Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2022/01/26 20:10:00 UTC

[jira] [Assigned] (LOG4J2-3260) Missing branch protection settings on log4j2 repo

     [ https://issues.apache.org/jira/browse/LOG4J2-3260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volkan Yazici reassigned LOG4J2-3260:
-------------------------------------

    Assignee: Volkan Yazici

> Missing branch protection settings on log4j2 repo
> -------------------------------------------------
>
>                 Key: LOG4J2-3260
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3260
>             Project: Log4j 2
>          Issue Type: Improvement
>            Reporter: Abhishek Arya
>            Assignee: Volkan Yazici
>            Priority: Trivial
>         Attachments: 20211224-scorecard-report.txt
>
>
> The branch protection setting is missing on [https://github.com/apache/logging-log4j2] repo. Please check [https://github.com/ossf/scorecard/blob/090ae4f0bbc3b6956971bec83530c86696e1e75d/docs/checks.md#branch-protection] for reason why this setting is important. This setting is easy to enable and needs to be done for main and all release branches using [https://github.com/apache/logging-log4j2/settings/branches].
> You can run OpenSSF Scorecard to see the failures:
> ./scorecard --repo [https://github.com/apache/logging-log4j2] --show-details
> You will see some failures, but this branch protection check failure is the most important failure out of them.
> Different types of branch protection protect against different risks:
>  * Require code review: requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted.
>  * Prevent force push: prevents use of the {{--force}} command on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice.
>  * Require [status checks|https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks]: ensures that all required CI tests are met before a change is accepted.
> Next good one to have is to enable CodeQL CI/CD check. Also, in the near future, please consider installing the OpenSSF AllStar app (https://github.com/ossf/allstar) on your github organization. It will help with continuous enforcement of various security policies (including branch protection).
> -Abhishek Arya, Principal Engineer and Manager, Google Open Source Security Team
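
The three controls the issue lists (required review, no force push, required status checks) can be audited mechanically. The script below is an added example, not code from the Jira issue, from Log4j or from OpenSSF Scorecard. It assumes the JSON shape returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection (which answers 404 when a branch has no protection rule at all, modelled here as None); the sample responses are constructed and are not captured from apache/logging-log4j2.

```python
"""Audit a GitHub branch-protection configuration for the three controls
the issue asks for: required review, no force push, required status checks.

Added example; not code from the Jira issue, Log4j or OpenSSF Scorecard.
Assumes the response shape of GitHub's REST endpoint
GET /repos/{owner}/{repo}/branches/{branch}/protection. That endpoint
returns 404 when the branch is unprotected, modelled here as None.
The sample responses below are constructed, not real data.
"""
from typing import Optional


def audit_branch_protection(protection: Optional[dict]) -> dict:
    """Map each control to (passed, detail). Missing data fails closed."""
    if protection is None:
        missing = (False, "branch has no protection rule")
        return {
            "require_code_review": missing,
            "prevent_force_push": missing,
            "require_status_checks": missing,
        }

    findings = {}

    # Require code review: at least one approving review before merge.
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings["require_code_review"] = (False, "no required_pull_request_reviews")
    else:
        count = reviews.get("required_approving_review_count", 0)
        findings["require_code_review"] = (
            count >= 1, f"required_approving_review_count={count}")

    # Prevent force push: the allow_force_pushes switch must be off.
    # If the field is absent we cannot prove it is off, so flag it.
    force = protection.get("allow_force_pushes")
    if force is None:
        findings["prevent_force_push"] = (False, "allow_force_pushes not reported")
    else:
        enabled = bool(force.get("enabled", True))
        findings["prevent_force_push"] = (
            not enabled, f"allow_force_pushes.enabled={enabled}")

    # Require status checks: at least one named CI context must be required.
    checks = protection.get("required_status_checks")
    contexts = [] if checks is None else list(checks.get("contexts", []))
    findings["require_status_checks"] = (
        bool(contexts), f"required contexts={contexts}")

    return findings


def failing_controls(protection: Optional[dict]) -> list:
    """Names of the controls that fail, sorted for easy comparison."""
    return sorted(name for name, (ok, _) in
                  audit_branch_protection(protection).items() if not ok)


# Constructed sample responses (not captured from any real repository).
# WEAK: a rule exists but still allows force pushes and needs no approval.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# HARDENED: the configuration the issue asks for on main and release branches.
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["build"]},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def report(branch: str, protection: Optional[dict]) -> None:
    """Print one PASS/FAIL line per control for a branch."""
    for name, (ok, detail) in audit_branch_protection(protection).items():
        print(f"{branch}: {'PASS' if ok else 'FAIL'} {name} ({detail})")


if __name__ == "__main__":
    report("unprotected", None)
    report("weak", WEAK)
    report("hardened", HARDENED)
```

To run it against a live branch, fetch the JSON with `gh api repos/<owner>/<repo>/branches/<branch>/protection` using a token that is permitted to read the repository's protection rules, parse it with `json.loads`, and pass the result to `failing_controls`; a 404 from that call means the branch has no rule at all and every control fails.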



--
This message was sent by Atlassian Jira
(v8.20.1#820001)