Closed another-rex closed 1 month ago
Hi @another-rex, could you please elaborate more on what the exact ask is? Is the ask to improve the scores in those areas where ORT currently seems to perform low? If so, let me comment on some of these:
could you please elaborate more what the exact ask is?
The ask is mostly to use the scorecard GitHub action https://scorecard.dev/#using-the-github-action to keep track of the score, and potentially put a scorecard badge with the score in your readme: https://github.com/ossf/scorecard/blob/main/README.md#scorecard-badges.
The idea is essentially letting potential users know whether the project roughly follows good practices, as a way to help users decide whether to make use of a project.
Is the ask to improve the scores in those areas where ORT currently seems to perform low
Thanks for the explanation! I think scorecard does a poor job of explaining the score range, but 6.6 is actually not bad! For example, other popular OSSF projects (e.g. Allstar) have 7.1. Scorecard tries to score for the general case, so scores like vulnerabilities don't really work for a project like this one with test vulnerabilities.
I'm adding both the action and badge in https://github.com/oss-review-toolkit/ort/pull/8860. @another-rex any idea why the badge shows a score of 6.1 when your manual run shows 6.6?
The reason the GitHub action score is a bit different is most likely because the scorecard-action has older dependencies compared to the main scorecard (the GitHub action's last release was May 20). A new release should be out soon for scorecard-action though.
Hello!
What is the feature you want to request?
OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of existing entrants.
We feel it helps boost the security credibility of the projects and products we're linking to.
Here are the results of a one-time run: