Improve Score Reporting: Signed-Releases looks at old release data
In some cases, the Signed-Releases check looks at older releases instead of looking at the latest 5 releases. Some failing repos:
- https://github.com/pallets/jinja
- http://github.com/scikit-build/cmake-python-distributions
- http://github.com/hardbyte/python-can
- http://github.com/scikit-build/scikit-build
- http://github.com/koalalorenzo/python-digitalocean
I believe this is because we're not getting asset data back in raw results for recent releases, e.g. for Jinja, the first release that we get assets for is 2.10:
```json
"releases": [
  {
    "tag": "3.1.2",
    "url": "https://api.github.com/repos/pallets/jinja/releases/65605546",
    "assets": null
  },
  {
    "tag": "3.1.1",
    "url": "https://api.github.com/repos/pallets/jinja/releases/62821662",
    "assets": null
  },
  ...
  {
    "tag": "2.10",
    "url": "https://api.github.com/repos/pallets/jinja/releases/8439285",
    "assets": [
      {
        "path": "Jinja2-2.10-py2.py3-none-any.whl",
        "url": "https://api.github.com/repos/pallets/jinja/releases/assets/5285245"
      },
      {
        "path": "Jinja2-2.10-py2.py3-none-any.whl.asc",
        "url": "https://api.github.com/repos/pallets/jinja/releases/assets/5285246"
      },
      {
        "path": "Jinja2-2.10.tar.gz",
        "url": "https://api.github.com/repos/pallets/jinja/releases/assets/5285243"
      },
      {
        "path": "Jinja2-2.10.tar.gz.asc",
        "url": "https://api.github.com/repos/pallets/jinja/releases/assets/5285244"
      }
    ]
  }
```
I can take a look further.
Thanks @raghavkaul! Possibly because we don't explicitly specify ListOptions here.
I believe this ended up being the same bug that #4059 exposed and #4060 fixed.
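
The failure mode in this thread, as an added example that is not scorecard's own code: a consumer of the raw results can keep "asset data missing" (`"assets": null`) separate from "release has no signature" inside the latest-5 window, so missing data is reported instead of pushing the evaluation onto older releases. The names `auditWindow`, `Verdict` and `release` are hypothetical, the sample JSON is constructed, and treating `.asc` as the signature suffix is an assumption taken from the asset names in the excerpt above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like the raw-results excerpt above (not real output).
const sampleRaw = `{"releases": [
  {"tag": "v3.0.0", "assets": null},
  {"tag": "v2.9.0", "assets": []},
  {"tag": "v2.8.0", "assets": [{"path": "example-2.8.0.tar.gz"}, {"path": "example-2.8.0.tar.gz.asc"}]}]}`

type release struct {
	Tag    string                           `json:"tag"`
	Assets []struct{ Path string `json:"path"` } `json:"assets"`
}
type Verdict struct{ Tag, Status string } // hypothetical per-release result

// auditWindow classifies only the newest `window` releases (input is newest first).
// JSON null decodes to a nil slice, [] to an empty one, so the two stay distinct.
func auditWindow(raw []byte, window int) ([]Verdict, error) {
	var doc struct{ Releases []release `json:"releases"` }
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	if len(doc.Releases) > window {
		doc.Releases = doc.Releases[:window]
	}
	var out []Verdict
	for _, r := range doc.Releases {
		status := "unsigned"
		if r.Assets == nil {
			status = "no-asset-data" // do not skip ahead to an older release
		}
		for _, a := range r.Assets {
			if strings.HasSuffix(a.Path, ".asc") { // assumption: .asc marks a signature
				status = "signed"
			}
		}
		out = append(out, Verdict{r.Tag, status})
	}
	return out, nil
}

func main() {
	fmt.Println(auditWindow([]byte(sampleRaw), 5))
}
```

A window whose verdicts are all `no-asset-data` indicates a data-collection problem rather than an unsigned project, which is the situation described for the repositories listed in this issue.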