BUG api.securityscorecards.dev returning wrong documentation link for CII best practices

Open Abdur-rahmaanJ opened this issue 3 years ago • 3 comments

Describe the bug

https://api.securityscorecards.dev/projects/github.com/pyhoneybot/honeybot returns, among others:

{
      "details": null,
      "score": 0,
      "reason": "no badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/3155d134e59d8f47261b1ae9d143034c69572227/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has a CII Best Practices Badge."
      }
    },

But, https://github.com/ossf/scorecard/blob/3155d134e59d8f47261b1ae9d143034c69572227/docs/checks.md#cii-best-practices does not return anything

Json output: honeybot.txt

Abdur-rahmaanJ, Aug 03 '22 11:08

Interesting find. For some reason the commitSHA points to a commit in scorecard-action repo - https://github.com/ossf/scorecard-action/commit/3155d134e59d8f47261b1ae9d143034c69572227. Need to investigate more. Thanks for the report.

azeemshaikh38, Aug 03 '22 13:08

Np, I am a bit lazy to dive in myself.

Abdur-rahmaanJ, Aug 03 '22 15:08

Looks like a problem with how scorecard-action propagates the runtime environment to scorecard. I can take a look further.

raghavkaul, Aug 23 '22 21:08

Not sure when this was fixed, but no longer occurring as of December 2022 ish. https://api.securityscorecards.dev/projects/github.com/ossf/scorecard?commit=9e6870cc4cc40ef542651d0775c0888163f05e17

spencerschrock, Nov 09 '23 19:11