ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Dependency pinning enhancement #383

Open laurentsimon opened 3 years ago

laurentsimon commented 3 years ago

The Pinning-Dep check looks for known file names for various languages. However, as soon as it finds one, it returns success. Some repos may contain more than one language -- the Tink crypto library is an example, protobuf is another one.

We could use the language APIs to automatically detect the languages used, and validate that the filenames we find correspond to the languages used. We need not check all languages, but only the prominent ones used in the repo.

Note that the language API does not give us the folders that contain the code. So an alternative approach may be to list all files and count their LoC ourselves instead.

This will allow scorecard to report what languages we tested the repo for and which folders passed the tests. We may report a score that is the percentage of lines of code 'pinned' over the number of lines non 'pinned'. Running scorecard on envoy currently fails to detect the following files since we only check for files in the root folder.

name ci/flaky_test/requirements.txt
name configs/requirements.txt
name docs/requirements.txt
name examples/grpc-bridge/client/requirements.txt
name source/common/common/compiler_requirements.h
name source/extensions/filters/network/kafka/requirements.txt
name test/extensions/filters/network/thrift_proxy/requirements.txt
name tools/code_format/requirements.txt
name tools/config_validation/requirements.txt
name tools/dependency/requirements.txt
name tools/deprecate_features/requirements.txt
name tools/deprecate_version/requirements.txt
name tools/envoy_headersplit/requirements.txt
name tools/github/requirements.txt
name tools/protodoc/requirements.txt
name tools/testing/requirements.txt

This suggests that long-term, it would be useful to have a comprehensive config file for each repo.

Related to #404 #403

laurentsimon commented 3 years ago

An idea could be to search for dependency files, and when we find one, look for the corresponding lock files that should live in the same folder. Everything that lives outside this folder could be considered not pinned. We can then compute the percentage of LoC that is pinned vs non-pinned; and use this as a score.

@jeffmendoza FYI
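As an added example of the folder-based scoring sketched in this comment (not scorecard's own code; written in Go because scorecard is): it finds dependency manifests anywhere in the tree rather than only at the root, treats a folder as pinned only when a matching lock file sits beside its manifest, and scores the repo as the percentage of lines of code under pinned folders. The lockFor table and the Sample tree are assumptions constructed for this example.

```go
package main

import "path"

// lockFor: manifest name -> lock files that mark its folder as pinned (assumed mapping, not scorecard's own table).
var lockFor = map[string][]string{
	"package.json": {"package-lock.json", "yarn.lock"},
	"go.mod":       {"go.sum"},
	"Pipfile":      {"Pipfile.lock"},
}

// PinnedLoC takes files as path -> line count, finds manifests anywhere in the
// tree (not only the root) and attributes each file to its nearest enclosing
// manifest folder: pinned if that manifest has a lock file, otherwise not.
func PinnedLoC(files map[string]int) (pinned, total int, pct float64) {
	locked := map[string]bool{} // manifest folder -> lock file present
	for p := range files {
		locks, ok := lockFor[path.Base(p)]
		if !ok {
			continue
		}
		dir := path.Dir(p)
		for _, l := range locks {
			_, found := files[path.Join(dir, l)]
			locked[dir] = locked[dir] || found // registers dir even when unlocked
		}
	}
	for p, loc := range files {
		total += loc
		for dir := path.Dir(p); ; dir = path.Dir(dir) {
			if isLocked, has := locked[dir]; has {
				if isLocked {
					pinned += loc
				}
				break
			}
			if dir == "." || dir == "/" {
				break // reached the root without finding a manifest: not pinned
			}
		}
	}
	if total > 0 {
		pct = 100 * float64(pinned) / float64(total)
	}
	return pinned, total, pct
}

// Sample is a constructed tree: svc/ is locked, tools/ has a manifest without a lock file, docs/ has no manifest.
var Sample = map[string]int{
	"svc/go.mod": 5, "svc/go.sum": 20, "svc/main.go": 100,
	"tools/package.json": 10, "tools/index.js": 60, "docs/gen.py": 30,
}
```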

laurentsimon commented 3 years ago

@asraa FYI