checks found to merge onto branch 'master'","Warn: number of required reviewers is only 1 on branch 'master'","Warn: stale review dismissal disabled on branch 'master'","Warn: codeowner review is not required on branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":9,"reason":"20 out of 22 merged PRs checked by a CI test -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: 
in_progress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":2,"reason":"6 out of last 30 changesets reviewed before merge -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"21 different organizations found -- score normalized to 10","details":["Info: contributors work for AFLplusplus,AVULN,BalalaikaCr3w,GoogleCloudPlatform,NoiSeBit,WebAssembly,arc-bits-goa,bytedance,computeranonymous,google,google inc,googlers,hackerschoice,hcs,leetchicken,llvm,recursecenter,rubyforgood,the hacker's choice | mh-sec | me | myself,v8,w3c"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: Dependabot detected: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 25 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub publishing workflow used in run https://api.github.com/repos/google/clusterfuzz/actions/runs/4120598232: .github/workflows/publish-to-pypi.yaml:23"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/codeql-analysis.yml/master?enable=pin","Warn: 
GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/tests.yaml/master?enable=pin","Warn: containerImage not pinned by hash: docker/base/Dockerfile:17: pin your Docker image by updating ubuntu:16.04 to ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6","Warn: containerImage not pinned by hash: docker/base/Dockerfile:26: pin your Docker image by updating ubuntu to ubuntu@sha256:77906da86b60585ce12215807090eb327e7386c8fafb5402369e421f44eff17e","Warn: containerImage not pinned by hash: docker/chromium/base/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/chromium/builder/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/chromium/high-end/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/chromium/base to 
gcr.io/clusterfuzz-images/chromium/base@sha256:cf25189fe068390fb6c5b294d3bd4e8aef8b7cce5967133fbe2fb2b010982a22","Warn: containerImage not pinned by hash: docker/chromium/python-profiler/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/chromium/base to gcr.io/clusterfuzz-images/chromium/base@sha256:cf25189fe068390fb6c5b294d3bd4e8aef8b7cce5967133fbe2fb2b010982a22","Warn: containerImage not pinned by hash: docker/chromium/tests-syncer/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/ci/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/fuchsia/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/high-end/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/oss-fuzz/base/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: containerImage not pinned by hash: docker/oss-fuzz/host-high-end/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/oss-fuzz/host to gcr.io/clusterfuzz-images/oss-fuzz/host@sha256:7926955c243fec9138ffe9ea191dcafba7fbf87831b2d68bef18c0610623d8bc","Warn: containerImage not pinned by hash: docker/oss-fuzz/host/Dockerfile:14: pin your Docker 
image by updating gcr.io/clusterfuzz-images/oss-fuzz/base to gcr.io/clusterfuzz-images/oss-fuzz/base@sha256:e521bc662ad537dae3accceaf423c519c7602ad4228a606d3ac1eba2ae00c15c","Warn: containerImage not pinned by hash: docker/oss-fuzz/worker/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/oss-fuzz/base to gcr.io/clusterfuzz-images/oss-fuzz/base@sha256:e521bc662ad537dae3accceaf423c519c7602ad4228a606d3ac1eba2ae00c15c","Warn: containerImage not pinned by hash: docker/utask-main-scheduler/Dockerfile:14: pin your Docker image by updating gcr.io/clusterfuzz-images/base to gcr.io/clusterfuzz-images/base@sha256:cbe0cd7e1941d60b3225e83e4e92b3a60269d382df950558dab9644a2b7c7c66","Warn: npmCommand not pinned by hash: docker/ci/Dockerfile:38","Warn: pipCommand not pinned by hash: configs/test/bot/setup/android.bash:99","Warn: pipCommand not pinned by hash: configs/test/bot/setup/linux.bash:94","Warn: pipCommand not pinned by hash: configs/test/bot/setup/mac.bash:87","Warn: pipCommand not pinned by hash: configs/test/gce/android-init.bash:100","Warn: npmCommand not pinned by hash: local/install_deps_macos.bash:35","Warn: npmCommand not pinned by hash: local/install_python_deps_linux.bash:53","Warn: pipCommand not pinned by hash: .github/workflows/publish-to-pypi.yaml:39","Info: Third-party GitHubActions are pinned","Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles","Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commmits","details":["Warn: 0 commits out of 22 are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project 
uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: Found linked content in security policy: github.com/google/.github/SECURITY.md","Info: Found text in security policy: github.com/google/.github/SECURITY.md","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md","Info: security policy detected in org repo: github.com/google/.github/SECURITY.md"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":["Warn: no GitHub releases found"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":9,"reason":"non read-only tokens detected in GitHub workflows","details":["Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/google/clusterfuzz/codeql-analysis.yml/master?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:26","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:27","Info: topLevel permissions set to 'read-all': .github/workflows/publish-to-pypi.yaml:20","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:11","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:20","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/scorecards.yml:21","Info: topLevel permissions set to 'read-all': .github/workflows/tests.yaml:18"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":-1,"reason":"internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: osvscanner.DoScan: vulnerabilities found","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#vulnerabilities"}}]}