Scanning alert proposes unsupported remediation
Describe the bug
Here’s a scanning alert: https://github.com/jenstroeger/python-package-template/security/code-scanning/38
It suggests using pip with a hash instead of a pinned version. Alas, pip install does not have such a feature. While I understand the intention of the alert, we have good reason to pin instead of using a hash (doesn’t work) or a lock file/requirements.txt (too much clutter).
Expected behavior
No alert, or at least a better message.
Additional context
I’m tempted to say that this alert is a false positive; probably not, in which case the messaging ought to be clarified.
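For readers of this thread, an added example (not the reporter's code and not the Scorecard project's implementation) illustrating the distinction the alert draws between a version pin and a hash pin. pip verifies artifact hashes only in hash-checking mode, which is enabled by `--require-hashes` or by `--hash=sha256:...` entries in a requirements file; `pkg==1.2.3` on its own is a version pin. The classifier below is a deliberately simplified stand-in for the check, the workflow lines it reads are constructed, and `hash_pin_line` shows the requirements-file form that hash-checking mode consumes:

```shell
#!/bin/sh
# Added example, not from the issue or from Scorecard. Two helpers:
#   classify_pip_line  - labels a workflow "run:" line the way the alert
#                        distinguishes it (simplified stand-in, not the real check)
#   hash_pin_line      - builds a hash-pinned requirements entry for a local file,
#                        i.e. the form pip's --require-hashes mode accepts

# classify_pip_line LINE -> prints one of: not-pip | unpinned | version-pinned | hash-pinned
# Simplification: "-r requirements.txt" without --require-hashes is treated as
# unpinned, because the line alone does not prove the file carries hashes.
classify_pip_line() {
    line=$1
    case "$line" in
        *"pip install"*|*"pip3 install"*) ;;
        *) echo "not-pip"; return 0 ;;
    esac
    case "$line" in
        *--require-hashes*|*--hash=sha256:*) echo "hash-pinned"; return 0 ;;
    esac
    case "$line" in
        *==*) echo "version-pinned"; return 0 ;;
    esac
    echo "unpinned"
}

# hash_pin_line NAME VERSION FILE -> "NAME==VERSION --hash=sha256:<hex>"
# sha256sum is the usual Linux tool; shasum is the fallback on macOS.
hash_pin_line() {
    name=$1; version=$2; file=$3
    if command -v sha256sum >/dev/null 2>&1; then
        hex=$(sha256sum "$file" | cut -d' ' -f1)
    else
        hex=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    printf '%s==%s --hash=sha256:%s\n' "$name" "$version" "$hex"
}

# Constructed sample workflow lines (not taken from any real repository).
demo_lines='run: pip install requests
run: pip install requests==2.31.0
run: python -m pip install --require-hashes -r requirements.txt
run: npm ci'

printf '%s\n' "$demo_lines" | while IFS= read -r l; do
    printf '%-18s %s\n' "$(classify_pip_line "$l")" "$l"
done
```

The hex that `hash_pin_line` emits is the same value `pip hash <file>` prints, so a requirements file built this way can be installed with `pip install --require-hashes -r requirements.txt`; in that mode pip refuses any requirement that lacks a hash or whose downloaded artifact does not match.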
Hi, thanks for the report.
In your use case, the workflow has low privilege (pull_request trigger with only read permissions, no secrets available), so I agree scorecard should be handling this better. We have a tracking issue in https://github.com/ossf/scorecard/issues/2018
Please let me know if this would address the problem.
@raghavkaul this would fall under the Impact field we described in https://github.com/ossf/scorecard/issues/1874