Closed pnacht closed 1 year ago
I believe this is a bug with the API code. The JSON output when run from the scorecard binary looks good to me.
I'm guessing it's this line https://github.com/ossf/scorecard-webapp/blob/d26d8e627ebe31052b2c1353fa19d62f52a43839/app/generated/models/scorecard_check.go#L40.
which is generated code, so the real culprit would be https://github.com/ossf/scorecard-webapp/blob/main/openapi.yaml#L203. And we can get rid of the omitempty with x-omitempty
: "true|false: force the omitempty modifier in struct json and xml tags"
Describe the bug JSON output visibie in api.securityscorecards.dev/projects/[...] omits
"score": 0
from checks.Reproduction steps For example, see numpy's scores:
Some of these define the score within
reason
, but the actualscore
value is missing.Similar behavior with pandas:
CII-Best-Practices, Dependency-Update-Tool, Pinned-Dependencies, Signed-Releases and Token-Permissions checks.
Those two packages have the scorecard-action enabled, but others without it have the same behavior.
NixOS/nixpgs:
ansible:
In all cases, the checks would have resulted in a 0-score. And the JSON includes no
"score": 0
checks. Basically, if the score is zero, it's omitted.Is this a feature, not a bug?
Expected behavior All checks to include a
score
value, even if it's zero, to improve legibility and possible automation.