Skip to main content
Version: 1.11.x

Hoppr OpenSSF Scorecard Plugin

The Hoppr OpenSSF Scorecard Plugin can be used to populate component metadata in a CycloneDX Software Bill of Materials (SBOM) with data from OpenSSF Scorecard.

How to use this plugin

Get a Libraries.io API key

In order to use this plugin, an API key from Libraries.io is required.

Once you have this API key, you can provide it to the plugin in one of the following ways:

  • Set the LIBRARIES_API_KEY environment variable in the shell before running Hoppr

    export LIBRARIES_API_KEY="<your key here>"
  • Create a Hoppr credentials file with an entry for https://libraries.io/api and an environment variable of your choosing that holds the value of the API key

    ---
    schemaVersion: v1
    kind: Credentials

    credential_required_services:
    - url: https://libraries.io/api
    user: ""
    pass_env: API_KEY_ENV_VAR

Create a transfer file

A Hoppr transfer file defines the stages to be run and which plugins will be run in those stages.

Create a transfer file that defines a stage with this plugin (identified by hoppr_openssf_scorecard.plugin) specified. For example:

---
schemaVersion: v1
kind: Transfer

stages:
ScorecardData:
plugins:
- name: hoppr_openssf_scorecard.plugin
Bundle:
plugins:
- name: hoppr.core_plugins.bundle_tar
config:
tarfile_name: tarfile.tar.gz

max_processes: 10

Run Hoppr

That's everything! Run hopctl bundle as normal and the SBOM with Scorecard data will be located in the specified bundle file.

How does it work?

Get the source control repository URL

Various API endpoints are leveraged in an attempt to retrieve a component's source control repository URL in order to request a Scorecard report.

First, a REST API or well-known metadata URL for the package manager specific to the PURL type of the component is tried.

PURL TypeURL Endpoint(s)
debhttps://sources.debian.org/api for Debian, https://api.launchpad.net/1.0 for Ubuntu
gemhttps://rubygems.org/api/v1
gitSearches both https://api.github.com and https://gitlab.com/api/v4
golangFirst https://proxy.golang.org, then https://libraries.io/api/Go if not found
helmhttps://artifacthub.io/api/v1/packages/helm
mavenFirst, https://search.maven.org/remotecontent, then https://libraries.io/api/Maven if not found
npmhttps://registry.npmjs.com
pypihttps://pypi.org/pypi
rpmRepository metadata from either rpm repositories defined in the manifest file, or sensible defaults.

These are the defaults for RPM components if not provided.

DistributionMetadata URL
Red Hat 7http://mirror.centos.org/centos/7/os/x86_64
http://mirror.centos.org/centos/7/extras/x86_64
Red Hat/Rocky Linux 8https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os
https://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os
https://dl.rockylinux.org/pub/rocky/8/PowerTools/x86_64/os
https://dl.rockylinux.org/pub/rocky/8/extras/x86_64/os
Red Hat/Rocky Linux 9https://dl.rockylinux.org/pub/rocky/9/AppStream/x86_64/os
https://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os
https://dl.rockylinux.org/pub/rocky/9/CRB/x86_64/os
https://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os
Fedorahttps://dl.fedoraproject.org/pub/fedora/linux/releases/<Fedora release>/Everything/x86_64/os

If a source control repository isn't found this way, the next attempt is to search Libraries.io and try to narrow down and intuit the correct repo URL from the results.

Finally, as a last-ditch effort, the GitHub API is queried in a similar fashion. If no repository URL is found by this point, the component is skipped and the plugin will move on to the next one.

If a repository URL was found during any of these passes, it gets added to the SBOM compoment's externalReferences as a URL with a type of vcs.

Request the report data from Scorecard API

For components that have a vcs repository URL (whether identified as outlined in the previous section or explicitly defined in the SBOM), a request is made to the OpenSSF Scorecard API using that project URL.

The response data is then used to populate the SBOM according to the taxonomy outlined below.

SBOM property taxonomy

Properties generated by this plugin consist of a name prefixed with hoppr:scorecard and a value corresponding to the associated Scorecard field.

NameDescription
hoppr:scorecard:dateDate of the Scorecard report
hoppr:scorecard:metadataMetadata for the Scorecard report
hoppr:scorecard:repo:commitCommit ref/SHA the report was run on
hoppr:scorecard:repo:nameName of the repository
hoppr:scorecard:scoreAggregate score for all checks
hoppr:scorecard:scorecard:commitCommit ref/SHA of Scorecard used to generate the report
hoppr:scorecard:scorecard:versionVersion of Scorecard used to generate the report
hoppr:scorecard:check:Binary-ArtifactsScore for the Binary-Artifacts check
hoppr:scorecard:check:Branch-ProtectionScore for the Branch-Protection check
hoppr:scorecard:check:CI-TestsScore for the CI-Tests check
hoppr:scorecard:check:CII-Best-PracticesScore for the CII-Best-Practices check
hoppr:scorecard:check:Code-ReviewScore for the Code-Review check
hoppr:scorecard:check:ContributorsScore for the Contributors check
hoppr:scorecard:check:Dangerous-WorkflowScore for the Dangerous-Workflow check
hoppr:scorecard:check:Dependency-Update-ToolScore for the Dependency-Update-Tool check
hoppr:scorecard:check:FuzzingScore for the Fuzzing check
hoppr:scorecard:check:LicenseScore for the License check
hoppr:scorecard:check:MaintainedScore for the Maintained check
hoppr:scorecard:check:PackagingScore for the Packaging check
hoppr:scorecard:check:Pinned-DependenciesScore for the Pinned-Dependencies check
hoppr:scorecard:check:SASTScore for the SAST check
hoppr:scorecard:check:Security-PolicyScore for the Security-Policy check
hoppr:scorecard:check:Signed-ReleasesScore for the Signed-Releases check
hoppr:scorecard:check:Token-PermissionsScore for the Token-Permissions check
hoppr:scorecard:check:VulnerabilitiesScore for the Vulnerabilities check
hoppr:scorecard:check:WebhooksScore for the Webhooks check

For descriptions of all the checks performed by Scorecard, see this table.