chore(security): close residual OSSF Scorecard Pinned-Dependencies gaps after #401 and #493 #496

Description

@WilliamBerryiii

Affected Component

OSSF Scorecard Pinned-Dependencies check (currently normalized to 8/10).

Context

After PRs #401 (requirements.lock for Python tooling) and #493 (awk → cut plus DL3006 suppression on the OSS-Fuzz base image) merge, the Scorecard Pinned-Dependencies check still reports the following unpinned items. None of them are covered by an existing open issue.

This issue tracks closing every remaining gap so the check can return to 10, with the single permanent exception of the OSS-Fuzz upstream base image (no digest published; deduction is unavoidable).

Residual Findings

containerImage — 2 unpinned (excluding the OSS-Fuzz exception)

  • src/500-application/509-sse-connector/services/connector-test-client/Dockerfile:1 — pin mcr.microsoft.com/azurelinux/base/python:3.12 to @sha256:8300706a0e644a7e260b6a464a1ae3967181ee9057a4accceaaf0ecdedb1d4a2
  • src/500-application/509-sse-connector/services/sse-server/Dockerfile:1 — same pin

pipCommand — 4 unpinned

  • src/500-application/510-onvif-connector/services/camera-dashboard/Dockerfile:18 — switch pip install -r requirements.txt to pip install --require-hashes -r requirements.txt; regenerate requirements.txt with uv pip compile --generate-hashes (matches the pattern already used by sibling SSE services)
  • .clusterfuzzlite/build_python.sh:31 — pin the pyinstaller fallback install to pyinstaller==<ver> with --require-hashes against a tracked hash file
  • .clusterfuzzlite/build_python.sh:35 — same treatment for atheris
  • .clusterfuzzlite/build_python.sh:44 — pip install -r requirements.txt for harness service deps; depends on each harness service shipping a hashed requirements.txt. Scope this as "use --require-hashes and require harness services to provide hashed requirements"

npmCommand — 2 unpinned

  • .clusterfuzzlite/build_js.sh:24 — replace npm install --no-audit --no-fund with npm ci; requires committing package-lock.json for src/500-application/513-tiered-notification-service
  • .github/workflows/docs-automation.yml:110 — replace npm install -g markdown-link-check@3.14.2 with either:
    • a package-lock.json-backed npm ci + npx markdown-link-check, or
    • a pinned GitHub Action equivalent (e.g. gaurav-nelson/github-action-markdown-link-check@<sha>), which moves the dependency from npmCommand to the already-100%-pinned GitHubAction category

downloadThenRun — 2 unpinned

  • src/100-edge/100-cncf-cluster/scripts/k3s-device-setup.sh:214 — curl -sfL https://get.k3s.io | sh -. Refactor to: download the installer to disk, verify SHA256 against a constant tracked alongside the pinned K3S_VERSION, then exec
  • src/100-edge/100-cncf-cluster/scripts/k3s-device-setup.sh:227 — curl -LO https://dl.k8s.io/release/.../kubectl. Refactor to: fetch the version-matched checksum file from dl.k8s.io, verify the downloaded binary, then install
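The download-to-disk, verify, then exec pattern proposed for both k3s-device-setup.sh findings, as an added shell example that is not the repository's own script. The helper names, the temp-file flow and the checksum-file handling are assumptions; the expected digest would be a constant tracked next to the pinned K3S_VERSION.

```shell
#!/bin/sh
# Added example: hardened replacement for "curl ... | sh -" (not the repo's code).
set -eu

# Compare a file on disk against an expected SHA-256 hex digest.
# Returns 0 on match, 1 on mismatch; never executes the file.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# k3s case: download the installer to disk, verify against a pinned constant,
# and only then run it. A changed upstream script fails closed here.
fetch_verify_exec() {
  url="$1"; expected="$2"
  dest="$(mktemp)"
  curl -sfL "$url" -o "$dest"
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
  sh "$dest"
  rm -f "$dest"
}

# kubectl case: the version-matched .sha256 file from dl.k8s.io holds a single
# digest; read it and compare before installing the binary.
verify_with_checksum_file() {
  file="$1"; checksum_file="$2"
  expected="$(cut -d' ' -f1 < "$checksum_file")"
  verify_sha256 "$file" "$expected"
}

# Usage (network required; KUBECTL_VERSION is a hypothetical pinned variable):
#   fetch_verify_exec https://get.k3s.io "$K3S_INSTALLER_SHA256"
#   curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
#   curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
#   verify_with_checksum_file kubectl kubectl.sha256 && install -m 0755 kubectl /usr/local/bin/kubectl
```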

Permanent Exception

Acceptance Criteria

  • All non-exception findings above resolved
  • OSSF Scorecard Pinned-Dependencies check reports 9.7+ (10 minus the OSS-Fuzz deduction)
  • CI green: container builds, k3s device setup script lint, fuzz workflow

Dependencies

References

Metadata

Labels

ossf-compliance (OpenSSF security compliance), security (Security-related changes or concerns)
