{"id":31552291,"url":"https://github.com/cedarcode/fido_metadata","last_synced_at":"2025-11-11T20:01:14.305Z","repository":{"id":36105059,"uuid":"221505552","full_name":"cedarcode/fido_metadata","owner":"cedarcode","description":"Client for looking up metadata about FIDO authenticators, for use by WebAuthn relying parties","archived":false,"fork":false,"pushed_at":"2025-09-16T16:21:57.000Z","size":1857,"stargazers_count":15,"open_issues_count":1,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-10-13T12:58:20.089Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cedarcode.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-11-13T16:36:46.000Z","updated_at":"2025-09-18T07:59:35.000Z","dependencies_parsed_at":"2023-01-16T13:33:13.328Z","dependency_job_id":"0b99f02b-deb9-4374-ad67-3315d0890378","html_url":"https://github.com/cedarcode/fido_metadata","commit_stats":{"total_commits":21,"total_committers":3,"mean_commits":7.0,"dds":"0.19047619047619047","last_synced_commit":"2da3470c2bf6d7ff4ed24a857efda39533a95456"},"previous_names":["cedarcode/fido_metadata","bdewater/fido_metadata"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/cedarcode/fido_metadata","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Ffido_metadata","tags
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Ffido_metadata/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Ffido_metadata/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Ffido_metadata/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cedarcode","download_url":"https://codeload.github.com/cedarcode/fido_metadata/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedarcode%2Ffido_metadata/sbom","scorecard":{"id":229046,"data":{"date":"2025-08-11","repo":{"name":"github.com/bdewater/fido_metadata","commit":"fcc1fc1a92f9b0eda5900485d773336494b2c1c6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":3,"reason":"Found 6/16 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not 
detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/bdewater/fido_metadata/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/bdewater/fido_metadata/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/bdewater/fido_metadata/lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/bdewater/fido_metadata/lint.yml/main?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":4,"reason":"6 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-2rxp-v6pw-ch6m","Warn: Project is vulnerable to: GHSA-4xqq-m2hx-25v8","Warn: Project is vulnerable to: GHSA-5866-49gr-22v4","Warn: Project is vulnerable to: GHSA-r55c-59qm-vjw6","Warn: Project is vulnerable to: GHSA-vg3r-rm7w-2xgh","Warn: Project is vulnerable to: GHSA-vmwr-mc7x-5vc3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T04:28:36.759Z","repository_id":36105059,"created_at":"2025-08-17T04:28:36.759Z","updated_at":"2025-08-17T04:28:36.759Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":283921119,"owners_count":26916743,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-11T02:00:06.610Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-04T19:42:03.270Z","updated_at":"2025-11-11T20:01:14.130Z","avatar_url":"https://github.com/cedarcode.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FidoMetadata\n\nA Ruby gem for the [FIDO Alliance Metadata Service (MDS)](https://fidoalliance.org/metadata/). The MDS is a way to retrieve data about FIDO2 and U2F authenticators such as make, model, biometric capabilities, security status and the manufacturer root certificate(s). See [FIDO TechNotes: The Truth about Attestation](https://fidoalliance.org/fido-technotes-the-truth-about-attestation/) for a generic overview.\n\nThis gem provides a HTTP client for the MDS that performs the necessary security checks, parses the data into objects, and caches the results for speed and resiliency. 
It is intended to be used by WebAuthn relying parties wishing to verify attestation statements during registration.\n\n## Installation\n\nAdd this line to your application's Gemfile:\n\n```ruby\ngem 'fido_metadata'\n```\n\nAnd then execute:\n\n    $ bundle\n\nOr install it yourself as:\n\n    $ gem install fido_metadata\n\n## Usage\n\nFirst, you need to [register for an access token](https://mds2.fidoalliance.org/tokens/) and configure a cache backend.\nThe cache interface is compatible with Rails' [`ActiveSupport::Cache::Store`](https://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html), which means you can configure the gem to use your existing cache or a separate one:\n```ruby\nFidoMetadata.configure do |config|\n  config.cache_backend = Rails.cache # or something like `ActiveSupport::Cache::FileStore.new(...)`\nend\n```\n\nThen you can query the table of contents (TOC):\n```ruby\nstore = FidoMetadata::Store.new\ntoc = store.table_of_contents\n# returns a FidoMetadata::TableOfContents object. `toc.entries` returns an array of FidoMetadata::Entry objects, see\n# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-service-v2.0-ps-20170927.html#metadata-toc-payload-entry-dictionary\n```\n\nRetrieve a metadata statement via the authenticator `aaguid` (FIDO2) or `attestation_certificate_key_id` (U2F):\n```ruby\nstore.fetch_statement(aaguid: \"0132d110-bf4e-4208-a403-ab4f5f12efe5\")\n# returns a FidoMetadata::Statement object, see\n# https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-metadata-statement-v2.0-ps-20170927.html#types\n```\n\n### Custom cache backend\n\nIt is possible to implement your own backend for using any datastore you'd like, such as your database. 
The interface you need to implement is as follows:\n\n```ruby\nclass CustomMetadataCacheStore\n  def read(name, _options = nil)\n    # deserialize and return `value`\n  end\n\n  def write(name, value, _options = nil)\n    # serialize and store `value` so it can be looked up using `name`\n  end\nend\n\n# and configure the gem to use it:\nFidoMetadata.configure do |config|\n  config.cache_backend = CustomMetadataCacheStore.new\nend\n```\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/rspec` to run the tests.\n\nYou can also run `MDS_TOKEN=yourtoken bin/console` for an interactive prompt that will allow you to experiment. It is configured to use a simple in-memory cache. If you don't supply the token via the environment variable, the prompt will print instructions to set it in another way.\n\nTo install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/bdewater/fido_metadata. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n\nThe gem and its authors are unaffiliated with the FIDO Alliance. 
The FIDO and FIDO ALLIANCE trademarks and logos are trademarks of FIDO Alliance, Inc.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedarcode%2Ffido_metadata","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedarcode%2Ffido_metadata","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedarcode%2Ffido_metadata/lists"}