
Comments (16)

solardiz avatar solardiz commented on June 21, 2024

> accept the access request you (probably) received some days ago?

Accepted.

from john-packages.

claudioandre-br avatar claudioandre-br commented on June 21, 2024

Thank you.


claudioandre-br avatar claudioandre-br commented on June 21, 2024

Done.


solardiz avatar solardiz commented on June 21, 2024

@claudioandre-br Somehow today I got the codefactor.io authorization again, and approved it again. What's worse, I don't see it among the approved third-party apps - I only see Azure Pipelines and Travis CI there. Also, the authorization request is worded as granting access to "private resources", which doesn't sound like something we actually want here (what private resources? we have no private repos).

Here's what those e-mails say:

> Subject: [GitHub] Third-party application approval request for "Openwall"
>
> @claudioandre-br has requested approval for a third-party application to access "Openwall" organization resources via the GitHub API:
>
> "codefactor.io" from CodeFactor
>
> Until it is approved, this application will have no access to private resources and will have read-only access to public resources belonging to your organization.

claudioandre-br avatar claudioandre-br commented on June 21, 2024

> Somehow today I got the codefactor.io authorization again,

I saw this happening more than once (you need to authorize twice). There are two connectors Github x Codefactor.

Don't ask why, I don't know the answer. Both link to my settings(?) page.

Now codefactor badge and repo grade are updated (so, things are fully working). It wasn't some time ago.


I guess we can use codefactor in private repositories. Since they don't exist, we are safe.

If you create one later, we can review or revoke the setting.

We can also revoke the access now and see what happens (it only needs to create a webhook once). No need to request to go to your medical doctor with you.


claudioandre-br avatar claudioandre-br commented on June 21, 2024

The remaining issues are listed below [1]:

[image]

[1] Ok, the content present here (the project itself) is simple.

  • these errors will stay "as is" for a while.
  • linters and static analysers are happy.
  • there is no solution for the first two.


solardiz avatar solardiz commented on June 21, 2024

> There are two connectors Github x Codefactor.

@claudioandre-br I hope those links you posted are not security-sensitive, but just in case we might want to remove them from here. The IDs in them appear specific to your account anyway, so not useful here.


claudioandre-br avatar claudioandre-br commented on June 21, 2024

> > There are two connectors Github x Codefactor.
>
> @claudioandre-br I hope those links you posted are not security-sensitive, but just in case we might want to remove them from here. The IDs in them appear specific to your account anyway, so not useful here.

Don't worry, if Github is drunk and you can access them, you need to provide 2FA/MFA.


solardiz avatar solardiz commented on June 21, 2024

> Don't worry, if Github is drunk and you can access them, you need to provide 2FA/MFA.

I meant that attacks on web apps often involve tricky and unexpected interactions of different things, and a copy of some normally secret material, even if not sufficient on its own, could turn out to be precisely the missing bit for a successful attack. But I don't worry much.


claudioandre-br avatar claudioandre-br commented on June 21, 2024

I removed it (also from history).


claudioandre-br avatar claudioandre-br commented on June 21, 2024

Follow up:

> the authorization request is worded as granting access to "private resources", which doesn't sound like something we actually want here (what private resources? we have no private repos).

Codefactor.io is an OAuth application. It's nothing or everything. I think this will get better some day; we all agree that the request is invasive.


An evolution:
On the other hand, Github Apps are better and allow us to narrow down the list of repositories properly:

[screenshot: Captura de tela de 2023-07-05 15-54-59]

Above, an example of another Github app (which does something else). Newer and better.

The wording is the same, but it allows people to adjust what is shared.


solardiz avatar solardiz commented on June 21, 2024

@claudioandre-br Do you suggest any specific action now? Do you need anything from me?


claudioandre-br avatar claudioandre-br commented on June 21, 2024

No, thanks.

Github should enforce best practices and all these companies (codefactor is the focus now) should invest in improvements.


solardiz avatar solardiz commented on June 21, 2024

@claudioandre-br I mean, do we possibly need to revoke permissions? If you're not going to use this app.


claudioandre-br avatar claudioandre-br commented on June 21, 2024

I'm afraid it will stop working properly sometime if we revoke the permissions. But, if you feel uncomfortable with the current permissions, I think you can revoke without removing.

I enjoy the checking they are doing.


solardiz avatar solardiz commented on June 21, 2024

@claudioandre-br Oh, OK. I think I misinterpreted some of what you wrote. I'll leave things as they are for now.

