ossf / scorecard-webapp

Website and API for OpenSSF Scorecard
https://scorecard.dev
Apache License 2.0

Feature - Human readable report to link to from scorecards badge #206

Open godofredoc opened 2 years ago

godofredoc commented 2 years ago

Is your feature request related to a problem? Please describe.
No, this is a feature request for generating a human readable report rather than printing json when clicking on the scorecard badge.

Describe the solution you'd like
Clicking on the scorecard badge redirects to json output e.g. link. It would be great if a human readable version could be generated from the json.

Describe alternatives you've considered
N/A

Additional context
Users clicking on the scorecard badge need to manually parse the json to understand what the project score means.

azeemshaikh38 commented 2 years ago

Thanks for the report @godofredoc. Should be doable by using JS to convert the JSON. I'm not too familiar with JS so I might be slow to get this fixed. If anyone else wants to take a shot at this, happy to give it over.

Moving to scorecard-webapp repo for better tracking.

CaseyHillers commented 2 years ago

@godofredoc can you expand on what would make this human readable?

ditman commented 2 years ago

It seems that badge results are linked to a JSON file.

Instead, it should link to a webpage that looks like part of the https://securityscorecards.dev website, and that's fit for human consumption and maybe, make the JSON file available somewhere from a link there too. Maybe have two links:

godofredoc commented 2 years ago

Ideally an html table presenting the name, description, score and a link to more docs but having a formatted json may be a good intermediate option.

Note: formatted json may need to go to a new API as there is some tooling that expects the json as a single string. @laurentsimon
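The table described above (check name, description, score, docs link), written as an added example rather than scorecard-webapp code. It assumes the Scorecard result JSON shape `{ repo: { name }, score, checks: [{ name, score, reason, documentation: { short, url } }] }`, and since the check reasons and doc strings come from the result file, it escapes every value and only emits http(s) documentation links:

```javascript
// Added example (not scorecard-webapp code): render a Scorecard result JSON
// as an HTML table. Assumed result shape:
// { repo: { name }, score, checks: [{ name, score, reason, documentation: { short, url } }] }.
// Check names, reasons and doc text come from the result file, not from the
// page itself, so every value is HTML-escaped before it reaches the DOM.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Only http(s) documentation links become hrefs; anything else is dropped.
function safeUrl(u) {
  try {
    const parsed = new URL(u);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
  } catch {
    return null;
  }
}

function renderScorecardTable(result) {
  const rows = (result.checks || []).map((c) => {
    // Scorecard uses -1 for inconclusive checks; show it as n/a, not a number.
    const score = Number.isFinite(c.score) && c.score >= 0 ? `${c.score}/10` : 'n/a';
    const doc = c.documentation || {};
    const url = safeUrl(doc.url);
    const link = url ? `<a href="${escapeHtml(url)}">docs</a>` : '';
    return `<tr><td>${escapeHtml(c.name)}</td><td>${escapeHtml(doc.short || '')}</td>` +
      `<td>${score}</td><td>${escapeHtml(c.reason || '')}</td><td>${link}</td></tr>`;
  });
  const repo = (result.repo && result.repo.name) || 'unknown';
  return `<h1>Scorecard for ${escapeHtml(repo)} (${escapeHtml(String(result.score))}/10)</h1>` +
    '<table><tr><th>Check</th><th>Description</th><th>Score</th><th>Reason</th><th>Docs</th></tr>' +
    rows.join('') + '</table>';
}

// Constructed sample input, shaped like a Scorecard result file (placeholder URLs).
const sampleResult = {
  repo: { name: 'github.com/example/project' },
  score: 6.5,
  checks: [
    { name: 'Binary-Artifacts', score: 10, reason: 'no binaries found in the repo',
      documentation: { short: 'Checks for committed binaries.',
        url: 'https://example.com/docs/checks#binary-artifacts' } },
    { name: 'Pinned-Dependencies', score: -1, reason: 'internal error: <script>alert(1)</script>',
      documentation: { short: 'Checks for unpinned deps.', url: 'javascript:alert(1)' } },
  ],
};
```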

ricardoamador commented 2 years ago

Looking at this more @ditman has the right approach. I can certainly modify the return data but I don't think that is the way to go about it. Better to make a webpage with either that formatted json or something prettier.

diogoteles08 commented 2 years ago

Hello people, just wanted to say that I'm glad this issue already exists and it should be very helpful. I was working to add the badge on the Angular project, and the reason why they have declined the PR seems to be closely related to this issue.

jakemac53 commented 2 years ago

+1 clicking the badge currently does not give you much context as to its meaning. I expected to get linked to a website, and a report. The website would have more information about the general meaning of the badge on it.

diogoteles08 commented 1 year ago

We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular

Would this be a definitive solution, or you are still working on a different one?

naveensrinivasan commented 1 year ago

We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular

Would this be a definitive solution, or you are still working on a different one?

@laurentsimon and I were thinking the same. Until Scorecards builds its UI, this is a good solution! Thanks for the suggestion.

ditman commented 1 year ago

The link to deps.dev is definitely better than the JSON file! Thanks for the message @diogoteles08!

(I think this issue should stay open until it is decided whether the scorecard-webapp will render a pretty output like deps.dev or not.)

((Also not all the repos seem to be available in deps.dev? Can't find flutter/packages for example :/))

joycebrum commented 1 year ago

Hi, I would like to bring feedback from a maintainer of systemd (see https://github.com/systemd/systemd/issues/25042#issuecomment-1534899228) that it is really important that the result linked to the badge be human readable. As mentioned, not all projects are available to be shown through deps.dev (even though they publish the results).

evverx commented 1 year ago

it is really important that the result linked to the badge be human readable

I think that, apart from that, to make it actually useful numerous scorecard false positives should be addressed as well. The official way of "fixing" them in the security dashboard doesn't work there because those results are raw and unfiltered.

evverx commented 1 year ago

With the debug option this feature would be even more important: https://github.com/ossf/scorecard-action/issues/176.

(before I forget it's related to https://github.com/systemd/systemd/pull/27530)

evverx commented 1 year ago

Looks like it should be addressed in https://github.com/ossf/scorecard/issues/2979

ditman commented 1 year ago

Looks like it should be addressed in https://github.com/ossf/scorecard/issues/2979

It does look pretty!