Suggest hash-pin GitHub Actions with sensitive permissions and a Dependency-Update-Tool about libevent HOT 5 OPEN

Hi @diogoteles08

I see you point, but I don't want to maintain this deps manually.
How serious this flaw is in your opinion?

P.S. libevent uses more or less trusted plugins

from libevent.

Hi @azat!

First, answering your question:
According to Scorecard Documentation, Pinning your dependencies is a measure of Medium priority. Considering your specific case, I'd also say it'd fit as a flaw of medium risk, considering that you indeed have dangerous permissions with unpinned deps, but those deps are quite trustful (e.g. the ones from github itself).

Now complementing my answer:

I'm not sure I understood what you meant by "maintain the deps manually", but are you considering the help from the Dependency-Update-Tools? They would make sure to automatically create PRs updating your dependencies at the pace that conveys to your demands. I.e., we can configure it to create PRs only updating major versions, only minors, only security updates, etc.

That said, having a Dependency-Update-Tool is also a requirement from Scorecard, and one of High priority (mostly for making sure you'd have access to security updates as soon as they're released). So I'd suggest that you consider this, independently of your decision around hash-pinning the dependencies =).

Let me know your thoughts and I can act on a PR with whatever you decide.

from libevent.

I'm not sure I understood what you meant by "maintain the deps manually", but are you considering the help from the Dependency-Update-Tools? They would make sure to automatically create PRs updating your dependencies at the pace that conveys to your demands. I.e., we can configure it to create PRs only updating major versions, only minors, only security updates, etc.

To be honest, I don't see the difference in this case, from my point of view, it will improve the security only if someone will take a look at the plugins/changes before update, if some bot will do this, then it does not looks better then simply using official tags.

from libevent.

Hi @azat, That's a very valid concern and we have even created the issue ossf/scorecard#3549 to clarify this differences (we're still pending to update the issue with our conclusions).

The main advantage is that by hashpinning dependencies and using a Dependency-Update-Tools, your dependencies won't be updated right after the new version is released. So you have a larger time period to ensure any malicious releases are detected by the community before they're consumed by your project.

As an example, consider this attack on python ecosystem. In summary, the ctx python package was compromised and the project reference in pypi was replaced by a malicious version -- i.e., every project that installed this dependency without proper pinning had the malicious version installed. This ctx problem was detected by the community ~1 week after the attack.

Considering the example, if the dependency was pinned and a Dependency-Update-Tool was used, there would be considerabe changes that the problem would be detected before the new version was suggested to you and/or you merged the Dependabot PR. That's even clearer when you consider that Dependabot doesn't suggest updates to version that has a CVE registered, and you could also choose to update your versions only after some time the new version was released.

from libevent.