{"id":18508472,"url":"https://github.com/ossf/project-security-metrics","last_synced_at":"2025-04-09T03:32:03.161Z","repository":{"id":41930771,"uuid":"285366480","full_name":"ossf/Project-Security-Metrics","owner":"ossf","description":"Collect, curate, and communicate relevant security metrics for open source projects.","archived":true,"fork":false,"pushed_at":"2024-03-13T13:15:43.000Z","size":1303,"stargazers_count":63,"open_issues_count":33,"forks_count":24,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-03-03T01:16:45.596Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://openssf.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-08-05T18:00:26.000Z","updated_at":"2024-07-13T05:56:30.000Z","dependencies_parsed_at":"2024-03-13T14:45:13.254Z","dependency_job_id":null,"html_url":"https://github.com/ossf/Project-Security-Metrics","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":"ossf/project-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2FProject-Security-Metrics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2FProject-Security-Metrics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2FProject-Security-Metrics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2FProject-Security-Metrics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/Project-Security-Metrics/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247973842,"owners_count":21026735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T15:14:27.806Z","updated_at":"2025-04-09T03:32:02.485Z","avatar_url":"https://github.com/ossf.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security Metrics\n\nThe purpose of this project is to collect, organize, and provide interesting security metrics\nfor open source projects to stakeholders, including users.\n\nThis project is in early development and we welcome community support. For more information or\nto get involved, please see our [workgroup](https://github.com/ossf/wg-identifying-security-threats)\npage.\n\n## Installing a Local Development Environment\n\nSetting up a basic development environment is straightforward:\n\n1. Clone the repository (`git clone https://github.com/ossf/Project-Security-Metrics`).\n1. Ensure that you have [Docker Compose](https://docs.docker.com/compose/) installed.\n1. Copy `docker/web/.env.dev.web-example` to `docker/web/.env.dev.web` and modify the values\n   in that file for your local environment.\n1. Do the same thing for `docker/db/.env.dev.db-example` and `docker/worker/.env.dev.worker-example`.\n1. Run `start.ps1`.\n1. 
Open http://127.0.0.1:8000\n\nThe first configuration file has a template at `docker/db/.env.dev.db-example`, which should\nbe copied or renamed to `docker/db/.env.dev.db`. There is only one field in that file\nthat you need to change, the password for your local PostgreSQL database.\n\nThe second configuration file has a template at `docker/web/.env.dev.web-example`, which\nsimilarly should be copied or renamed to `docker/web/.env.dev.web`. Open this file in your\nfavorite text editor and update the `SECRET_KEY`, `DJANGO_SUPERUSER_PASSWORD` and\n`DB_PASSWORD` fields. Use the same value for `DB_PASSWORD` as you specified in the first\nconfiguration file. Use long random values rather than the template placeholders: Django\nuses `SECRET_KEY` to sign session cookies and CSRF tokens, so anyone who can guess it can\nforge them. The `.env.dev.*` files hold secrets and should never be committed; only the\n`-example` templates belong in the repository.\n\nWhen you're done, you can try building and running the Docker application. From the root\nof the repository, run:\n\n`docker-compose -f docker/docker-compose.yml build`\n\nThis should take 5-10 minutes to complete (perhaps more, depending on bandwidth and the\nimages that Docker needs to pull).\n\nNow you can run the application with:\n\n`docker-compose -f docker/docker-compose.yml run`\n\n**NOTE**: You might see some errors the first or second time you run this. I know about\nthem, but haven't had cycles to fix them yet. Press Ctrl-C to exit the application,\nand then re-run `docker-compose -f docker/docker-compose.yml run`. In my testing,\n\"third time's the charm\". I hope to have this fixed shortly.\n\n## First Time Usage\n\nOpen a web browser to [http://localhost:8000](http://localhost:8000). You should see an\nerror message from Django. (This is also a bug that hasn't been fixed yet.)\n\nNow open a web browser to [http://localhost:8000/grafana/](http://localhost:8000/grafana/).\nThat last slash is important. You should be asked to log in. Do so using Grafana's default\ncredentials `admin/admin` and then change the password to whatever you'd like; do not keep\nthe default. Now you'll have an empty Grafana instance.\n\nClick on the gear icon on the left and select `Data Sources` / `Add data source`. 
Choose\nPostgreSQL and use the following details:\n\n* Host: `db`\n* Database: `metricdb` (unless you changed it in `.env.dev.db` above)\n* User: `metricuser` (unless you changed it in `.env.dev.db` above)\n* Password: Use what you specified in `.env.dev.db` above.\n* SSL Mode: `disable`. This is acceptable here only because Grafana reaches `db` over the\n  Compose-internal network; for a database reached over a real network use `require` or\n  `verify-full` instead.\n* Version: 12 (other versions may also work).\n\nClick `Save \u0026 Test`.\n\nNow we just need to import the current dashboard configuration. Click on the icon with\nfour squares (above the gear icon) on the left and select `Manage Dashboards`. Press\n`Import`.\n\nNow open a new browser tab and access\n[this URL](https://metrics.openssf.org/grafana/d/default/metric-dashboard?editview=dashboard_json\u0026orgId=1).\nYou can get to it by accessing [metrics.openssf.org](https://metrics.openssf.org), opening\na dashboard, clicking on the share icon on the top, then `Export` and `View JSON`. Copy the JSON\ncontent and paste it into your local instance and click `Save`.\n\nNow you have Grafana set up, but you don't have any data yet. 
Open a command prompt and check\nwhat the names of the containers are:\n\n```\nPS C:\\dev\u003e docker ps -a\nCONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                    NAMES\ncf11aee4c908   docker_nginx     \"/docker-entrypoint.…\"   9 hours ago   Up 9 hours   0.0.0.0:8000-\u003e80/tcp     docker_nginx_1\ncd8978797dd9   docker_web       \"/usr/src/app/entryp…\"   9 hours ago   Up 9 hours   8000/tcp                 docker_web_1\n010bd148d19a   redis:alpine     \"docker-entrypoint.s…\"   9 hours ago   Up 9 hours   6379/tcp                 docker_redis_1\nf64a3ccd0ac4   docker_grafana   \"/entrypoint.sh\"         9 hours ago   Up 9 hours   3000/tcp                 docker_grafana_1\n7c431e863842   postgres         \"docker-entrypoint.s…\"   9 hours ago   Up 9 hours   0.0.0.0:5432-\u003e5432/tcp   docker_db_1\n```\n\nNote the `PORTS` column: `docker_db_1` publishes PostgreSQL on `0.0.0.0:5432`, so the\ndatabase is reachable from every interface of your machine, not only from the other\ncontainers. The password in `.env.dev.db` is all that protects it, which is one more reason\nto choose a strong one (or to bind the port to `127.0.0.1` if you don't need host access).\n\nWe need to kick off a reload job on the web server:\n\n```\nPS C:\\dev\u003e docker exec -it docker_web_1 /bin/bash\nroot@cd8978797dd9:/usr/src/app/src/management# /etc/cron.daily/openssf-reload-all\n\nOpenSSF: Starting data reload.\n[25/Apr/2021 21:25:06] INFO [load_bestpractices_data.handle:25] Gathering all best practice data.\n[25/Apr/2021 21:25:06] DEBUG [connectionpool._new_conn:971] Starting new HTTPS connection (1): bestpractices.coreinfrastructure.org:443\n[25/Apr/2021 21:25:06] DEBUG [connectionpool._new_conn:971] Starting new HTTPS connection (1): bestpractices.coreinfrastructure.org:443\n...\n```\n\nNow grab a snack, or let it run overnight. For me, this initial load took approximately 7 hours\nto complete. (This is absurdly long, and something that we'll need to fix.)\n\nOnce the process has started, you can immediately access the site. 
The main URL\n(http://localhost:8000) should work, and Grafana should have some projects populated.\n\n## Actually doing development work\n\nThe Django application is set up to run from the host machine, so you can immediately edit\nfiles and see them reflected in the running application. For example, change some text\nin the `src/management/app/templates/app/index.html` file and then access http://localhost:8000.\nIf you change the model, you'll need to either reload the application or run the relevant\nmanagement command inside the `docker_web_1` container with `docker exec`, as we did above.\n\nIf you change an import job, then you'll need to ensure it's properly plumbed together, which\nmeans:\n\n* Creating the import job in `src/management/app/management/commands/`\n* Adding the job to `docker/web/cron.daily`.\n\n## Reporting Issues\n\nThere are definitely bugs in this documentation and in the individual components. Please\nreport them as a GitHub issue and we'll get them fixed or improved.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fproject-security-metrics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fproject-security-metrics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fproject-security-metrics/lists"}
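Added example for the configuration-file step of the README above (the `docker/db/.env.dev.db`, `docker/web/.env.dev.web` and `docker/worker/.env.dev.worker` files copied from their `-example` templates). This is editor-supplied code, not code from the Project-Security-Metrics repository. It generates fresh random values for `SECRET_KEY`, `DJANGO_SUPERUSER_PASSWORD` and `DB_PASSWORD` instead of leaving the template placeholders in place, and it writes the same database password into both the db and web files so the two cannot drift apart. Two things are assumptions rather than facts from the README: the templates are plain `KEY=value` lines, and the db template names its one password field `POSTGRES_PASSWORD` (the variable the official `postgres` image reads); adjust `DB_PASSWORD_KEY` if the template uses another name.

```python
"""Create docker/*/.env.dev.* from the *-example templates with fresh secrets.

Added example, not part of ossf/Project-Security-Metrics. Assumptions:
templates are KEY=value lines ('#' comments and blank lines allowed) and the
db template's password key is POSTGRES_PASSWORD (README only says "the password").
"""
import secrets
import stat
from pathlib import Path

DB_PASSWORD_KEY = "POSTGRES_PASSWORD"  # assumption, see module docstring


def random_secret(nbytes: int = 32) -> str:
    """URL-safe token from os.urandom; uses only A-Z a-z 0-9 - _ so it needs no quoting."""
    return secrets.token_urlsafe(nbytes)


def build_plan() -> dict[str, dict[str, str]]:
    """Map each target file (relative to the repo root) to the keys to overwrite."""
    db_password = random_secret()
    return {
        "docker/db/.env.dev.db": {DB_PASSWORD_KEY: db_password},
        "docker/web/.env.dev.web": {
            "SECRET_KEY": random_secret(50),          # Django signing key: long and random
            "DJANGO_SUPERUSER_PASSWORD": random_secret(24),
            "DB_PASSWORD": db_password,               # must equal the db file's password
        },
        "docker/worker/.env.dev.worker": {},          # README names no fields; copied as-is
    }


def render_env(template: str, overrides: dict[str, str]) -> str:
    """Return the template with the values of the keys in `overrides` replaced.

    Comments, blank lines and unrelated keys pass through unchanged. Raises
    KeyError if an override key never appears in the template, so a renamed
    variable cannot silently leave a placeholder password behind.
    """
    seen: set[str] = set()
    out: list[str] = []
    for line in template.splitlines():
        stripped = line.strip()
        key = stripped.partition("=")[0].strip() if "=" in stripped else ""
        if not key or stripped.startswith("#"):
            out.append(line)
            continue
        seen.add(key)
        out.append(f"{key}={overrides[key]}" if key in overrides else line)
    missing = set(overrides) - seen
    if missing:
        raise KeyError(f"template lacks expected keys: {sorted(missing)}")
    return "\n".join(out) + "\n"


def generate_env_files(repo_root: Path) -> list[Path]:
    """Write every missing .env.dev.* file; never overwrite one that already exists."""
    written: list[Path] = []
    for target, overrides in build_plan().items():
        dest = repo_root / target
        if dest.exists():
            continue  # keep the existing secrets; delete the file yourself to rotate them
        template = dest.with_name(dest.name + "-example")
        dest.write_text(render_env(template.read_text(), overrides))
        # 0600 so other local users cannot read the secrets (on Windows this only
        # toggles the read-only bit; rely on the NTFS ACL of your user profile there)
        dest.chmod(stat.S_IRUSR | stat.S_IWUSR)
        written.append(dest)
    return written


if __name__ == "__main__":
    for path in generate_env_files(Path.cwd()):
        print("wrote", path)
```

Run it once from the repository root before `start.ps1`; it leaves any `.env.dev.*` file that already exists untouched, so re-running it is safe and rotating a secret is an explicit act of deleting the file first.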