27 Jan 2025

OpenSSF Scorecard’s Developers Are Not Providing Evidence That The WordPress Community Should Trust its Results

As described by the developers, the OpenSSF Scorecard “assesses open source projects for security risks through a series of automated checks” to “help users as they decide the trust, risk, and security posture for their use case.” Considering the widespread belief that WordPress plugins are not secure, which comes from a combination of very real problems and a lot of very false claims, the scorecard could be rather beneficial for WordPress plugins. The scorecard is also the inspiration for our Plugin Security Scorecard, which is a reasonably similar scorecard focused specifically on WordPress plugins. We include a link to the results of the OpenSSF Scorecard for scored third-party libraries and WordPress plugins with a million or more installs. That being said, the developers are not providing evidence that the results it produces are a meaningful measure of software’s security. A new blog post on their website doesn’t address that while seeking greater adoption by open source projects.

In July, we noted a number of issues that we ran across while looking at the results for WordPress plugins. Some were more serious than others. It had problems detecting the license of plugins, which doesn’t really even seem relevant to vetting the security of the software, but that had only a small effect on the score. More problematic was another component of the score, which can lower the score for projects that are not doing something they don’t need to do, as even the scorecard’s documentation acknowledges. That month we also noted that Google, which is heavily involved in the scorecard, was using various third-party libraries in one of their WordPress plugins despite those libraries getting low scores. [Read more]

25 Jul 2024

Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins Matter?

Yesterday, we discussed what we found when we tried to assess the value of OpenSSF Scorecard scores for WordPress plugins. OpenSSF Scorecard scores are supposed to “quickly assess open source projects for risky practices.” With WordPress plugins, we found that it was of limited value due to the lack of scores for many plugins, the lack of an easy way to check whether there is a score for a plugin, and questionable metrics. Another use for the scorecard with WordPress plugins would be looking at the scores for libraries included in those plugins. While looking into gathering more information on libraries included in plugins for our Plugin Security Scorecard, we found that a major promoter of the OpenSSF Scorecard project is using multiple libraries in a popular plugin despite low scores. That raises the question of how much weight others should put in those scores, if a major proponent appears not to put much.

Google has been heavily involved in the OpenSSF Scorecard project since the beginning. The blog post announcing the project on the OpenSSF was written by a Google employee. Days later, Google’s Open Source Blog promoted the project. Google’s involvement has continued as new versions of the scorecard have been released. Google is also the developer of the Site Kit by Google plugin, which has 4+ million active installs according to wordpress.org data. That includes 7 third-party libraries referenced in a file generated by Composer in the plugin. [Read more]

24 Jul 2024

Popular WordPress Plugins Get Low OpenSSF Scorecard Security Scores, But Does it Matter?

We recently introduced a Plugin Security Scorecard tool to promote better handling of security by the developers of WordPress plugins. A direct inspiration for this is the Open Source Security Foundation’s (OpenSSF) Scorecard. That is marketed as allowing you to “quickly assess open source projects for risky practices” and is supposed to have information on “over 1 million of the most used OSS projects.” While the marketing makes their solution sound impressive, there is a decided lack of evidence put forward that it provides useful results. That seems important, considering that the broad scope of the project raises questions about how reliable the results can be across such divergent software. As we look to improve our own tool, we wanted to better understand what the OpenSSF Scorecard delivers for WordPress plugins. The results were not great.

Limited Breadth of WordPress Plugins Covered

While it is claimed that over 1 million of the most used OSS projects are covered, the website doesn’t provide further details on what is covered. So there is no breakdown of how many WordPress plugins are covered and what those are. As best we can tell, the project checks software hosted on GitHub and GitLab, so WordPress plugins hosted on the WordPress Plugin Directory could only be checked if they are also hosted on one of those. [Read more]
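Two of the points above are practical ones for anyone vetting a plugin: Scorecard only has results for code hosted on GitHub or GitLab, and a plugin’s bundled third-party libraries are listed in the file Composer generates (`vendor/composer/installed.json`). The script below is an added example written for this page; it is not the blog’s Plugin Security Scorecard tool nor any code from the OpenSSF project. It parses a constructed sample of that Composer file, normalises each library’s source URL to the `host/owner/repo` form the Scorecard project keys results on, and builds the lookup URL for the project’s public REST API (`https://api.securityscorecards.dev/projects/...`). The package names and URLs in the sample are made up; the `fetch_score` helper assumes the API answers with a JSON document whose top-level `score` field is the aggregate score and returns HTTP 404 when a repository has no result.

```python
"""Map libraries listed in a Composer-generated vendor/composer/installed.json
to OpenSSF Scorecard API lookups (added example, not the blog's own tool)."""
import json
from urllib.parse import urlparse

# Constructed sample of the "packages" array Composer 2 writes to
# vendor/composer/installed.json. Names and URLs are invented for this example.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "example/http-client", "version": "2.1.0",
         "source": {"type": "git", "url": "https://github.com/example/http-client.git"}},
        {"name": "example/jwt", "version": "6.4.0",
         "source": {"type": "git", "url": "git@github.com:example/jwt.git"}},
        {"name": "example/local-only", "version": "1.0.0"},   # no source: nothing to look up
        {"name": "example/gl-lib", "version": "0.3.1",
         "source": {"type": "git", "url": "https://gitlab.com/example/gl-lib.git"}},
        {"name": "example/elsewhere", "version": "1.2.0",
         "source": {"type": "git", "url": "https://bitbucket.org/example/elsewhere.git"}},
    ]
})

SCORECARD_API = "https://api.securityscorecards.dev/projects/"
# The scorecard covers repositories on these hosts (per the post above).
SUPPORTED_HOSTS = {"github.com", "gitlab.com"}


def repo_path(url):
    """Normalise a Composer source URL to 'host/owner/repo'.

    Returns None when the URL is not a plain owner/repo on a supported host,
    which is exactly the case where no Scorecard result can exist."""
    if url.startswith("git@"):                        # scp-style: git@host:owner/repo.git
        host, _, path = url[4:].partition(":")
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc, parsed.path.lstrip("/")
    host = host.lower()
    if host not in SUPPORTED_HOSTS:
        return None
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return f"{host}/{parts[0]}/{parts[1]}"


def scorecard_lookups(installed_json_text):
    """Return a list of (package name, version, API URL or None) tuples.

    None means the library cannot have a Scorecard result, so a reviewer
    knows to assess it some other way rather than assuming it was scored."""
    data = json.loads(installed_json_text)
    packages = data["packages"] if isinstance(data, dict) else data  # Composer 1 wrote a bare list
    out = []
    for pkg in packages:
        url = (pkg.get("source") or {}).get("url", "")
        path = repo_path(url) if url else None
        out.append((pkg["name"], pkg.get("version"), SCORECARD_API + path if path else None))
    return out


def fetch_score(api_url, timeout=10):
    """Fetch one project's aggregate score from the Scorecard API.

    Returns the float score, or None when the API has no result (HTTP 404).
    This is the only function that touches the network; the rest runs offline."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(api_url, timeout=timeout) as resp:
            return json.load(resp).get("score")     # assumed top-level field name
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    for name, version, api_url in scorecard_lookups(SAMPLE_INSTALLED_JSON):
        print(f"{name} {version}: {api_url or 'not on GitHub/GitLab, no Scorecard lookup'}")
```

Run against a real plugin by replacing `SAMPLE_INSTALLED_JSON` with the contents of its `vendor/composer/installed.json`; the libraries that come back as `None` are the ones a scorecard cannot vouch for at all, which is a separate finding from a low score.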