25 Jul 2024

Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins Matter?

Yesterday, we discussed what we found when we tried to assess the value of OpenSSF Scorecard scores for WordPress plugins. OpenSSF Scorecard scores are supposed to “quickly assess open source projects for risky practices.” With WordPress plugins, we found that it was of limited value due to lack of scores for many plugins, lack of an easy ability to check if there is a score for a plugin, and questionable metrics. Another use for this for WordPress plugins would be looking at the scores for libraries included in WordPress plugins. While looking into gathering more information on libraries included in plugins for our Plugin Security Scorecard, we found that a major promoter of the OpenSSF Scorecard project is using multiple libraries in a popular plugin despite low scores. That raises the question of how much weight others should put in those scores, if a major proponent appears not to put much.

Google has been heavily involved in the OpenSSF Scorecard project since the beginning. The blog post announcing the project on the OpenSSF was written by a Google employee. Days later, Google’s Open Source Blog promoted the project. Google’s involvement has continued as new versions of the scorecard have been released. Google is also the developer of the Site Kit by Google plugin, which has 4+ million active installs according to wordpress.org data. That plugin includes 7 third-party libraries, referenced in a file generated by Composer.

The OpenSSF Scorecard scoring goes from 0 to 10, with 10 being the best score. Here are the libraries in that plugin and their scores:

The majority of the libraries score below 4. The breakdown for the lowest scoring library shows a lot of problems, if the scoring system is useful:

One metric it gets 0 for is being maintained, which is accurate, as the library was last updated on GitHub in March 2019 and the author last contributed anything to GitHub in February 2020.

If the scoring system is valuable, it seems like that library shouldn’t be included, but it is.
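As an added example (not code from the original post, Site Kit, or the Scorecard project), the following script shows how the check described above can be repeated for any plugin: it reads the library list from the Composer-generated installed.json, builds the public OpenSSF Scorecard API lookup for each GitHub-hosted library, and flags a result whose overall score is below 4 or whose Maintained check is 0. The package names, source URLs and API response are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for vendor/composer/installed.json (Composer 2 layout).
INSTALLED_JSON = json.dumps({"packages": [
    {"name": "example/lib-one",
     "source": {"type": "git", "url": "https://github.com/example/lib-one.git"}},
    {"name": "example/lib-two",
     "source": {"type": "git", "url": "git@github.com:example/lib-two.git"}},
    {"name": "example/private-lib",
     "source": {"type": "git", "url": "https://git.example.org/private-lib.git"}},
]})
# Constructed stand-in for one Scorecard API result (real ones carry more fields).
SCORECARD_RESPONSE = json.dumps({"score": 2.9, "checks": [
    {"name": "Maintained", "score": 0}, {"name": "Code-Review", "score": 6}]})

def github_repo(source_url):
    """Normalise a Composer source URL to 'github.com/owner/repo'; None if not GitHub."""
    if source_url.startswith("git@github.com:"):  # scp-style remote
        path = source_url[len("git@github.com:"):]
    else:
        parsed = urlparse(source_url)
        if parsed.netloc.lower() != "github.com":
            return None
        path = parsed.path.lstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return f"github.com/{parts[0]}/{parts[1]}"

def scorecard_lookups(installed_json):
    """Map each package name to its Scorecard API URL, or None when no lookup is
    possible (the public endpoint is api.securityscorecards.dev/projects/<repo>)."""
    result = {}
    for pkg in json.loads(installed_json).get("packages", []):
        repo = github_repo(pkg.get("source", {}).get("url", ""))
        result[pkg["name"]] = (
            f"https://api.securityscorecards.dev/projects/{repo}" if repo else None)
    return result

def flag_low_score(api_response, threshold=4.0):
    """Return overall score, whether it is below threshold, and the Maintained score."""
    data = json.loads(api_response)
    maintained = next((c["score"] for c in data.get("checks", [])
                       if c["name"] == "Maintained"), None)
    return {"score": data["score"], "low": data["score"] < threshold,
            "maintained": maintained}
```

A library whose lookup is None has no Scorecard result to consult, which is the same gap noted for many plugins.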

Integrating the Results

On the roadmap for our own scoring solution, we plan to surface information on libraries included in WordPress plugins. We are planning to include a link to the OpenSSF Scorecard results for libraries, as we are already doing for plugins we find have a score. We don’t plan to incorporate the scores into our grades at this point, because we haven’t seen evidence that they are useful enough.

Your Thoughts?

We would love to hear other people’s perspectives on the OpenSSF Scorecard results for libraries shipping with WordPress plugins.
