
Feature - Support Maven Central in the packaging check

Open coheigea opened this issue 2 years ago • 6 comments

Is your feature request related to a problem? Please describe.
Java projects which publish to Maven Central are not included in the packaging scorecards check.

Describe the solution you'd like
We could extract the groupId/artifactId from the pom.xml and then search Maven Central via e.g. https://search.maven.org/artifact/org.apache.santuario/xmlsec and check if the latest release has packaged jars.

Alternatively we could check the README for a badge which redirects to Maven Central, e.g. something like https://maven-badges.herokuapp.com/maven-central/org.apache.santuario/xmlsec

If I got some feedback on this proposal I could work on a PR

coheigea avatar Feb 22 '23 07:02 coheigea
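One way the lookup proposed in this comment could be implemented, as an added example written for this thread (it is not scorecard's own code and not the check as it exists in the repository). It reads groupId/artifactId from a pom.xml (falling back to the parent's groupId, which is how most modules inherit it), builds a query against the Maven Central search API at search.maven.org/solrsearch/select, and inspects the response for a published main .jar. The JSON field names g, a, latestVersion and ec are assumptions about that API; the pom.xml and the API response embedded below are constructed for the example, not fetched from Maven Central.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// pom holds the subset of pom.xml needed for the lookup. A module's groupId is
// often inherited from <parent>, so both are read.
type pom struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Parent     struct {
		GroupID string `xml:"groupId"`
	} `xml:"parent"`
}

// Coordinates returns (groupId, artifactId) from a pom.xml, falling back to the
// parent's groupId when the module does not declare its own.
func Coordinates(pomXML []byte) (string, string, error) {
	var p pom
	if err := xml.Unmarshal(pomXML, &p); err != nil {
		return "", "", err
	}
	g := strings.TrimSpace(p.GroupID)
	if g == "" {
		g = strings.TrimSpace(p.Parent.GroupID)
	}
	a := strings.TrimSpace(p.ArtifactID)
	if g == "" || a == "" {
		return "", "", fmt.Errorf("pom.xml declares no groupId/artifactId")
	}
	return g, a, nil
}

// SearchURL builds the Maven Central search API query for the coordinates.
// Quoting both values keeps Solr from treating dots or dashes as operators.
func SearchURL(groupID, artifactID string) string {
	q := fmt.Sprintf(`g:"%s" AND a:"%s"`, groupID, artifactID)
	return "https://search.maven.org/solrsearch/select?rows=1&wt=json&q=" + url.QueryEscape(q)
}

// searchResponse mirrors the part of the API's JSON the check relies on
// (assumed field names: g, a, latestVersion, ec).
type searchResponse struct {
	Response struct {
		Docs []struct {
			G             string   `json:"g"`
			A             string   `json:"a"`
			LatestVersion string   `json:"latestVersion"`
			EC            []string `json:"ec"` // published extensions/classifiers, e.g. ".jar", ".pom"
		} `json:"docs"`
	} `json:"response"`
}

// LatestHasJar parses a search API response and reports the latest version and
// whether a main .jar was published for it (a .pom-only release does not count).
func LatestHasJar(body []byte) (version string, hasJar bool, err error) {
	var r searchResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", false, err
	}
	if len(r.Response.Docs) == 0 {
		return "", false, nil // not on Maven Central at all
	}
	d := r.Response.Docs[0]
	for _, ec := range d.EC {
		if ec == ".jar" {
			hasJar = true
		}
	}
	return d.LatestVersion, hasJar, nil
}

// Constructed pom.xml for the example: coordinates from the thread, groupId inherited from <parent>.
const samplePom = `<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.apache.santuario</groupId>
    <artifactId>example-parent</artifactId>
    <version>1</version>
  </parent>
  <artifactId>xmlsec</artifactId>
</project>`

// Constructed API response for the example; the version is made up, not a real release.
const sampleResponse = `{"response":{"numFound":1,"docs":[{"g":"org.apache.santuario","a":"xmlsec",
"latestVersion":"1.2.3","ec":["-sources.jar","-javadoc.jar",".jar",".pom"]}]}}`

func main() {
	g, a, err := Coordinates([]byte(samplePom))
	if err != nil {
		panic(err)
	}
	fmt.Println("query:", SearchURL(g, a))
	v, jar, err := LatestHasJar([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s:%s latest=%s packaged jar=%v\n", g, a, v, jar)
}
```

In a real check the body passed to LatestHasJar would come from an HTTP GET of SearchURL; keeping the parsing separate from the fetch is what makes it testable offline, and the .pom-only case matters because a release that uploaded no jar is exactly what the check should not reward.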

Thanks for the report. I think the original goal of the Packaging check was to verify whether users have an open-source release pipeline, to help consumers know that the build corresponds to the source code. We test if the mvn command is used in https://github.com/ossf/scorecard/blob/main/checks/fileparser/github_workflow.go#L462.

For the project you are using, do you use a workflow to build and publish?

NOTE: the packaging check starts to overlap with SLSA / signed releases, though.

laurentsimon avatar Feb 23 '23 20:02 laurentsimon

Stale issue message - this issue will be closed in 7 days

github-actions[bot] avatar Sep 16 '23 01:09 github-actions[bot]

We test if the mvn command is used in https://github.com/ossf/scorecard/blob/main/checks/fileparser/github_workflow.go#L462.

E.g. for (my) https://github.com/MariaDB4j/MariaDB4j/ where I've added Scorecard in https://github.com/MariaDB4j/MariaDB4j/issues/661 on https://securityscorecards.dev/viewer/?uri=github.com/MariaDB4j/MariaDB4j it says ? for Packaging and Signed-Releases. The problem seems to be that I still run mvn deploy locally when doing a release, not in a GitHub Action. (As in, I do have GitHub Actions which contain ./mvnd for CI, but then don't deploy.) So scanning for a pom.xml and checking if an artifact is available as suggested above would detect this better than (only) scanning for run in GitHub Workflow Actions.

vorburger avatar Sep 24 '23 14:09 vorburger

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 24 '23 01:11 github-actions[bot]

What about a release workflow that runs 'release:prepare release:perform'?

The deploy phase is automatically performed by the release plugin.

jonesbusy avatar Feb 21 '25 10:02 jonesbusy
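The point above is that a workflow scanner keyed only on the word deploy misses projects that publish through the release plugin. Below is an added example of the kind of matcher that would catch both (written for this thread; it is not scorecard's code and not the logic in github_workflow.go): it scans workflow run lines for mvn, mvnd or ./mvnw invocations and treats release:perform as a publishing goal alongside deploy, because maven-release-plugin's release:perform runs the deploy phase by default. The workflow file embedded below is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mavenCmd matches an invocation of mvn, mvnd or a wrapper (./mvnw, mvnw.cmd) and
// captures its arguments up to the end of the line or the next shell operator.
var mavenCmd = regexp.MustCompile(`(?:^|[\s;&|])(?:\./)?(?:mvnw|mvnd|mvn)(?:\.cmd)?\s+([^\n;&|]*)`)

// publishingGoals are the Maven goals/phases that upload artifacts. release:perform
// runs the deploy phase by default, so it publishes even though "deploy" never
// appears on the command line.
var publishingGoals = []string{"deploy", "release:perform"}

// isPublishingGoal checks one argument token; flags such as -DskipTests are ignored.
func isPublishingGoal(arg string) bool {
	if strings.HasPrefix(arg, "-") {
		return false
	}
	for _, g := range publishingGoals {
		if arg == g {
			return true
		}
	}
	return false
}

// PublishingCommands returns every Maven invocation in a workflow file whose
// goals would publish artifacts, so a release done via release:perform is not missed.
func PublishingCommands(workflow string) []string {
	var found []string
	for _, line := range strings.Split(workflow, "\n") {
		for _, m := range mavenCmd.FindAllStringSubmatch(line, -1) {
			for _, arg := range strings.Fields(m[1]) {
				if isPublishingGoal(arg) {
					found = append(found, strings.TrimSpace(m[0]))
					break
				}
			}
		}
	}
	return found
}

// Constructed workflow for the example: a CI job that only verifies, and a release
// job that publishes through the release plugin without ever saying "deploy".
const sampleWorkflow = `name: release
on:
  push:
    tags: ['v*']
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: ./mvnw -B verify
  release:
    runs-on: ubuntu-latest
    steps:
      - run: ./mvnw -B -DskipTests release:prepare release:perform
      - run: echo "deploy finished"
`

func main() {
	for _, cmd := range PublishingCommands(sampleWorkflow) {
		fmt.Println("publishing command:", cmd)
	}
}
```

The echo line shows why the match is on argument tokens of a Maven invocation rather than on the bare word: "deploy" appearing anywhere in a run line is not evidence of a release.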

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Apr 23 '25 02:04 github-actions[bot]