Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: ossf scorecard reporting improvements #886

Merged
merged 3 commits into from
Feb 25, 2023
Merged

feat: ossf scorecard reporting improvements #886

merged 3 commits into from
Feb 25, 2023

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Feb 23, 2023
edited
Loading

Main changes

  • Removed previous data files as the v2 has breaking changes
  • Discovery mode enabled (so the repos are auto-added once they are available)
  • Bump to openssf-scorecard-monitor v2.0.0-beta1 (this include commit hash reference)
  • Enabled report tags in case that we want to add extra info to the reporting file
  • Change cron frequency to once per week to avoid spamming issues as we track many projects and we meet once per 2 weeks

Full context

What to expect?

This is a sample output. If we proactively push the reports (as we do in the security-wg) we can see more updated scores

OpenSSF Scorecard Report

Summary

Repository Commit Score Date Difference Report Link
nodejs/readable-stream 6efcd35 6.3 2022-11-28 0 Full Report
nodejs/node-addon-examples 0f57746 5 2022-11-28 0 Full Report
nodejs/http-parser ec8b5ee 6.1 2022-11-28 0 Full Report
nodejs/build f14e2b7 7.6 2022-11-28 0 Full Report
nodejs/nan dd5edf8 6 2022-11-28 0 Full Report
nodejs/node-gyp ee46f9d 5.5 2022-11-28 0 Full Report
nodejs/node 22c645d 6.8 2022-11-28 0 Full Report
nodejs/diagnostics 0d04ec6 5.6 2022-11-28 0 Full Report
nodejs/docker-node 3954388 7.3 2022-11-28 0 Full Report
nodejs/nodejs-ko ab14802 6.3 2022-11-28 0 Full Report
nodejs/changelog-maker b5fb668 5.5 2022-11-28 0 Full Report
nodejs/Release 857d26d 7.1 2022-11-28 0 Full Report
nodejs/nodejs.org b56353b 8.3 2022-11-28 0 Full Report
nodejs/help e9936f0 7.1 2022-11-28 0 Full Report
nodejs/TSC ec47fc4 7.1 2022-11-28 0 Full Report
nodejs/citgm a35b3fd 5.8 2022-11-28 0 Full Report
nodejs/llnode de1f01d 6 2022-11-28 0 Full Report
nodejs/core-validate-commit 38b4910 4.8 2022-11-28 0 Full Report
nodejs/node-inspect 9043c69 5.8 2022-11-28 0 Full Report
nodejs/nodejs-dist-indexer da5b157 5.3 2022-11-28 0 Full Report
nodejs/node-report 9054749 5.5 2022-11-28 0 Full Report
nodejs/nodejs-nightly-builder 00c8135 5.2 2022-11-28 0 Full Report
nodejs/security-wg 4f8a10a 7 2023-02-21 0 Full Report
nodejs/node-addon-api 39267ba 5.6 2022-11-28 0 Full Report
nodejs/tap2junit 5c10d8e 4.8 2022-11-28 0 Full Report
nodejs/nodejs-latest-linker 5792ec9 5.3 2022-11-28 0 Full Report
nodejs/remark-preset-lint-node ec3dc3f 6.8 2022-11-28 0 Full Report
nodejs/node-v8 4d3c871 5.7 2022-11-28 0 Full Report
nodejs/lts-schedule 9cabad5 5.5 2022-11-28 0 Full Report
nodejs/node-core-utils 35ef99f 6.3 2022-11-28 0 Full Report
nodejs/string_decoder 1f29dd7 5.4 2022-11-28 0 Full Report
nodejs/modules ce02534 5.7 2022-11-28 0 Full Report
nodejs/llparse 4d7e352 6.2 2022-11-28 0 Full Report
nodejs/mentorship 452a38a 5.7 2022-11-28 0 Full Report
nodejs/meeting-picker 164fcf1 5.5 2022-11-28 0 Full Report
nodejs/i18n 61aa09b 7.8 2022-11-28 0 Full Report
nodejs/llhttp 85dd446 7 2022-11-28 0 Full Report
nodejs/undici e461407 6.5 2023-02-23 0 Full Report
nodejs/official-images 6921123 2.7 2022-11-28 0 Full Report
nodejs/package-maintenance 35d8252 7.4 2022-11-28 0 Full Report
nodejs/nodejs.dev e31da70 6.1 2022-11-28 0 Full Report
nodejs/uvwasi c5b979d 5.2 2022-11-28 0 Full Report
nodejs/whatwg-stream 092231d 5.1 2022-11-28 0 Full Report
nodejs/gyp-next ac262fe 6.1 2022-11-28 0 Full Report
nodejs/corepack 4efc06d 5.8 2022-11-28 0 Full Report

@UlisesGascon
feat: ossf scorecard reporting improvements
1612c89 
- Removed previous data files as the v2 has breaking changes
- Discovery mode enabled
- Bump to openssf-scorecard-monitor v2.0.0-beta1
- Enabled report tags in case that we want to add extra info to the reporting file
@UlisesGascon UlisesGascon self-assigned this Feb 23, 2023
@fraxken fraxken mentioned this pull request Feb 24, 2023
Closed
RafaelGSS
RafaelGSS approved these changes Feb 24, 2023
View reviewed changes
Copy link
Member

@RafaelGSS RafaelGSS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify, the summary you provided in the PR description will be different from the one we will get after merging this PR, right? I'm assuming we are only tracking undici/security-wg/nodejs

mcollina
mcollina approved these changes Feb 24, 2023
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@UlisesGascon
Copy link
Member Author

Great point @RafaelGSS, in the current status this change will cover nodejs as org so it will generate the file shown above (and will keep adding automatically more repos once they are available to osff scorecard), but I can disable the discovery mode flag and keep the same scope as it is currently in place (undici, node, security-wg).

so... are we happy to use the discovery mode and extend the scope or we want to keep the current scope?

@mcollina
Copy link
Member

Something to note, but we have fuzzying in undici: https://github.com/nodejs/undici/blob/06f77a92087f18151f1ed8c7eb25ad44351ba508/package.json#L67

@RafaelGSS
Copy link
Member

Great point @RafaelGSS, in the current status this change will cover nodejs as org so it will generate the file shown above (and will keep adding automatically more repos once they are available to osff scorecard), but I can disable the discovery mode flag and keep the same scope as it is currently in place (undici, node, security-wg).

so... are we happy to use the discovery mode and extend the scope or we want to keep the current scope?

I think we can keep the discovery mode. But, let's concentrate our work only on those three repos for now, then we can move forward.

@nschonni nschonni mentioned this pull request Feb 24, 2023
Merged
@UlisesGascon
Copy link
Member Author

I will merge the PR as we seem happy with the changes and the scope. BTW I bumped the version to v2.0.0-beta2 as I promoted a new version yesterday with minor fixes, more details

@UlisesGascon UlisesGascon merged commit 9835926 into nodejs:main Feb 25, 2023
@UlisesGascon UlisesGascon deleted the feat/ossf-scorecard-v2-beta1 branch February 25, 2023 21:28
@UlisesGascon UlisesGascon mentioned this pull request Mar 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fraxken fraxken fraxken approved these changes

@nschonni nschonni nschonni left review comments

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@mcollina mcollina mcollina approved these changes

@mhdawson mhdawson Awaiting requested review from mhdawson

Assignees

@UlisesGascon UlisesGascon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@UlisesGascon @mcollina @RafaelGSS @nschonni @fraxken @marco-ippolito