Dependabot link in alert is 404, and false positive
Describe the bug
A Dependency-Update-Tool alert contains a link to
https://dependabot.com/docs/config-file/
which now redirects to
https://github.com/docs/config-file/
which is 404.
Expected behavior
Perhaps a link to https://github.com/dependabot would be appropriate, though it seems different based on the URL.
Additional context
I have configured dependabot via GitHub's Security tab, but my project is still failing the Dependency-Update-Tool check. GitHub didn't ask me to put a config file anywhere. How does Scorecard detect such uses of dependabot?
This is a bit old but may be relevant: GitHub acquires Dependabot - 2019-05-23 - Crunchbase Acquisition Profile
Thanks. Would you be interested in fixing it by sending a PR?
If I'm not mistaken, there are different settings:
- create a dependabot.yml config file to allow updates for dependencies.
- enable the settings, selecting options to enable Dependabot alerts and security updates. Also enable secret scanning if it is available.
So although these are all called "dependabot", they are different features, IIUC.
I think you need both to have a comprehensive dependabot installation. We currently only check for option 1.
@josepalafox will have a better understanding. Let's amend our documentation and improve the check once we have clarification.
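For readers hitting the same check failure, here is what option 1 above looks like in practice. This is an example added by the editor, not code from this thread or from the Scorecard project. It assumes the repository's dependencies are Python packages declared in pyproject.toml and GitHub Actions referenced from workflows under .github/workflows (the ecosystems the reporter's dependency graph lists later in this thread); the weekly schedule is an assumed choice. The file lives at `.github/dependabot.yml` in the default branch.

```yaml
# .github/dependabot.yml
# Added example (not from this thread). Enables Dependabot version updates,
# i.e. the feature that opens pull requests to bump dependencies.
version: 2
updates:
  # Python dependencies declared in pyproject.toml at the repository root
  # (ecosystem assumed from the reporter's dependency graph).
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # Actions referenced by workflow files under .github/workflows
  # (directory is "/" for this ecosystem; schedule is an assumed choice).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Option 2 in the list above (Dependabot alerts and security updates) is toggled in the repository's Security settings and, as the reporter notes, produces no file in the repository, so a repo with only those settings enabled has nothing for a config-file-based check to find.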
Thanks, @naveensrinivasan. I'd be happy to, but I'm not actually finding it right now in a search. I do see a commit 062e33ba2984cea2 that seems related, but haven't tracked down how that fits into the logic, or even if that is fixed but not deployed, or what.
@laurentsimon - good description of the subtleties. It would indeed help to be clearer about that in the docs.
The text "no update tool detected" was easy for me to interpret as the absence of any sort of "security update" tool to scan for issues during updates, though it does make more sense as a tool to automate the offering of PRs to update dependencies.
Clarifying that Scorecard checks for both (as it indeed should) would be most helpful.
GitHub could also be clearer about how to verify this and the benefits of the active update options. After lots of digging I wasn't very clear on it.
For more context, I'm looking at About Dependabot alerts - GitHub Docs. It has a checklist of sorts:
Dependabot performs a scan to detect vulnerable dependencies and sends Dependabot alerts when:
It seemed like a false positive because I looked at the Security tab overview, and it says "Dependabot alerts — Active". Then when I view "Dependabot alerts" it just says "Welcome to Dependabot alerts!" - again, no suggestion that it isn't fully configured and active. Digging into the GitHub "Insights" tab, I look at the "Dependency graph" and it notes that my dependencies are defined in pyproject.toml and …/workflows/scorecards.yml.
When I continue to dig to the dependabot subtab of that page, I see "Dependabot version updates aren't configured yet", but that seems optional: "Dependabot creates pull requests to keep your dependencies up-to-date."
This isn't applicable anymore. This has been addressed.