How can I get the details when using scorecard serve?

Open gcanlin opened this issue 8 months ago • 3 comments

I deployed scorecard as a service with ./scorecard serve. I sent an HTTP request to the port, but it returns JSON whose details field is null. I also checked the usage of ./scorecard serve with ./scorecard serve --help. It only supports the flags -h and --help, and has no flags like --show-details.

gcanlin avatar May 15 '25 03:05 gcanlin

Hi, I found the reason for this result. I'm not sure yet whether this is a bug. In serve.go, at line 79, the usage of repoResult.AsJson is old and doesn't compute the aggregate score. I replaced it with format.JSON, which uses AsJSON2. Then I get the right result. Besides, I think that serve should invoke the rootCmd functions and inherit the flags of the root command via o.AddFlags(cmd). If you agree with this, I'm glad to create a pull request to fix them.

gcanlin avatar May 16 '25 02:05 gcanlin

Thanks for taking a look at this, yeah, serve.go is pretty old, I don't think it's ever worked in my ~3 years on the project. We haven't really had any interest/report until this issue. Do you have a use case for the functionality?

In terms of things like --show-details, I would need to think if that would be a CLI flag, or something like a GET parameter for the request

spencerschrock avatar May 16 '25 06:05 spencerschrock

Thank you for your reply. Due to GitHub token limitations, the Scorecard API service officially deployed is not real-time. Our product relies on a large number of open-source components, and we use the Scorecard score as one of the criteria for technology selection. This helps us quickly identify open-source software that may pose security risks and prevent potential supply chain attacks.

Therefore, we need to evaluate multiple open-source projects in bulk and in an automated way. A stable and reliable HTTP service would significantly improve both efficiency and security. We plan to deploy a real-time internal Scorecard service for shared use across our teams, and to provide machine-to-machine interfaces for other services within our system.

I also fully agree with your idea to treat CLI flags as parameters — it might be a good time for us to consider designing a complete REST API.

gcanlin avatar May 16 '25 07:05 gcanlin
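
For the bulk, automated evaluation described above, a consumer should fail closed on the symptom reported in this issue instead of gating on an incomplete result. The sketch below is an added example, not code from the thread or from the Scorecard project; only the details field is named on this page, so the "score", "checks", "name" and "repo" keys are assumptions about the response layout, and both sample bodies are constructed.

```python
import json

# Constructed sample responses (not real scan output). Only "details" is
# named in the thread; the other keys are assumed for illustration.
INCOMPLETE = json.dumps({
    "repo": {"name": "example.com/org/lib-a"},
    "checks": [{"name": "Branch-Protection", "score": 3, "details": None}],
})
COMPLETE = json.dumps({
    "repo": {"name": "example.com/org/lib-b"},
    "score": 4.5,
    "checks": [
        {"name": "Branch-Protection", "score": 3,
         "details": ["Warn: constructed detail line"]},
        {"name": "Pinned-Dependencies", "score": 6,
         "details": ["Info: constructed detail line"]},
    ],
})


def validate_result(body):
    """Return the problems that make a response unsafe to gate on."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    problems = []
    score = doc.get("score")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        problems.append("aggregate score missing")
    checks = doc.get("checks")
    if not isinstance(checks, list) or not checks:
        return problems + ["no checks in response"]
    if all(not isinstance(c, dict) or c.get("details") is None for c in checks):
        problems.append("details null for every check")
    return problems


def admit(body, threshold):
    """Fail closed: admit only complete results at or above the threshold."""
    problems = validate_result(body)
    if problems:
        return False, problems
    return json.loads(body)["score"] >= threshold, []
```

The details test only fires when every check has null details, since a single check with nothing to report may legitimately carry none.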

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Jul 16 '25 02:07 github-actions[bot]

Fixed by #4665

spencerschrock avatar Sep 10 '25 17:09 spencerschrock