Closed godofredoc closed 1 year ago
Does it correctly return the results with this container https://github.com/ossf/scorecard-action/blob/v1.0.4/Dockerfile#L24? This is the container hash used for the latest action release (2+ months old).
Yes, it replicates with that hash:

```
docker run -e GITHUB_AUTH_TOKEN=$THE_TOKEN gcr.io/openssf/scorecard@sha256:8165ad910019422f40c51cbb97ff6e7db0e2e2e11faebf59e0b6f1a2eb66ebd7 --show-details --repo=https://github.com/flutter/samples --verbosity=debug --checks=Dependency-Update-Tool
Starting [Dependency-Update-Tool]
Aggregate score: 0.0 / 10
Check scores:
Finished [Dependency-Update-Tool]
```

SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
---|---|---|---|---|
0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: dependabot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others. Warn: renovatebot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others. | https://github.com/ossf/scorecard/blob/c60b66bbc8b85286416d6ab9ae9324a095e66c94/docs/checks.md#dependency-update-tool |
Great. We're planning a release this month so you should get the proper results then.
@laurentsimon @godofredoc. Is this now fixed and could we close this?
We can close it, I don't see the error anymore. Thanks for the fix!
The flutter/samples repository scorecard runs fail to detect the dependabot file even though the file exists.
Running the scorecards application from docker returns the correct results:
```
docker run -e GITHUB_AUTH_TOKEN=$THE_TOKEN gcr.io/openssf/scorecard --show-details --repo=https://github.com/flutter/samples --verbosity=debug --checks=Dependency-Update-Tool
Starting [Dependency-Update-Tool]
RESULTS
Aggregate score: 10.0 / 10
Check scores:
Finished [Dependency-Update-Tool]
```
Could this be related to some caching when generating the SARIF file?
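The file lookup the thread is arguing about, as an added example that is not Scorecard's own code: a small local re-implementation of the Dependency-Update-Tool check's detection, useful for confirming a checkout really has its config at a path the check can see before chasing the action or container version. The config file locations are an assumption based on the "dependabot config file" and "renovatebot config file" warnings above, not taken from the page.

```python
"""Local stand-in for Scorecard's Dependency-Update-Tool detection (added example,
not Scorecard code). Scores 10 when a dependabot/renovate config is present at an
expected path and 0 otherwise, emitting the same two warnings seen in the thread."""
import os
from dataclasses import dataclass, field

# Assumed repo-relative locations that count as a configured update tool.
DEPENDABOT_PATHS = (".github/dependabot.yml", ".github/dependabot.yaml")
RENOVATE_PATHS = (".github/renovate.json", ".github/renovate.json5",
                  "renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json")

WARN_TEMPLATE = ("{tool} config file not detected in source location. We recommend "
                 "setting this configuration in code so it can be easily verified by others.")


@dataclass
class CheckResult:
    score: int                 # 0 or 10, mirroring the Scorecard table
    reason: str
    warnings: list = field(default_factory=list)


def _normalize(path):
    """Make a path comparable: forward slashes, no leading './'."""
    path = path.replace(os.sep, "/")
    return path[2:] if path.startswith("./") else path


def check_dependency_update_tool(paths) -> CheckResult:
    """Evaluate the check over an iterable of repo-relative file paths."""
    present = {_normalize(p) for p in paths}
    found = [p for p in DEPENDABOT_PATHS + RENOVATE_PATHS if p in present]
    if found:
        return CheckResult(10, f"update tool detected: {found[0]}")
    warnings = [WARN_TEMPLATE.format(tool=t) for t in ("dependabot", "renovatebot")]
    return CheckResult(0, "no update tool detected", warnings)


def scan_checkout(root):
    """Yield repo-relative paths of a local checkout, skipping the .git directory."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            yield os.path.relpath(os.path.join(dirpath, name), root)


if __name__ == "__main__":
    import sys
    result = check_dependency_update_tool(scan_checkout(sys.argv[1] if len(sys.argv) > 1 else "."))
    print(f"{result.score} / 10 | Dependency-Update-Tool | {result.reason}")
    for warning in result.warnings:
        print("  Warn:", warning)
```

Run it against the checkout the action is scanning; a 10/10 here alongside a 0/10 from the action points at the action's container or cached data rather than the repository contents.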