Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards for Dart and Flutter projects
•
0 likes•121 views
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge. You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter. The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Report
Share
More Related Content
Similar to Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards for Dart and Flutter projects
Similar to Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards for Dart and Flutter projects (20)
More from Chris Swan
More from Chris Swan (20)
Recently uploaded
Recently uploaded (20)
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards for Dart and Flutter projects
- 1. © 2024 - Atsign | docs.atsign.com Showing that you care about security - OpenSSF Scorecards for Dart and Flutter projects Fluttercon - Jun 2024
- 2. © 2024 - Atsign | docs.atsign.com
- 3. © 2024 - Atsign | docs.atsign.com
- 4. © 2024 - Atsign | docs.atsign.com Hi, I’m Chris @cpswan https://chris.swanz.net
- 5. © 2024 - Atsign | docs.atsign.com Agenda ➔ The Dart and Flutter inspiration ➔ Who are OpenSSF, and what is a scorecard? ➔ Start with Allstar ➔ Doing your first repository ➔ Scaling across multiple repositories ➔ 80:20 ➔ The toil of it all
- 6. The Dart and Flutter inspiration
- 7. © 2024 - Atsign | docs.atsign.com https://opensource.googleblog.com/2022/06/Dart-and-Flutter-enable-Allstar-and-Security-Scorecards.html
- 8. © 2024 - Atsign | docs.atsign.com https://github.com/flutter/flutter
- 9. Who are OpenSSF, and what is a scorecard?
- 10. © 2024 - Atsign | docs.atsign.com https://openssf.org/
- 11. © 2024 - Atsign | docs.atsign.com
- 13. © 2024 - Atsign | docs.atsign.com https://github.com/ossf/allstar
- 14. A whole bunch of config, and a whole bunch of files
- 15. Doing your first repository
- 16. Expect LOTS of issues
- 17. Help is at hand
- 18. Dependency (pinning) hell cont…
- 19. Scaling across multiple repositories
- 20. Rinse and repeat - more of this
- 21. And more of this
- 22. 80:20
- 23. It’s relatively easy to get most stuff right
- 24. There will be a residue
- 25. How this looks to your users
- 26. Radar plot
- 27. Static analysis with osv-scanner steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: dart-lang/setup-dart@f0ead981b4d9a35b37f30d36160575d60931ec30 # v1.6.4 with: sdk: stable - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: 'stable' cache-dependency-path: tools/osv-scanner/go.sum - name: Run osv-scanner working-directory: packages/${{ matrix.package }} run: | dart pub get go install github.com/google/osv-scanner/cmd/osv-scanner@6316373e47d... osv-scanner --lockfile=./pubspec.lock
- 28. This is where it gets really gnarly
- 29. The questionnaire is long and detailed
- 30. And some sections might be hard to accomplish
- 31. The toil of it all
- 32. Make friends with the new boss
- 33. From a docs repo (no actual code to maintain)
- 34. From a code repo
- 35. Scorecard’s own dependencies can change with annoying regularity (in every repo with a scorecard)
- 36. Base dependencies can be amplified
- 37. Use the directories capability, and groups - package-ecosystem: "pub" directories: - "/packages/dart/sshnoports/" - "/packages/dart/sshnp_flutter/" schedule: interval: "daily" groups: pub: patterns: - "*"
- 38. It might still help to do rollups: rollup.sh #!/bin/bash if [ $# -ne 2 ] ; then echo "Usage rollup.sh <BASE_PR> <LAST_PR>" exit 1 fi BASE_PR=$1 LAST_PR=$2 git pull gh pr checkout "$BASE_PR" for (( i=(($BASE_PR + 1)); i<=$LAST_PR; i++ )) do PR_BRANCH=$(gh pr view "$i" --json headRefName -q .headRefName) git merge origin/"$PR_BRANCH" -m "build(deps): Rollup merge branch for #${i} ${PR_BRANCH}" done git push
- 39. Bonus content: SBOMs and SLSA
- 40. Generating Software Bill of Materials (SBOM) - name: Checkout pubspec.lock uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: sparse-checkout: packages/dart/sshnoports/pubspec.lock sparse-checkout-cone-mode: false - name: Install Syft uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 - name: Generate SBOMs run: | syft scan file:./packages/dart/sshnoports/pubspec.lock -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json'
- 41. Make the SBOM with Syft, understand it with GUAC https://github.com/anchore/syft https://guac.sh/
- 42. Generate hashes and build attestation - name: Generate SHA256 checksums working-directory: tarballs run: sha256sum * > checksums.txt - id: hash name: Pass artifact hashes for SLSA provenance working-directory: tarballs run: | echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" - uses: actions/attest-build-provenance@f8d5ea8082b0d9f5… # v1.1.0 with: subject-path: 'tarballs/**'
- 43. In the GitHub Actions run for a build:
- 44. Clicking through to an attestation
- 45. Generate hashes and build attestation: Supply-chain Levels for Software Artifacts (SLSA) provenance: needs: [github-release] permissions: actions: read # Needed for detection of GitHub Actions environment. id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: "${{ needs.github-release.outputs.hashes }}" upload-assets: true
- 46. Peeking inside SLSA attestation: multiple.intoto.jsonl { "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [ { "name": "dart_sshnoports_sbom.cyclonedx.json", "digest": { "sha256": "017532bc7a01a0249211819be5858bc76cf4db7824e0e6432dd0831983948094" } }, { "name": "dart_sshnoports_sbom.spdx.json", "digest": { "sha256": "013bff32cd7c776e54c36db692aceadce13d28839c06ec1b8ed23421edf305e1" } },
- 47. The software supply chain trifecta
- 48. © 2024 - Atsign | docs.atsign.com Review ➔ Our journey started with adoption by the Dart/Flutter team. ➔ An OpenSSF Scorecard can show you care about security. ➔ Allstar provides a good starting point. ➔ Pick a first repo to get a hang of what’s needed. ➔ Then automate across the rest of the organisation. ➔ 20% of the effort to get 80% of the score. Uphill from there. ➔ Scorecards do create ongoing toil that needs to be minimised.
- 49. © 2024 - Atsign | docs.atsign.com Call to action: Run the scorecard CLI against one of your own repos https://github.com/ossf/scorecard# scorecard-command-line-interface
- 50. Resources Blog posts https://blog.thestateofme.com/2022/12/02/implementing-ossf-scorecard s-across-a-github-organisation/ https://blog.thestateofme.com/2023/03/09/roll-up-rollup-get-your-depe ndabot-prs-together-here/ atGitHub https://github.com/atsign-foundation/.github/blob/trunk/docs/atGitHub.md Varun Sharma’s (Step Security) QCon Demo Org https://github.com/qcon-demo-org
- 51. Thanks for your time chris@atsign.com @cpswan
- 52. Questions?