The Open Source Security Foundation (OpenSSF) has a tool called OpenSSF Scorecard, which runs automated security assessments on code repositories, recently updated to better support .NET NuGet packages. Many popular .NET packages have low scores and Microsoft is encouraging project maintainers to "to adopt necessary improvements" in order to improve the "overall security of the entire .NET ecosystem."
The post from software engineers Ioana Amarande and Avishay Balter, along with technical program manager Mélanie Guittet, includes an analysis of over 1,000 C# and F# repositories, showing low average scores for many of the checks - though some low scores may show errors running the tool.
In a post on LinkedIn Balter wrote that the work on OpenSSF Scorecard came out of the Microsoft Global Hackathon, where employees and interns work in Microsoft Garage workspaces to accelerate work on specific projects. According to Balter, "during the Hackathon we contributed to new capabilities that bring .NET/NuGet to the same level of support as other ecosystems already supported by Scorecard."
The Scorecard project dates from late 2020 and aims "to help open source consumers judge whether their dependencies are safe" - though it can also be used on any repository by developers keen to assess the security of their own code.
Rather than looking directly for coding errors which cause vulnerabilities, the Scorecard tries to assess the health of a project from a security perspective. There are around 20 checks, which include such factors as: whether code reviews are required before pull requests are merged; whether there are dangerous patterns in GitHub Action workflows; how active the project is; and whether there are pinned dependencies - meaning dependencies are set to specific versions, preferably verified with a hash. It also checks whether a project has cryptographically signed releases. GitHub is the best supported repository host, though the Scorecard also works with GitLab.
Some projects are subject to regular checks by OpenSSF. In this case, developers can view the score on the web using a URL derived from the repository location - such as https://scorecard.dev/viewer/?uri=github.com/JamesNK/Newtonsoft.Json - or via results stored in Google's BigQuery database.
Developers have several ways to check their own repositories. One is to add the Scorecard's GitHub action to a repository. This is supported for all public repositories, or for private repositories with GitHub Advanced Security, in which case an enterprise account is required.
Another option is to use the command line, using a GitHub or GitLab access token. The Scorecard software runs on macOS or Linux, or via a Docker container. We used this approach to assess a private repository from a Mac, showing a number of issues that merit investigation.
According to the Microsoft engineers, there are plenty of "low-hanging fruit opportunities for .NET ecosystem maintainers to make improvements." Put another way, that suggests that many easily implemented changes that would improve security are being missed - though the opinion of hard-pressed open source maintainers on whether or not a change is simple to implement may be different.