ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.58k stars 497 forks

BUG: Didn't recognize CII Best Practice Badge of repository #3466

Open rootxrishabh opened 1 year ago

rootxrishabh commented 1 year ago

Describe the bug
Scorecard is failing to detect the CII Best Practices Badge for the project https://github.com/kubearmor/KubeArmor

Reproduction steps
Steps to reproduce the behavior:

  1. The project scores 0/10, but it has the badge in its readme, and it can also be found on the CII Best Practices website.

Expected behavior
The project should receive a 5/10 on the CII Best Practices check, as they have a passing badge.

gabibguti commented 1 year ago

Hey @rootxrishabh! Thanks for reporting, I will investigate your problem.

gabibguti commented 1 year ago

Looks like the latest version of ossf/scorecard, v4.12.0, is correctly scoring 5/10 for CII-Best-Practices. Ref: https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor

You are using v2.1.2 of ossf/scorecard-action. https://github.com/kubearmor/KubeArmor/blob/main/.github/workflows/scorecard.yml#L40

May we try updating to v2.2.0?

uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0

Ref: https://github.com/ossf/scorecard-action/releases/tag/v2.2.0
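The suggested line pins the action to a full commit SHA and records the human-readable version in a trailing comment. The following is an added example in Go (not scorecard's or KubeArmor's own code) that scans workflow `uses:` lines and reports any third-party action that is pinned to a tag or branch instead of a 40-hex commit SHA. The workflow fragment, type and function names are constructed for illustration; the pinned line reuses the SHA quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleWorkflow is a constructed fragment, not KubeArmor's real
// scorecard.yml. The scorecard-action line is the one suggested in the
// thread; the checkout line is pinned to a mutable tag on purpose.
const sampleWorkflow = `
jobs:
  analysis:
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v3
      - name: "Run analysis"
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: results.sarif
      - uses: ./.github/actions/local-thing
`

// UsesRef is one parsed "uses:" entry.
type UsesRef struct {
	Action  string // e.g. ossf/scorecard-action
	Ref     string // tag, branch or commit SHA after '@'
	Comment string // trailing "# v2.2.0" annotation, if any
	Pinned  bool   // true only when Ref is a full 40-hex commit SHA
}

var (
	// optional list dash, "uses:", the action spec, optional "# comment"
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ParseUsesLine extracts the action reference from a single workflow line.
// ok is false for lines that are not "uses:" entries.
func ParseUsesLine(line string) (UsesRef, bool) {
	m := usesRe.FindStringSubmatch(line)
	if m == nil {
		return UsesRef{}, false
	}
	spec := m[1]
	u := UsesRef{Comment: strings.TrimSpace(m[2])}
	if at := strings.LastIndex(spec, "@"); at >= 0 {
		u.Action, u.Ref = spec[:at], spec[at+1:]
	} else {
		u.Action = spec // local or unversioned action, no ref at all
	}
	u.Pinned = shaRe.MatchString(u.Ref)
	return u, true
}

// UnpinnedActions returns every third-party action (local ./ paths are
// skipped) whose ref is not a full commit SHA, as "action@ref".
func UnpinnedActions(workflow string) []string {
	var out []string
	for _, line := range strings.Split(workflow, "\n") {
		u, ok := ParseUsesLine(line)
		if !ok || strings.HasPrefix(u.Action, "./") {
			continue
		}
		if !u.Pinned {
			out = append(out, u.Action+"@"+u.Ref)
		}
	}
	return out
}

func main() {
	for _, a := range UnpinnedActions(sampleWorkflow) {
		fmt.Println("unpinned:", a) // prints: unpinned: actions/checkout@v3
	}
}
```

A tag such as `v3` can be moved by the action's maintainer (or by anyone who compromises that repository), whereas a commit SHA is immutable; the version comment exists only so a human or a bot such as Dependabot can tell which release the SHA corresponds to.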

rootxrishabh commented 1 year ago

Hey @gabibguti, thank you for the information. I have opened a PR for the same.

rootxrishabh commented 1 year ago

Hey @gabibguti, changing the version to v4.12.0 seems more appropriate. Can you give me the val for 4.12.0 instead of 2.2.0?

rootxrishabh commented 1 year ago

NVM, looks like 2.2.0 is the latest release.

gabibguti commented 1 year ago

Yes, 2.2.0 is the latest release of Scorecard action, which corresponds to Scorecard 4.12.0.

gabibguti commented 1 year ago

Hey @rootxrishabh! It seems like the repository results are being uploaded to:
https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor
instead of:
https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/kubearmor

I'm checking why this case-sensitive difference is happening but, meanwhile, I think we can update the link for the Scorecard badge in the kubearmor README.md. The first link seems to be reflecting the scores fine, including detecting the CII-Best-Practices badge.

spencerschrock commented 1 year ago

The difference in the two results is due to capitalization in two places:

  1. The scorecard API is case sensitive apparently, and we do it differently in two different places, which is why @gabibguti's links above give different scores. The fix is easy, but I would need to think about how to do the data renaming.
  2. The best practices API is also case sensitive, and will require fixing upstream.
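GitHub owner and repository names are case-insensitive, so a results index keyed on the raw URI string will split one project across two entries (`kubearmor/KubeArmor` and `kubearmor/kubearmor`) exactly as described above. The following is an added example in Go, not scorecard's code and not the fix the maintainers eventually chose: it canonicalizes a repository reference before it is used as a key, so both spellings resolve to the same stored result. `CanonicalRepoKey`, `ResultStore` and the accepted URI forms are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// CanonicalRepoKey folds a GitHub repository reference into one lookup key.
// GitHub owner and repository names are case-insensitive, so
// github.com/kubearmor/KubeArmor and github.com/kubearmor/kubearmor must
// produce the same key. Accepted forms (an assumption for this example):
// "owner/repo", "github.com/owner/repo", "https://github.com/owner/repo.git"
// and any of those with a trailing slash. Anything else is rejected rather
// than guessed at.
func CanonicalRepoKey(uri string) (string, bool) {
	s := strings.ToLower(strings.TrimSpace(uri))
	for _, p := range []string{"https://", "http://", "www.", "github.com/"} {
		s = strings.TrimPrefix(s, p)
	}
	s = strings.TrimSuffix(s, "/")
	s = strings.TrimSuffix(s, ".git")
	parts := strings.Split(s, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", false
	}
	return "github.com/" + parts[0] + "/" + parts[1], true
}

// ResultStore is a toy stand-in for a results index keyed by repository.
// Put and Get both go through CanonicalRepoKey, so a result uploaded under
// one spelling is found under any other spelling of the same repository.
type ResultStore struct {
	scores map[string]int
}

func NewResultStore() *ResultStore { return &ResultStore{scores: map[string]int{}} }

func (r *ResultStore) Put(uri string, score int) error {
	key, ok := CanonicalRepoKey(uri)
	if !ok {
		return fmt.Errorf("unrecognised repository reference %q", uri)
	}
	r.scores[key] = score
	return nil
}

func (r *ResultStore) Get(uri string) (int, bool) {
	key, ok := CanonicalRepoKey(uri)
	if !ok {
		return 0, false
	}
	score, found := r.scores[key]
	return score, found
}

func main() {
	store := NewResultStore()
	_ = store.Put("github.com/kubearmor/KubeArmor", 5) // uploaded under mixed case
	score, found := store.Get("github.com/kubearmor/kubearmor")
	fmt.Println(score, found) // prints: 5 true
}
```

Canonicalizing at the boundary is the usual answer to a case-sensitive key mismatch; the part this example does not cover is the data migration the comment above mentions, where results already stored under both spellings have to be merged, and the upstream Best Practices API lookup, which the thread notes is also case-sensitive and has to be fixed there.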