ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.62k stars, 503 forks

BUG: Didn't recognize CII Best Practice Badge of repository #3442

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Describe the bug

Scorecard is failing to detect the CII Best Practices Badge for the project github.com/AcademySoftwareFoundation/openexr.

Reproduction steps

  1. Run the following command to run Scorecard on project github.com/AcademySoftwareFoundation/openexr
    scorecard --repo=http://github.com/AcademySoftwareFoundation/openexr --checks=CII-Best-Practices --show-details --format=json | jq .
  2. Note that the project scores 0/10, but it has the badge in its readme, and it can also be found on the CII Best Practices website.

Expected behavior

The project should receive a 5/10 on the CII Best Practices check, as they have a passing badge.

diogoteles08 commented 1 year ago

Issue was exposed/discussed in https://github.com/AcademySoftwareFoundation/openexr/pull/1535 cc @cary-ilm

raghavkaul commented 1 year ago

It looks like the badge is for github.com/openexr/openexr, but scorecard uses the current URL to look up, which fails.

@david-a-wheeler If this maintainer changes their project's GitHub URL on bestpractices.dev, would https://bestpractices.coreinfrastructure.org/projects.json reflect those changes?
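
The mismatch described above can be reproduced offline with a small Go lookup routine. This is an added illustration, not Scorecard's own code: it models a badge record with the two fields quoted later in the thread (`repo_url`, and the badge level), normalizes repository URLs before comparing them, and accepts an optional list of former URLs the repository is known to have lived at. The sample record for project 2799 uses the repo_url given in the thread; the `BadgeLevel` field name and the "former URL" mechanism are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// BadgeProject holds the parts of a bestpractices.dev project record that
// matter for the lookup. Field naming is this example's own, not Scorecard's.
type BadgeProject struct {
	ID         int
	RepoURL    string // the repo_url field of the project record
	BadgeLevel string // e.g. "passing"
}

// sampleProjects is constructed for this example. Only the repo_url and the
// "passing" level for project 2799 come from the thread; the rest is made up.
var sampleProjects = []BadgeProject{
	{ID: 2799, RepoURL: "https://github.com/openexr/openexr", BadgeLevel: "passing"},
	{ID: 1, RepoURL: "https://github.com/example-org/example-repo.git", BadgeLevel: "passing"},
}

// normalizeRepoURL reduces a repository URL to "host/owner/repo" so that
// differences in scheme, case, "www.", a trailing slash or a ".git" suffix
// do not defeat the comparison. A mismatch that survives normalization is a
// genuinely different repository path, such as an old owner after a move.
func normalizeRepoURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // bare "github.com/owner/repo" is accepted too
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(strings.TrimPrefix(u.Host, "www."))
	path := strings.ToLower(u.Path)
	path = strings.TrimSuffix(path, "/")
	path = strings.TrimSuffix(path, ".git")
	if host == "" || path == "" || path == "/" {
		return "", fmt.Errorf("not a repository URL: %q", raw)
	}
	return host + path, nil
}

// LookupBadge returns the badge record whose repo_url matches any of the
// candidate URLs. Callers pass the current repository URL first and may add
// former URLs the repository redirects from; with only the current URL, a
// record still pointing at the old owner is not found, which is the 0/10
// result reported in this issue.
func LookupBadge(projects []BadgeProject, candidates ...string) (BadgeProject, bool) {
	wanted := make(map[string]bool, len(candidates))
	for _, c := range candidates {
		if n, err := normalizeRepoURL(c); err == nil {
			wanted[n] = true
		}
	}
	for _, p := range projects {
		n, err := normalizeRepoURL(p.RepoURL)
		if err != nil {
			continue // skip malformed records rather than failing the whole lookup
		}
		if wanted[n] {
			return p, true
		}
	}
	return BadgeProject{}, false
}

func main() {
	current := "http://github.com/AcademySoftwareFoundation/openexr"
	if _, ok := LookupBadge(sampleProjects, current); !ok {
		fmt.Println("current URL only: no badge found (the reported behaviour)")
	}
	if p, ok := LookupBadge(sampleProjects, current, "https://github.com/openexr/openexr"); ok {
		fmt.Printf("with former URL: project %d, badge %s\n", p.ID, p.BadgeLevel)
	}
}
```

The point the routine makes concrete is that no amount of URL normalization helps when the owner segment itself has changed: the lookup only succeeds once either the badge record is updated, as happened later in this thread, or the consumer knows the repository's former URL.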

david-a-wheeler commented 1 year ago

@raghavkaul - it's supposed to reflect those changes! I took a look, here's what I see so far:

OpenEXR is at https://www.bestpractices.dev/en/projects/2799, with these fields:

I requested the JSON data at https://www.bestpractices.dev/projects/2799.json and received this in the JSON:

homepage_url: "https://www.openexr.com",
repo_url: "https://github.com/openexr/openexr"

So the JSON and website data are consistent. I notice those repo URLs redirect to https://github.com/AcademySoftwareFoundation/openexr. That should be okay.

If you edited the repo field and it didn't "stick", let me know & I'll fix it. We're a little picky about repo URL changes, because there are some attacks that can exploit that.

raghavkaul commented 1 year ago

Thanks David - @diogoteles08 , if the maintainer could update their best practices page, that would be ideal - I can't see a great way for Scorecard to follow the redirect backwards.

cary-ilm commented 1 year ago

Oops, looks like the form did not get updated when we moved the repo to the AcademySoftwareFoundation GitHub organization. I've updated that URL, and the other entries that were out of date.

david-a-wheeler commented 1 year ago

No problem!! It looks like the badge entry was updated without incident. As far as I can tell all is well. Is there anything else I can help with? Or can we close this issue?

raghavkaul commented 1 year ago

I can confirm scorecard now detects the repo's passing badge. So, closing.