Feature: expose the ecosystem name in Packaging check
We currently don't expose the ecosystem name in raw results and in the logs. We should expose these names properly.
Copying from #2495:
Technically the name could be more complex than just the repo URI; we would need to read go.mod.
E.g., scorecard would report github.com/ossf/scorecard even though it's now github.com/ossf/scorecard/v4.
Running it on https://github.com/golang/tools/ (which is a mirror) would report that instead of the module name golang.org/x/tools.
Agreed that parsing go.mod is the right approach. Starting with the ecosystem name like Go, PyPI would be useful. Realistically, we won't be able to infer package names for other ecosystems unless the registry exposes it after verifying it themselves. Right?
What is the motivation for exposing the ecosystem name in Packaging check? Also, how do we handle monorepos?
The check currently looks for ecosystem-specific Actions, so we already surface this implicitly. If we find multiple Actions, we can identify multiple projects in monorepos.
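The go.mod approach discussed in this thread, as an added example that is not part of the thread or of Scorecard's code: it reads the module path from go.mod and falls back to the repo URI only when no module directive is found. The names `modulePath` and `packageName` are hypothetical, the go.mod contents are constructed, and only the single-line `module` directive is handled (`modfile.ModulePath` in golang.org/x/mod is the complete parser).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// modulePath returns the path from a single-line "module" directive, or "".
func modulePath(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip a trailing or full-line comment
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[0] != "module" {
			continue
		}
		if p, err := strconv.Unquote(fields[1]); err == nil {
			return p // quoted form: module "example.com/x"
		}
		return fields[1]
	}
	return ""
}

// packageName (hypothetical) prefers the go.mod module path over the repo URI.
func packageName(repoURI, gomod string) (name string, fromGoMod bool) {
	if p := modulePath(gomod); p != "" {
		return p, true
	}
	return strings.TrimPrefix(repoURI, "https://"), false
}

func main() {
	// Constructed go.mod contents for the two repositories named in the thread.
	cases := [][2]string{
		{"https://github.com/ossf/scorecard", "module github.com/ossf/scorecard/v4\n\ngo 1.19\n"},
		{"https://github.com/golang/tools", "// mirror\nmodule golang.org/x/tools // vanity path\n"},
	}
	for _, c := range cases {
		name, ok := packageName(c[0], c[1])
		fmt.Printf("%s -> %s (from go.mod: %v)\n", c[0], name, ok)
	}
}
```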
This issue is stale because it has been open for 60 days with no activity.