scorecard-webapp

Feature - Human readable report to link to from scorecards badge

Open godofredoc opened this issue 3 years ago • 15 comments

Is your feature request related to a problem? Please describe.
No, this is a feature request for generating a human readable report rather than printing json when clicking on the scorecard badge.

Describe the solution you'd like
Clicking on the scorecard badge redirects to json output e.g. link. It would be great if a human readable version could be generated from the json.

Describe alternatives you've considered
N/A

Additional context
Users clicking on the scorecard badge need to manually parse the json to understand what the project score means.

godofredoc avatar Sep 09 '22 01:09 godofredoc

Thanks for the report @godofredoc. Should be doable by using JS to convert the JSON. I'm not too familiar with JS so I might be slow to get this fixed. If anyone else wants to take a shot at this, happy to give it over.

Moving to scorecard-webapp repo for better tracking.

azeemshaikh38 avatar Sep 14 '22 22:09 azeemshaikh38

@godofredoc can you expand on what would make this human readable?

CaseyHillers avatar Oct 06 '22 17:10 CaseyHillers

It seems that badge results are linked to a JSON file.

Instead, it should link to a webpage that looks like part of the https://securityscorecards.dev website and is fit for human consumption, and maybe make the JSON file available somewhere from a link there too. Maybe have two links:

  • https://api.securityscorecards.dev/projects/github.com/ossf/scorecard for machines (this already exists)
  • https://securityscorecards.dev/projects/github.com/ossf/scorecard for humans (renders html, this doesn't exist)

ditman avatar Oct 06 '22 18:10 ditman

Ideally an html table presenting the name, description, score and a link to more docs, but having a formatted json may be a good intermediate option.

Note: formatted json may need to go to a new API as there is some tooling that expects the json as a single string. @laurentsimon

godofredoc avatar Oct 06 '22 18:10 godofredoc
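A sketch of the JS-rendered table godofredoc describes above, added here as an example and not code from the scorecard-webapp project; the JSON field names (score, repo.name, checks[].name/score/reason/documentation.url) are assumed. Check reasons and documentation URLs originate from repository content, so the renderer escapes them and only emits http(s) links.

```javascript
// Added example (not scorecard-webapp code): render a Scorecard result JSON
// document as an HTML table of check name, score, reason and docs link.
// Field names (score, repo.name, checks[].name/score/reason/documentation.url)
// are an assumption about the scorecard JSON output.

// Escape untrusted strings before interpolating them into HTML. Check reasons
// come from the scanned repository, so they must never be inserted raw.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only http(s) documentation links become anchors; anything else is dropped.
function safeDocLink(url) {
  try {
    const u = new URL(url);
    if (u.protocol === "https:" || u.protocol === "http:") {
      return `<a href="${escapeHtml(u.href)}">docs</a>`;
    }
  } catch (_) { /* not a parseable URL */ }
  return "";
}

function renderScorecardTable(result) {
  const rows = (result.checks || []).map((c) => {
    // Scorecard reports -1 when a check could not be evaluated.
    const score = c.score < 0 ? "n/a" : `${c.score}/10`;
    return `<tr><td>${escapeHtml(c.name)}</td><td>${score}</td>` +
      `<td>${escapeHtml(c.reason || "")}</td>` +
      `<td>${safeDocLink(c.documentation && c.documentation.url)}</td></tr>`;
  });
  return `<h1>${escapeHtml(result.repo.name)}: ${escapeHtml(result.score)}/10</h1>` +
    `<table><tr><th>Check</th><th>Score</th><th>Reason</th><th>Docs</th></tr>` +
    rows.join("") + `</table>`;
}

// Constructed sample input in the assumed scorecard JSON shape, including a
// hostile reason string and a non-http link to show the escaping at work.
const sampleResult = {
  repo: { name: "github.com/example/repo" },
  score: 6.2,
  checks: [
    { name: "Binary-Artifacts", score: 10, reason: "no binaries found in the repo",
      documentation: { url: "https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts" } },
    { name: "Dangerous-Workflow", score: -1, reason: "<script>alert(1)</script>",
      documentation: { url: "javascript:alert(1)" } },
  ],
};
```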

Looking at this more @ditman has the right approach. I can certainly modify the return data but I don't think that is the way to go about it. Better to make a webpage with either that formatted json or something prettier.

ricardoamador avatar Oct 07 '22 23:10 ricardoamador

Hello people, just wanted to say that I'm glad this issue already exists and it should be very helpful. I was working to add the badge on the Angular project, and the reason why they have declined the PR seems to be closely related to this issue.

diogoteles08 avatar Oct 14 '22 17:10 diogoteles08

+1 clicking the badge currently does not give you much context as to its meaning. I expected to get linked to a website, and a report. The website would have more information about the general meaning of the badge on it.

jakemac53 avatar Oct 17 '22 22:10 jakemac53

We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular

Would this be a definitive solution, or are you still working on a different one?

diogoteles08 avatar Jan 18 '23 14:01 diogoteles08

> We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular
>
> Would this be a definitive solution, or are you still working on a different one?

@laurentsimon and I were thinking the same. Until Scorecards builds its UI, this is a good solution! Thanks for the suggestion.

naveensrinivasan avatar Jan 18 '23 16:01 naveensrinivasan

The link to deps.dev is definitely better than the JSON file! Thanks for the message @diogoteles08!

(I think this issue should stay open until it is decided whether the scorecard-webapp will render a pretty output like deps.dev or not.)

((Also not all the repos seem to be available in deps.dev? Can't find flutter/packages for example :/))

ditman avatar Jan 19 '23 21:01 ditman

Hi, I would like to bring feedback from a systemd maintainer (see https://github.com/systemd/systemd/issues/25042#issuecomment-1534899228) that it is really important for the result linked to the badge to be human readable. As mentioned, not all projects are available to be shown through deps.dev (even though they publish the results).

joycebrum avatar May 04 '23 16:05 joycebrum

> it is really important for the result linked to the badge to be human readable

I think that apart from that to make it actually useful numerous scorecard false positives should be addressed as well. The official way of "fixing" them in the security dashboard doesn't work there because those results are raw and unfiltered.

evverx avatar May 05 '23 16:05 evverx

With the debug option this feature would be even more important: https://github.com/ossf/scorecard-action/issues/176.

(before I forget it's related to https://github.com/systemd/systemd/pull/27530)

evverx avatar May 06 '23 16:05 evverx

Looks like it should be addressed in https://github.com/ossf/scorecard/issues/2979

evverx avatar May 09 '23 23:05 evverx

> Looks like it should be addressed in https://github.com/ossf/scorecard/issues/2979

It does look pretty!

ditman avatar May 09 '23 23:05 ditman