Updated Scorecard Report (Manually) #965

Merged: 1 commit merged into nodejs:main, Apr 27, 2023
Conversation

UlisesGascon (Member):

Main changes

  • Added updated version for the Scorecard report.
  • This new version includes an alternative way to visualize the reports (new link), thanks @KoolTheba

Context

This is related to #961

Analysis

Key repos

| Repository | Commit | Score | Date | Difference | Report Link | StepSecurity Link |
|---|---|---|---|---|---|---|
| nodejs/node | 2ac5e98 | 7.3 | 2023-04-26T08:57:49Z | -0.3 | Full Report | Fix it |
| nodejs/security-wg | 436ca24 | 8.2 | 2023-04-24T22:24:57Z | 0.1 | Full Report | Fix it |
| nodejs/undici | a3efc98 | 5.7 | 2023-04-25T10:24:06Z | -0.9 | Full Report | Fix it |

Conclusions

  • The biggest difference is in undici, due to the binary artifacts lib/llhttp/llhttp.wasm & lib/llhttp/llhttp_simd.wasm and to code review, which found 5 unreviewed human changesets.
  • Node has decreased 0.3 points in total, but there are more changes behind it:
    • Reduced score due to many new binary artifacts in the deps/ and test/ folders.
    • Reduced score also due to code review, which found 5 unreviewed human changesets.
    • Increased due to Fuzzing: project is fuzzed with OSSFuzz.
    • Increased due to Pinned-Dependencies; still work to do, but less than before.
    • Increased due to no vulnerabilities detected.
  • Security-wg has increased 0.1 as we achieved the 30 commits checked:
    • SAST: Info: all commits (30) are checked with a SAST tool
    • CI Test: 30 out of 30 merged PRs checked by a CI test -- score normalized to 10

Additional context

  • Link to the StepSecurity Dashboard for the Node.js org

@mhdawson (Member):

@UlisesGascon thanks for the detailed analysis. The ones related to wasm are interesting: most are for tests related to WASM support, which I don't think should be flagged, while others are legit things (the wasm used for llhttp).

Do you know if there is a good contact for the scorecard to send feedback to? I think there really should be a configuration list or equivalent with which we can exclude the wasm used for tests.
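The analysis above was done by hand from the linked reports, and the comment above asks for a way to set test-only wasm aside. The script below is an added example for this thread; it is not code from nodejs/security-wg or from the Scorecard project. It takes two Scorecard JSON documents, lists which checks moved the overall score (the per-check reasoning in the Conclusions), and splits Binary-Artifacts findings into shipped binaries and files under test/, so the two kinds of wasm hit can be told apart without waiting for an exclusion list in Scorecard itself. Assumptions: the document layout (top-level "score", a "checks" list of objects with "name", "score" and "details") follows `scorecard --format json`, and a binary finding reads "Warn: binary detected: <path>:<line>"; both embedded reports are constructed sample data for a hypothetical repository, not the real nodejs reports.

```python
"""Per-check comparison of two OpenSSF Scorecard JSON results.

Added example, not code from nodejs/security-wg or the Scorecard project.
Assumed layout: top-level "score" plus a "checks" list of
{"name", "score", "details", "reason"}, as emitted by `scorecard --format json`;
Binary-Artifacts detail lines are assumed to read
"Warn: binary detected: <path>:<line>".  Sample reports are constructed."""

import json
import re
from typing import Dict, List, Tuple

# Constructed sample: an earlier run of a hypothetical repository.
PREVIOUS_JSON = json.dumps({
    "repo": {"name": "github.com/example/repo", "commit": "0000000"},
    "score": 6.6,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "details": None,
         "reason": "no binaries found in the repo"},
        {"name": "Code-Review", "score": 10, "details": None,
         "reason": "all changesets reviewed"},
        {"name": "Fuzzing", "score": 0, "details": None,
         "reason": "project is not fuzzed"},
    ],
})

# Constructed sample: a later run with new binaries and unreviewed changes.
CURRENT_JSON = json.dumps({
    "repo": {"name": "github.com/example/repo", "commit": "1111111"},
    "score": 5.7,
    "checks": [
        {"name": "Binary-Artifacts", "score": 7, "details": [
            "Warn: binary detected: lib/llhttp/llhttp.wasm:1",
            "Warn: binary detected: test/fixtures/simple.wasm:1",
        ], "reason": "binaries present in source code"},
        {"name": "Code-Review", "score": 7, "details": [
            "Warn: found 5 unreviewed human changesets out of 30",
        ], "reason": "found 5 unreviewed changesets out of 30"},
        {"name": "Fuzzing", "score": 10, "details": [
            "Info: project is fuzzed with OSSFuzz",
        ], "reason": "project is fuzzed"},
    ],
})

# Per-file line Scorecard emits for Binary-Artifacts (assumed format).
BINARY_RE = re.compile(r"binary detected: (?P<path>.+?)(?::\d+)?$")


def check_scores(doc: dict) -> Dict[str, int]:
    """Map check name -> integer score (0..10, or -1 when inconclusive)."""
    return {c["name"]: c["score"] for c in doc["checks"]}


def score_deltas(previous: dict, current: dict) -> Dict[str, int]:
    """Score change per check (current minus previous) for checks in both runs."""
    prev, cur = check_scores(previous), check_scores(current)
    return {name: cur[name] - prev[name] for name in cur if name in prev}


def classify_binaries(doc: dict,
                      test_prefixes: Tuple[str, ...] = ("test/",)
                      ) -> Tuple[List[str], List[str]]:
    """Split Binary-Artifacts findings into shipped binaries and test fixtures.

    Triage happens after the run: a .wasm under test/ is a fixture,
    one under lib/ ships to users and deserves the warning."""
    shipped: List[str] = []
    fixtures: List[str] = []
    for check in doc["checks"]:
        if check["name"] != "Binary-Artifacts":
            continue
        for line in check.get("details") or []:
            match = BINARY_RE.search(line)
            if match is None:
                continue  # summary line without a file path
            path = match.group("path")
            (fixtures if path.startswith(test_prefixes) else shipped).append(path)
    return shipped, fixtures


def compare_reports(previous_json: str, current_json: str) -> dict:
    """Summarise what changed between two Scorecard JSON documents."""
    previous, current = json.loads(previous_json), json.loads(current_json)
    shipped, fixtures = classify_binaries(current)
    return {
        "commit": current["repo"]["commit"],
        "overall_delta": round(current["score"] - previous["score"], 1),
        "check_deltas": score_deltas(previous, current),
        "shipped_binaries": shipped,
        "test_binaries": fixtures,
    }


if __name__ == "__main__":
    summary = compare_reports(PREVIOUS_JSON, CURRENT_JSON)
    print(f"commit {summary['commit']}: overall {summary['overall_delta']:+.1f}")
    for name, delta in sorted(summary["check_deltas"].items()):
        if delta:
            print(f"  {name}: {delta:+d}")
    print("  shipped binaries:", summary["shipped_binaries"])
    print("  test-only binaries (candidates to ignore):", summary["test_binaries"])
```

Run it against two real reports by replacing the embedded strings with the files downloaded from the report links; checks missing from the earlier run are skipped in the delta rather than counted as a drop, and the test/ prefix list is the only policy knob, so a repository that keeps fixtures elsewhere passes its own prefixes.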

@mhdawson (Member) left a review:

LGTM

@RafaelGSS (Member) left a review:

LGTM. Let's review it tomorrow

@RafaelGSS RafaelGSS merged commit 648c6a4 into nodejs:main Apr 27, 2023
3 participants