Choosing the Right Dependencies: Ensuring Quality and Security in your Software Projects

Building a project from scratch is rare due to the complexity and time constraints involved. Instead, developers often build applications on top of existing software. This means our software depends on other software. Dependencies are necessary and unavoidable; they reduce development time and costs and usually solve problems outside our expertise that we might not know how to address on our own.

The dependencies of our project begin with the choice of programming language and include frameworks, packages, libraries, binaries, and any other software that helps our development process.

Before adding a new dependency to our project, we check if it is in good health by seeing if it has enough stars on GitHub and if there's an active community implementing features and maintaining them.

But this is just the tip of the iceberg. When we accept a dependency, we are entrusting third parties with its governance, implementation, and maintenance. Therefore, it's important to ask ourselves if the dependency is reliable and meets the minimum quality standards required for our project. Furthermore, do the dependencies of dependencies meet these standards as well?

Evaluating Dependency Quality: What You Need to Know

Thankfully, the Open Source Security Foundation (OpenSSF) comes to the rescue. Let's quote their own words, as they describe their solution perfectly:

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

The Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

The Scorecard evaluates project dependencies based on security best practices and industry standards in five areas: project maintenance, code vulnerabilities, continuous testing, source risk assessment, and build risk assessment.

Here are a few of the 18 checks available at the time of writing:

• Is the project at least 90 days old, and maintained?

• Does the project declare and pin dependencies? Does it use tools to help update them?

• Does the project use Branch Protection?

• Does the project practice code review before code is merged?

• Does the project have contributors from at least two different organizations?

• Does the project run tests in CI, e.g. GitHub Actions, Prow?

• Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing ?

• Does the project contain a security policy?

Establishing Your Project's Quality Benchmarks

First, define the minimum quality standards for your the project. Use the OpenSSF Scorecard—both their website and GitHub—to identify must-haves, red flags, and areas needing improvement.

Second, install Scorecard into your project—either as a GitHub Action or Command line interface—and evaluate if it meets your standards. These checks apply to your project, even if it is not a dependency of other projects.

Next, evaluate dependencies and determine if they are safe and reliable based on your minimum quality standards. Check the Scorecard Badge in their repository or run the Command Line Interface against the repository.

If a dependency does not meet the minimum quality standards, investigate the reasons behind it. Do the authors plan to improve their Scorecard in their roadmap? Are they willing to accept and prioritize issues to improve the Scorecard? Are the authors reluctant to show their failed score?

Keep in mind that some checks may fail (false negatives) because the Scorecard might not yet support the specific development environment of the repository.

Note that many projects may lack the necessary resources, such as sufficient personnel or time, to implement a Scorecard. This might be a good opportunity to help them out!

Conclusion: Ensuring Quality and Security in your Software Projects

In conclusion, choosing the right dependencies is crucial for the quality and security of software projects. By leveraging tools like the OpenSSF Scorecard, one can ensure that and project and its dependencies meet high standards and contribute to the overall robustness. Remember, a well-chosen dependency not only saves time but also enhances the reliability and security of your software.

Fun fact: OpenSSF Scorecard is also a dependency of your project! Their shiny badge on GitHub shows an impressive overall score of 9.7 out of 10! By integrating Scorecard into your project, it gets an automatic thumbs-up.