ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Improve Score Reporting: Dependency-Update-Tool irrelevant for projects without dependencies #2190

Open azeemshaikh38 opened 1 year ago

azeemshaikh38 commented 1 year ago

Projects which have no dependencies do not require a Dependency-Update-Tool check and we shouldn't penalize them for not using dependabot or renovatebot.

LappleApple commented 5 months ago

The "bug" element of this would be giving people a zero score when the check just isn't applicable. This means the "zero" score should be pulled out of the aggregate score.

spencerschrock commented 5 months ago

Which is usually what we use the inconclusive result (-1) for.
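To make the scoring consequence of the thread concrete, the following is an added example in Go (the language Scorecard is written in), not Scorecard's own aggregation code. It models a weighted average over check results in which a score of -1 marks a check as inconclusive and is dropped from both the numerator and the denominator. The check names, the scores and the per-check weights are assumptions constructed for the illustration; the point is the difference between scoring an inapplicable check as 0 and excluding it.

```go
package main

import "fmt"

// Inconclusive is the sentinel Scorecard uses for a check that could not be
// evaluated; here it also stands for "not applicable".
const Inconclusive = -1

// CheckResult is a simplified, constructed model of one check's outcome.
type CheckResult struct {
	Name   string
	Score  int     // 0..10, or Inconclusive
	Weight float64 // assumed risk weight for this example
}

// Aggregate returns the weighted mean of the applicable checks and reports
// whether any check was applicable at all. Inconclusive checks are skipped
// entirely, so a check that does not apply neither raises nor lowers the score.
func Aggregate(results []CheckResult) (float64, bool) {
	var sum, weights float64
	for _, r := range results {
		if r.Score == Inconclusive {
			continue
		}
		sum += float64(r.Score) * r.Weight
		weights += r.Weight
	}
	if weights == 0 {
		return 0, false
	}
	return sum / weights, true
}

// NoDependencyProject builds a constructed result set for a project with no
// dependencies. With penalize=true the Dependency-Update-Tool check is scored
// 0 (the behaviour the issue calls a bug); otherwise it is Inconclusive.
func NoDependencyProject(penalize bool) []CheckResult {
	dut := Inconclusive
	if penalize {
		dut = 0
	}
	return []CheckResult{
		{Name: "Binary-Artifacts", Score: 10, Weight: 7.5},
		{Name: "Branch-Protection", Score: 8, Weight: 7.5},
		{Name: "Dependency-Update-Tool", Score: dut, Weight: 7.5},
	}
}

func main() {
	for _, penalize := range []bool{true, false} {
		score, ok := Aggregate(NoDependencyProject(penalize))
		fmt.Printf("penalize=%v applicable=%v aggregate=%.1f\n", penalize, ok, score)
	}
}
```

With the constructed inputs the penalized variant aggregates to 6.0 and the inconclusive variant to 9.0, which is the gap the issue is about: a zero for a check that cannot apply drags the aggregate down, while -1 leaves the other checks to determine the score.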