Projects that follow the best practices below can voluntarily self-certify and show that they have achieved the Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/1084"><img src="https://www.bestpractices.dev/projects/1084/badge"></a>
umoci is a tool for modifying Open Container images
Currently this project has a bus factor of one (Aleksa Sarai). However, we are working on improving this situation (Tycho Andersen is close to qualifying in this respect).
There are currently two unassociated significant contributors (Aleksa Sarai and Tycho Andersen). See https://github.com/opencontainers/umoci/graphs/contributors for current statistics.
Every source file includes the standard Apache 2.0 license header which includes the copyright holder and year. Contributors are encouraged to add their names to these headers if they make significant contributions.
Every source file includes the standard Apache 2.0 license header.
Repository on GitHub, which uses git. git is distributed.
This is provided by https://github.com/opencontainers/umoci/labels/good%20first%20issue.
The opencontainers GitHub organisation requires 2FA be enabled for all accounts that are members, and thus all developers with push access must have 2FA.
GitHub provides TOTP and FIDO 2FA, which are both cryptographically secure.
Coding standards and requirements are described in the contributing documentation https://github.com/opencontainers/umoci/blob/master/CONTRIBUTING.md.
As described in the governance rules https://github.com/opencontainers/umoci/blob/master/GOVERNANCE.md, 100% of contributions require two LGTMs from maintainers before a change can be merged. For changes made by maintainers, they are allowed to approve their own changes, meaning that their contributions require one additional LGTM from a different maintainer.
umoci is written in Go, which is a reproducible project https://blog.filippo.io/reproducing-go-binaries-byte-by-byte/, and we also have CI checks to ensure that builds are trivially reproducible. https://github.com/opencontainers/umoci/blob/v0.4.3/Makefile#L111-L122
The test suite can be invoked from the project's Makefile https://github.com/opencontainers/umoci/blob/master/Makefile which uses the standard go testing tool for unit tests and runs the bats testing tool for integration tests.
This project makes use of the free software CI system Travis https://travis-ci.org/opencontainers/umoci, and the actual test framework is the free software project bats https://github.com/bats-core/bats-core.
We currently have a hard requirement of 80% statement coverage for all new changes, which are automatically tested as part of CI. In future we plan to increase this to 90% (the main restriction is that currently Go's error paths are considered separate statements -- and it's not always possible to mock all error paths, especially obvious error paths).
There doesn't currently exist any branch coverage tool for Go -- only statement coverage is available. https://github.com/golang/go/issues/28888
This project does not support network communication.
This project does not use TLS.
The necessary hardening headers are being set (see https://observatory.mozilla.org/analyze/umo.ci for an up-to-date report), but unfortunately our CSP has to include unsafe-inline for both script-src and style-src because the Hugo theme we use makes use of inline JS and CSS. However, we do plan to move away from this theme to resolve the issue https://github.com/opencontainers/umoci/issues/336, and our project website is entirely static with no private data.
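The weakness described above (unsafe-inline in script-src and style-src) is easy to miss in a long policy string, and it is neutralised in CSP level 2 browsers as soon as a nonce or hash source appears in the same directive. The checker below is an added example, not code from umoci or from the umo.ci site: it parses a Content-Security-Policy header value and reports which of the two directives effectively allow inline code. The two header values are constructed for illustration (the nonce value is a placeholder), not copied from the live site.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample headers (not taken from umo.ci): the weak policy the
// badge answer describes, and a nonce-based policy that drops 'unsafe-inline'.
const weakCSP = "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'"
const hardenedCSP = "default-src 'none'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self' 'nonce-PLACEHOLDER'; img-src 'self'"

// ParseCSP splits a Content-Security-Policy header value into directives.
// Directive names are case-insensitive; source expressions keep their case.
func ParseCSP(header string) map[string][]string {
	policy := make(map[string][]string)
	for _, directive := range strings.Split(header, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue // empty directive, e.g. from a trailing ';'
		}
		name := strings.ToLower(fields[0])
		policy[name] = append(policy[name], fields[1:]...)
	}
	return policy
}

// UnsafeInlineDirectives reports which of script-src and style-src still
// permit inline code. A missing directive falls back to default-src, as
// browsers do. When a nonce or hash source is present in the same directive,
// CSP level 2+ user agents ignore 'unsafe-inline', so that case is not flagged.
func UnsafeInlineDirectives(policy map[string][]string) []string {
	var flagged []string
	for _, name := range []string{"script-src", "style-src"} {
		sources, ok := policy[name]
		if !ok {
			sources = policy["default-src"]
		}
		hasUnsafeInline, hasNonceOrHash := false, false
		for _, src := range sources {
			lower := strings.ToLower(src)
			switch {
			case lower == "'unsafe-inline'":
				hasUnsafeInline = true
			case strings.HasPrefix(lower, "'nonce-"),
				strings.HasPrefix(lower, "'sha256-"),
				strings.HasPrefix(lower, "'sha384-"),
				strings.HasPrefix(lower, "'sha512-"):
				hasNonceOrHash = true
			}
		}
		if hasUnsafeInline && !hasNonceOrHash {
			flagged = append(flagged, name)
		}
	}
	return flagged
}

func main() {
	samples := []struct{ label, header string }{
		{"weak", weakCSP},
		{"hardened", hardenedCSP},
	}
	for _, s := range samples {
		fmt.Printf("%-9s directives allowing inline code: %v\n", s.label, UnsafeInlineDirectives(ParseCSP(s.header)))
	}
}
```

Running it prints the two offending directives for the weak policy and an empty list for the nonce-based one; the same function can be pointed at a header captured with curl -I against any static site to confirm a theme migration actually removed the inline allowance.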
This project has not yet received any third-party security review.
While Go doesn't provide many hardening mechanisms, we do use -buildmode=pie to enable ASLR https://github.com/opencontainers/umoci/blob/v0.4.3/Makefile. We also have several protections such as making extracted filesystems world-inaccessible by default https://umo.ci/reference/security/, as well as working actively on protecting against container escapes (though this is something still being worked on https://github.com/opencontainers/umoci/issues/277).
This is on the roadmap -- see https://github.com/opencontainers/umoci/issues/335.
We have various forms of validation (most notably relating to checksum mismatches), and our test suite validates that such attacks are being correctly detected. However, since we do not have any dynamic analysis suite (our test suite only checks statement coverage not branch coverage), this requirement is technically not met.
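The checksum-mismatch validation mentioned above is the core integrity check of any OCI image tool: a blob is addressed by the digest in its descriptor, so a fetched blob must be rejected unless its size and digest match before anything parses it. The snippet below is an added example written for this page, not umoci's own implementation: the `Descriptor` type, `DigestOf` and `Verify` are assumed names, and the tiny config blob is constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Descriptor is the subset of an OCI content descriptor needed here:
// the blob is identified by "<algorithm>:<hex>" plus its expected size.
// This is an illustrative type, not umoci's own.
type Descriptor struct {
	Digest string
	Size   int64
}

var (
	ErrSizeMismatch         = errors.New("blob size does not match descriptor")
	ErrDigestMismatch       = errors.New("blob digest does not match descriptor")
	ErrUnsupportedAlgorithm = errors.New("unsupported digest algorithm")
)

// DigestOf returns the OCI-style sha256 digest string for data.
func DigestOf(data []byte) string {
	sum := sha256.Sum256(data)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Verify checks a fetched blob against its descriptor before the caller
// parses it. The size is checked first so a truncated or padded blob is
// rejected without hashing; then the digest is recomputed and compared.
// Digests are public values, so an ordinary string comparison is fine here.
func Verify(desc Descriptor, blob []byte) error {
	if int64(len(blob)) != desc.Size {
		return fmt.Errorf("%w: got %d bytes, want %d", ErrSizeMismatch, len(blob), desc.Size)
	}
	algo, want, ok := strings.Cut(desc.Digest, ":")
	if !ok || algo != "sha256" {
		return fmt.Errorf("%w: %q", ErrUnsupportedAlgorithm, algo)
	}
	sum := sha256.Sum256(blob)
	if hex.EncodeToString(sum[:]) != strings.ToLower(want) {
		return fmt.Errorf("%w: %s", ErrDigestMismatch, desc.Digest)
	}
	return nil
}

func main() {
	// Constructed sample blob standing in for an image config.
	blob := []byte(`{"architecture":"amd64","os":"linux"}`)
	desc := Descriptor{Digest: DigestOf(blob), Size: int64(len(blob))}
	fmt.Println("genuine blob:", Verify(desc, blob))

	// Flip one byte without changing the length: only the digest catches it.
	tampered := append([]byte(nil), blob...)
	tampered[0] = '['
	fmt.Println("tampered blob:", Verify(desc, tampered))

	// Drop the last byte: the size check rejects it before hashing.
	fmt.Println("truncated blob:", Verify(desc, blob[:len(blob)-1]))
}
```

The same-length tamper case is the one worth having in a test suite, since it is exactly what a size-only check would let through; the test below also pins `DigestOf` to the well-known sha256 of the empty input.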