
Feature: Look up GitHub repositories by Maven package URL

Open raghavkaul opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.
Scorecard can look up GitHub repositories linked to Packages when the package comes from NPM, RubyGems, or PyPI.

Describe the solution you'd like
Scorecard should look up the GitHub repository associated with a project if given a Maven package URL.

raghavkaul avatar Feb 13 '23 21:02 raghavkaul

Stale issue message - this issue will be closed in 7 days

github-actions[bot] avatar Sep 16 '23 01:09 github-actions[bot]

see #2687

vorburger avatar Sep 24 '23 14:09 vorburger

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 25 '23 01:11 github-actions[bot]

As I see it, there are two variations of this:

  1. Not including a version, for example com.fasterxml.jackson.core/jackson-databind. This would just check if there is a <url> tag in the pom.xml of the latest release and invoke Scorecard with that URL. This is a very easy addition.
  2. Including a version, for example com.fasterxml.jackson.core:jackson-databind:2.19.1. This would do the same as above, but it would perform the Scorecard analysis from the tag that the version refers to. Currently Scorecard checks a project from now and back N commits, N days, etc., so this requires some changes. However, it would unlock an entirely new use case, for example for users that want to scan their SBOM with Scorecard.

AdamKorcz avatar Jun 28 '25 17:06 AdamKorcz
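The first variation above (coordinates in, `<url>` from the pom out) sketched as an added Go example; this is not Scorecard's code and not from any participant in the thread. It assumes the standard Maven repository layout on Maven Central (`repo1.maven.org/maven2/<groupId as path>/<artifactId>/<version>/<artifactId>-<version>.pom`) for the versioned form, and it parses a constructed minimal pom.xml embedded inline rather than fetching one, so it runs offline. It also adds the check a consumer would want before handing the result to Scorecard: the project `<url>` must actually point at a github.com owner/repo, and a pom without a `<url>` is reported as unresolvable rather than guessed.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// MavenCoords are the groupId:artifactId[:version] coordinates used as input
// in the issue; Version is empty for the unversioned variation.
type MavenCoords struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// ParseMavenCoords accepts "group:artifact", "group:artifact:version" or the
// slash form "group/artifact" used in the issue's first example.
func ParseMavenCoords(s string) (MavenCoords, error) {
	s = strings.TrimSpace(s)
	sep := "/"
	if strings.Contains(s, ":") {
		sep = ":"
	}
	parts := strings.Split(s, sep)
	if len(parts) < 2 || len(parts) > 3 || parts[0] == "" || parts[1] == "" {
		return MavenCoords{}, fmt.Errorf("malformed Maven coordinates %q", s)
	}
	c := MavenCoords{GroupID: parts[0], ArtifactID: parts[1]}
	if len(parts) == 3 {
		c.Version = parts[2]
	}
	return c, nil
}

// PomURL builds the Maven Central location of the pom for a versioned
// coordinate using the standard repository layout (groupId dots become path
// segments). The unversioned variation must first resolve the latest release
// (e.g. from maven-metadata.xml), which this example does not do.
func PomURL(c MavenCoords) (string, error) {
	if c.Version == "" {
		return "", errors.New("version required to address a single pom; resolve the latest release first")
	}
	groupPath := strings.ReplaceAll(c.GroupID, ".", "/")
	return fmt.Sprintf("https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.pom",
		groupPath, c.ArtifactID, c.Version, c.ArtifactID, c.Version), nil
}

// pom mirrors only the element needed here: the project-level <url>.
// A nested <scm><url> is deliberately not matched by this field.
type pom struct {
	XMLName xml.Name `xml:"project"`
	URL     string   `xml:"url"`
}

// GitHubRepoFromPom parses pom.xml bytes and returns the "owner/repo" slug of
// the project <url> if, and only if, it points at github.com.
func GitHubRepoFromPom(data []byte) (string, error) {
	var p pom
	if err := xml.Unmarshal(data, &p); err != nil {
		return "", fmt.Errorf("invalid pom.xml: %w", err)
	}
	raw := strings.TrimSpace(p.URL)
	if raw == "" {
		return "", errors.New("pom.xml has no project <url>; cannot resolve a repository")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparsable <url> %q: %w", raw, err)
	}
	host := strings.ToLower(u.Hostname())
	if host != "github.com" && host != "www.github.com" {
		return "", fmt.Errorf("<url> %q is not a GitHub repository", raw)
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || segs[0] == "" || segs[1] == "" {
		return "", fmt.Errorf("<url> %q does not name owner/repo", raw)
	}
	return segs[0] + "/" + strings.TrimSuffix(segs[1], ".git"), nil
}

// samplePom is a constructed minimal pom.xml for this example; it is not the
// real jackson-databind pom and the <url> value is assumed.
const samplePom = `<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.19.1</version>
  <url>https://github.com/FasterXML/jackson-databind</url>
</project>`

func main() {
	c, _ := ParseMavenCoords("com.fasterxml.jackson.core:jackson-databind:2.19.1")
	u, _ := PomURL(c)
	fmt.Println("pom location:", u)
	repo, err := GitHubRepoFromPom([]byte(samplePom))
	fmt.Println("repo:", repo, "err:", err)
}
```

The versioned case the second variation needs would continue from here by checking out the tag named by the version before running the checks; that is the part the comment above identifies as requiring changes to Scorecard itself.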