
Feedback on Scorecard result data

Open azeemshaikh38 opened this issue 4 years ago • 8 comments

I had a conversation with Jose Duart from Google and he had some interesting observations on Scorecard data from BQ that he analyzed.

  1. Some repos may be pretty well established (e.g. https://github.com/yaml/pyyaml), so not a lot of commits will be happening. We mark these repos as Not Active, which is unexpected from a user's POV. We probably need better signals to understand if repos are Active or improve how we score these repos.
  2. The Vulnerabilities check simply tells if there is an open vulnerability or not. This is not a strong signal when considering a package as a dependency. A stronger signal might be something like: how long do the repo owners take on average to fix vulnerabilities once they become known?

These might be interesting points to discuss in our next meeting, so creating an issue.

azeemshaikh38 avatar Jul 30 '21 19:07 azeemshaikh38
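The time-to-fix signal proposed in point 2, as an added example that is not part of the original issue or of Scorecard's own code: it takes constructed advisory records (publication date and fix date) and reports the median days-to-fix over fixed advisories plus the age of the oldest still-open advisory, so unfixed vulnerabilities are surfaced rather than silently dropped from the average. The median is used instead of the mean because a single very slow fix would otherwise dominate; the `Advisory` type, `SampleAdvisories` and `SampleNow` are assumptions made up for this example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Advisory is one known vulnerability; FixedAt stays zero while no fix has shipped.
type Advisory struct{ PublishedAt, FixedAt time.Time }
// RemediationStats describes how quickly a repo fixes vulnerabilities once known.
type RemediationStats struct {
	Fixed, Open int
	MedianDays  float64 // upper median of publish-to-fix days over fixed advisories
	MaxOpenDays float64 // age of the oldest still-open advisory at the reference time
}

// RemediationTime computes the stats as of now. Open advisories are kept out of the
// median (their fix time is unknown) and reported by age, so a long-open one still shows.
func RemediationTime(advs []Advisory, now time.Time) (s RemediationStats) {
	var fixDays []float64
	for _, a := range advs {
		if a.FixedAt.IsZero() {
			s.Open++
			s.MaxOpenDays = math.Max(s.MaxOpenDays, now.Sub(a.PublishedAt).Hours()/24)
			continue
		}
		s.Fixed++
		fixDays = append(fixDays, a.FixedAt.Sub(a.PublishedAt).Hours()/24)
	}
	if n := len(fixDays); n > 0 {
		sort.Float64s(fixDays)
		s.MedianDays = fixDays[n/2]
	}
	return s
}

// SampleNow and SampleAdvisories are constructed inputs, not real Scorecard or OSV data.
var SampleNow = time.Date(2021, 7, 30, 0, 0, 0, 0, time.UTC)
func SampleAdvisories() []Advisory {
	d := func(m time.Month, day int) time.Time { return time.Date(2021, m, day, 0, 0, 0, 0, time.UTC) }
	return []Advisory{
		{d(1, 1), d(1, 11)},    // fixed after 10 days
		{d(3, 1), d(3, 31)},    // fixed after 30 days
		{d(4, 1), d(4, 4)},     // fixed after 3 days
		{d(5, 1), time.Time{}}, // still open, 90 days old at SampleNow
	}
}
func main() { fmt.Printf("%+v\n", RemediationTime(SampleAdvisories(), SampleNow)) }
```

Feeding real advisory dates (for example from a vulnerability database feed) into `RemediationTime` in place of `SampleAdvisories` gives the per-repo signal the comment asks for.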

I had a conversation with Jose Duart from Google and he had some interesting observations on Scorecard data from BQ that he analyzed.

  1. Some repos may be pretty well established (e.g. https://github.com/yaml/pyyaml), so not a lot of commits will be happening. We mark these repos as Not Active, which is unexpected from a user's POV. We probably need better signals to understand if repos are Active or improve how we score these repos.

in addition to whether issues are closed or commented on, etc., I think when the repo has dependabot installed we would get some PRs merged once in a while.

laurentsimon avatar Aug 11 '21 23:08 laurentsimon

the statistics API may be useful to assess the activity of a repo: https://docs.github.com/en/rest/reference/repos#statistics

laurentsimon avatar Oct 27 '21 23:10 laurentsimon

increasing the time period may also be useful - related to https://github.com/ossf/scorecard/issues/1025

laurentsimon avatar Oct 28 '21 00:10 laurentsimon

this API may also be useful https://docs.github.com/en/rest/reference/activity

laurentsimon avatar Oct 28 '21 01:10 laurentsimon

another idea is to use the list of transitive deps, see if some have been updated and if the project has accepted dependabot PRs. That's pretty involved, though

laurentsimon avatar Nov 09 '21 01:11 laurentsimon

Stale issue message

github-actions[bot] avatar Jan 09 '22 02:01 github-actions[bot]

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 07 '23 01:11 github-actions[bot]

Still relevant:

  • Extending lookback period for maintained activity: https://github.com/ossf/scorecard/issues/2160
  • Deps Update Tool activity: https://github.com/ossf/scorecard/issues/2165

justaugustus avatar May 16 '24 20:05 justaugustus