Open andrelmbackman opened 1 year ago
Thanks for the issue.
Given the description of Scorecard in https://github.com/ossf/scorecard#what-is-scorecard, I'm curious if "fork" is a best practice with a remediation for maintainers, or if the goal is mostly to detect malicious repositories - which is out of scope of Scorecard.
One possibility could be to report the information as part of repository metadata https://github.com/ossf/scorecard/blob/main/pkg/scorecard_result.go#L55 instead. The metadata is a list, and should probably be replaced by a map {isFork: true, etc}.
Or, if we want to have backward compatibility, maybe add it in repo https://github.com/ossf/scorecard/blob/main/pkg/scorecard_result.go#L41?
I think we would be reliant on GitHub for detection, and there's ways to make forks without keeping that metadata, so I'm not sure how useful it would be.
This issue is stale because it has been open for 60 days with no activity.
This issue has been marked stale because it has been open for 60 days with no activity.
Duplicate of #2352 - both may be addressed by starting with an isFork probe.
Is your feature request related to a problem? Please describe. It would be nice to have the scorecard evaluate whether or not the repository is a fork, if it has a parent etc. The security risk is that the project can be forked to a very similar name of the original and malicious code can be added (also called typosquatting).
Describe the solution you'd like I would simply add a check called Fork which scores high if the repository is not a fork and low if it is. Go-github has a Fork boolean in one of its structs as well as Parent and Source pointers, these would be utilized.
Describe alternatives you've considered Adding this functionality to the Client. That way it could be implemented in a probe, instead of making a completely new check.
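Added example, not Scorecard's or go-github's own code, of the isFork probe logic this request describes, run on a constructed GitHub API repository response: the `Repo` type is an assumed stand-in for go-github's Fork, Parent and Source fields, `ForkFinding` and `EvaluateFork` are hypothetical names, and the scoring (high for a non-fork, low for a fork) is the one the request proposes. As the earlier comment points out, the probe can only see what GitHub records, so a repository pushed from a plain clone carries no fork relationship and scores as an original.

```go
package main

import "encoding/json"

// Repo is a minimal stand-in (an assumption, not go-github's type) for the
// fork, parent and source fields of GitHub's repository response. Only what
// GitHub records is visible: a repo pushed from a plain clone has no fork link.
type Repo struct {
	FullName string `json:"full_name"`
	Fork     bool   `json:"fork"`
	Parent   *Repo  `json:"parent,omitempty"`
	Source   *Repo  `json:"source,omitempty"`
}

type ForkFinding struct {
	IsFork bool
	Parent string // direct parent, "" when none is recorded
	Source string // root of the fork chain, "" when none is recorded
	Score  int    // 10 when not a fork, 0 when a fork, as the issue proposes
}

// EvaluateFork applies the proposed check and reports the lineage so a
// reviewer can compare the fork's name against its parent's.
func EvaluateFork(r *Repo) ForkFinding {
	f := ForkFinding{IsFork: r.Fork, Score: 10}
	if r.Fork {
		f.Score = 0
	}
	if r.Parent != nil {
		f.Parent = r.Parent.FullName
	}
	if r.Source != nil {
		f.Source = r.Source.FullName
	}
	return f
}

// EvaluateForkJSON decodes a repository document as the API returns it.
func EvaluateForkJSON(data []byte) (ForkFinding, error) {
	var r Repo
	if err := json.Unmarshal(data, &r); err != nil {
		return ForkFinding{}, err
	}
	return EvaluateFork(&r), nil
}

// Constructed sample: a fork under a look-alike owner name ("examp1e-org").
const sampleFork = `{"full_name":"examp1e-org/widget","fork":true,
 "parent":{"full_name":"example-org/widget","fork":false},
 "source":{"full_name":"example-org/widget","fork":false}}`
```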