ossf / scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Apache License 2.0

dependabot tool not detected even though the file exists #235

Closed godofredoc closed 1 year ago

godofredoc commented 2 years ago

The flutter/samples repository scorecard runs fail to detect the dependabot file even though the file exists.

update tool detected:
Warn: dependabot config file not detected in source location.
We recommend setting this configuration in code so it can be easily verified by others.
Warn: renovatebot config file not detected in source location.
We recommend setting this configuration in code so it can be easily verified by others.
Click Remediation section below to solve this issue 

Running the scorecards application from docker returns the correct results:

docker run -e GITHUB_AUTH_TOKEN=$THE_TOKEN gcr.io/openssf/scorecard --show-details --repo=https://github.com/flutter/samples --verbosity=debug --checks=Dependency-Update-Tool

Starting [Dependency-Update-Tool]
Finished [Dependency-Update-Tool]

RESULTS

Aggregate score: 10.0 / 10

Check scores:

SCORE   | NAME                   | REASON               | DETAILS                                                 | DOCUMENTATION/REMEDIATION
10 / 10 | Dependency-Update-Tool | update tool detected | Info: Dependabot detected: .github/dependabot.yaml:1     | https://github.com/ossf/scorecard/blob/875b6f694efec2267a5f9da54ffabc51cec59de7/docs/checks.md#dependency-update-tool

Could this be related to some caching when generating the SARIF file?
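What "detected in source location" amounts to, as an added example that is not part of the issue or of scorecard's own code: the check looks for a checked-in config file at the locations the update tools document, so a `.github/dependabot.yaml` must match one of those paths exactly for the check to pass. The path lists below are this example's assumption (taken from the Dependabot and Renovate documentation), and the file listings are constructed, not the contents of flutter/samples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Checked-in config locations documented by Dependabot and Renovate.
// These lists are this example's assumption, not scorecard's own table.
var dependabotConfigs = []string{
	".github/dependabot.yml",
	".github/dependabot.yaml",
}

var renovateConfigs = []string{
	"renovate.json",
	"renovate.json5",
	".github/renovate.json",
	".github/renovate.json5",
	".renovaterc",
	".renovaterc.json",
	".renovaterc.json5",
}

// DetectUpdateTools takes repository-relative file paths (what a
// `git ls-files` listing gives) and returns the update tools whose config
// is present. Matching is exact and case-sensitive: "Dependabot.yml" or a
// dependabot.yml at the repo root is not a valid config and is ignored.
func DetectUpdateTools(files []string) []string {
	present := make(map[string]bool, len(files))
	for _, f := range files {
		// Normalise "./.github/x" and "/.github/x" to ".github/x".
		present[strings.TrimPrefix(path.Clean(f), "/")] = true
	}
	var tools []string
	if anyPresent(present, dependabotConfigs) {
		tools = append(tools, "Dependabot")
	}
	if anyPresent(present, renovateConfigs) {
		tools = append(tools, "RenovateBot")
	}
	return tools
}

func anyPresent(present map[string]bool, candidates []string) bool {
	for _, c := range candidates {
		if present[c] {
			return true
		}
	}
	return false
}

// Score mirrors the pass/fail nature of the check: any detected tool is a
// full score, none is zero (the two outcomes quoted in this issue).
func Score(tools []string) int {
	if len(tools) > 0 {
		return 10
	}
	return 0
}

func main() {
	// Constructed file listings, not taken from flutter/samples.
	repos := map[string][]string{
		"yaml-extension": {"README.md", ".github/dependabot.yaml", ".github/workflows/ci.yml"},
		"renovate-only":  {"package.json", ".github/renovate.json"},
		"wrong-location": {"dependabot.yml", ".github/Dependabot.yml"},
	}
	for name, files := range repos {
		tools := DetectUpdateTools(files)
		fmt.Printf("%-15s score=%2d/10 detected=%v\n", name, Score(tools), tools)
	}
}
```

Running this against a local checkout (`git ls-files | ...`) is a quick way to confirm that a config file really sits at an accepted path before suspecting the scanner; if the file matches here but an older scorecard container still reports it missing, the difference is in the scanner version, which is what the pinned-digest comparison later in this thread isolates.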

laurentsimon commented 2 years ago

Does it correctly return the results with this container https://github.com/ossf/scorecard-action/blob/v1.0.4/Dockerfile#L24? This is the container hash used for the latest action release (2+ months old).

godofredoc commented 2 years ago

Yes, it replicates with that hash:

docker run -e GITHUB_AUTH_TOKEN=$THE_TOKEN gcr.io/openssf/scorecard@sha256:8165ad910019422f40c51cbb97ff6e7db0e2e2e11faebf59e0b6f1a2eb66ebd7 --show-details --repo=https://github.com/flutter/samples --verbosity=debug --checks=Dependency-Update-Tool

Starting [Dependency-Update-Tool]
Finished [Dependency-Update-Tool]

RESULTS

Aggregate score: 0.0 / 10

Check scores:

SCORE  | NAME                   | REASON                  | DETAILS                                                                                                                                                                                                                                                                         | DOCUMENTATION/REMEDIATION
0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: dependabot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others. Warn: renovatebot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others. | https://github.com/ossf/scorecard/blob/c60b66bbc8b85286416d6ab9ae9324a095e66c94/docs/checks.md#dependency-update-tool

laurentsimon commented 2 years ago

Great. We're planning a release this month so you should get the proper results then.

azeemshaikh38 commented 1 year ago

@laurentsimon @godofredoc. Is this now fixed and could we close this?

godofredoc commented 1 year ago

We can close it, I don't see the error anymore. Thanks for the fix!