diff --git a/scanpipe/migrations/0070_alter_project_purl_discoveredpackagescore_and_more.py b/scanpipe/migrations/0070_alter_project_purl_discoveredpackagescore_and_more.py
new file mode 100644
index 000000000..203dec295
--- /dev/null
+++ b/scanpipe/migrations/0070_alter_project_purl_discoveredpackagescore_and_more.py
@@ -0,0 +1,49 @@
+# Generated by Django 5.1.3 on 2024-12-02 22:53
+
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('scanpipe', '0069_project_purl'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='project',
+ name='purl',
+ field=models.CharField(blank=True, help_text="Package URL (PURL) for the project, required for pushing the project's scan result to FederatedCode. For example, if the input is an input URL like https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz, the corresponding PURL would be pkg:npm/lodash@4.17.21.", max_length=2048),
+ ),
+ migrations.CreateModel(
+ name='DiscoveredPackageScore',
+ fields=[
+ ('scoring_tool', models.CharField(blank=True, choices=[('ossf-scorecard', 'Ossf'), ('others', 'Others')], help_text='Defines the source of a score or any other scoring metricsFor example: ossf-scorecard for scorecard data', max_length=100)),
+ ('scoring_tool_version', models.CharField(blank=True, help_text='Defines the version of the scoring tool used for scanning thepackageFor Eg : 4.6 current version of OSSF - scorecard', max_length=50)),
+ ('score', models.CharField(blank=True, help_text='Score of the package which is scanned', max_length=50)),
+ ('scoring_tool_documentation_url', models.CharField(blank=True, help_text='Documentation URL of the scoring tool used', max_length=100)),
+ ('score_date', models.DateTimeField(blank=True, editable=False, help_text='Date when the scoring was calculated on the package', null=True)),
+ ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+ ('discovered_package', models.ForeignKey(blank=True, editable=False, help_text='The package for which the score is given', null=True, on_delete=django.db.models.deletion.CASCADE, related_name='discovered_packages_score', to='scanpipe.discoveredpackage')),
+ ],
+ options={
+ 'abstract': False,
+ },
+ ),
+ migrations.CreateModel(
+ name='ScorecardCheck',
+ fields=[
+ ('check_name', models.CharField(blank=True, help_text='Defines the name of check corresponding to the OSSF scoreFor example: Code-Review or CII-Best-PracticesThese are the some of the checks which are performed on a scanned package', max_length=100)),
+ ('check_score', models.CharField(blank=True, help_text='Defines the score of the check for the package scannedFor Eg : 9 is a score given for Code-Review', max_length=50)),
+ ('reason', models.CharField(blank=True, help_text='Gives a reason why a score was given for a specific checkFor eg, : Found 9/10 approved changesets -- score normalized to 9', max_length=300)),
+ ('details', models.JSONField(blank=True, default=list, help_text='A list of details/errors regarding the score')),
+ ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+ ('for_package_score', models.ForeignKey(blank=True, editable=False, help_text='The checks for which the score is given', null=True, on_delete=django.db.models.deletion.CASCADE, related_name='discovered_packages_score_checks', to='scanpipe.discoveredpackagescore')),
+ ],
+ options={
+ 'abstract': False,
+ },
+ ),
+ ]
diff --git a/scanpipe/models.py b/scanpipe/models.py
index 0b0cbd837..70b2c3908 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -29,6 +29,7 @@ from collections import Counter
 from collections import defaultdict
 from contextlib import suppress
+from datetime import datetime
 from itertools import groupby
 from operator import itemgetter
 from pathlib import Path
@@ -88,6 +89,8 @@ from rq.exceptions import NoSuchJobError
 from rq.job import Job
 from rq.job import JobStatus
+from scorecode.contrib.django.models import PackageScoreMixin
+from scorecode.contrib.django.models import ScorecardChecksMixin
 from taggit.managers import TaggableManager
 from taggit.models import GenericUUIDTaggedItemBase
 from taggit.models import TaggedItemBase
@@ -4023,6 +4026,103 @@ def as_spdx(self):
 )
+class DiscoveredPackageScore(UUIDPKModel, PackageScoreMixin):
+ def __str__(self):
+ return self.score or str(self.uuid)
+
+ discovered_package = models.ForeignKey(
+ DiscoveredPackage,
+ related_name="discovered_packages_score",
+ help_text=_("The package for which the score is given"),
+ on_delete=models.CASCADE,
+ editable=False,
+ blank=True,
+ null=True,
+ )
+
+ def parse_score_date(date_str, formats=None):
+ """
+ Parse a date string into a timezone-aware datetime object,
+ or return None if parsing fails.
+ """
+ if not formats:
+ formats = ["%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ"]
+
+ if date_str:
+ for fmt in formats:
+ try:
+ naive_datetime = datetime.strptime(date_str, fmt)
+ return timezone.make_aware(
+ naive_datetime, timezone.get_current_timezone()
+ )
+ except ValueError:
+ continue
+
+ # Return None if date_str is None or parsing fails
+ return None
+
+ @classmethod
+ @transaction.atomic()
+ def create_from_scorecard_data(
+ cls, discovered_package, scorecard_data, scoring_tool=None
+ ):
+ """Create ScoreCard object from scorecard data and discovered package"""
+ final_data = {
+ "score": scorecard_data.score,
+ "scoring_tool_version": scorecard_data.scoring_tool_version,
+ "scoring_tool_documentation_url": (
+ scorecard_data.scoring_tool_documentation_url
+ ),
+ "score_date": cls.parse_score_date(scorecard_data.score_date),
+ }
+
+ scorecard_object = cls.objects.create(
+ **final_data,
+ discovered_package=discovered_package,
+ scoring_tool=scoring_tool,
+ )
+
+ for check in scorecard_data.checks:
+ ScorecardCheck.create_from_data(package_score=scorecard_object, check=check)
+
+ return scorecard_object
+
+ @classmethod
+ def create_from_package_and_scorecard(cls, scorecard_data, package):
+ score_object = cls.create_from_scorecard_data(
+ discovered_package=package,
+ scorecard_data=scorecard_data,
+ scoring_tool="ossf-scorecard",
+ )
+ return score_object
+
+
+class ScorecardCheck(UUIDPKModel, ScorecardChecksMixin):
+ def __str__(self):
+ return self.check_score or str(self.uuid)
+
+ for_package_score = models.ForeignKey(
+ DiscoveredPackageScore,
+ related_name="discovered_packages_score_checks",
+ help_text=_("The checks for which the score is given"),
+ on_delete=models.CASCADE,
+ editable=False,
+ blank=True,
+ null=True,
+ )
+
+ @classmethod
+ def create_from_data(cls, package_score, check):
+ """Create a ScorecardCheck instance from provided data."""
+ return cls.objects.create(
+ check_name=check.check_name,
+ check_score=check.check_score,
+ reason=check.reason or "",
+ details=check.details or [],
+ for_package_score=package_score,
+ )
+
+
 def normalize_package_url_data(purl_mapping, ignore_nulls=False):
 """
 Normalize a mapping of purl data so database queries with
diff --git a/scanpipe/pipelines/fetch_scorecode_info.py b/scanpipe/pipelines/fetch_scorecode_info.py
new file mode 100644
index 000000000..21049fc99
--- /dev/null
+++ b/scanpipe/pipelines/fetch_scorecode_info.py
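Review bot: `parse_score_date` is defined inside `DiscoveredPackageScore` without `@staticmethod`, so it only works when reached through the class the way `cls.parse_score_date(...)` does in `create_from_scorecard_data`; called on an instance, `self` would be bound to `date_str`. Putting `@staticmethod` directly above `def parse_score_date(date_str, formats=None):` makes the intent explicit and removes that trap. Separately, the second accepted format `"%Y-%m-%dT%H:%M:%SZ"` denotes UTC, yet every parsed value is localized with `timezone.get_current_timezone()` (assuming `timezone` is Django's, as `make_aware` suggests), so on a server whose current timezone is not UTC the stored `score_date` is shifted by that offset; values parsed with the `Z` format should be made aware with UTC instead (the `timezone.utc` of the `datetime` module, which the hunk's new `from datetime import datetime` import does not yet bring in). The docstring of `create_from_scorecard_data` could also state that it creates one `ScorecardCheck` row per entry of `scorecard_data.checks` inside the same transaction, since that side effect is the main reason for `@transaction.atomic()`.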
@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+
+from scorecode import ossf_scorecard
+
+from scanpipe.models import DiscoveredPackageScore
+from scanpipe.pipelines import Pipeline
+
+
+class FetchScoreCodeInfo(Pipeline):
+ """
+ Fetch ScoreCode information for packages and dependencies.
+
+ This pipeline retrieves ScoreCode data for each package in the project
+ and stores it in the corresponding package instances.
+ """
+
+ download_inputs = False
+ is_addon = True
+
+ @classmethod
+ def steps(cls):
+ return (
+ cls.check_scorecode_service_availability,
+ cls.fetch_packages_scorecode_info,
+ )
+
+ def check_scorecode_service_availability(self):
+ """Check if the scorecode service is configured and available."""
+ if not ossf_scorecard.is_available():
+ raise Exception("scorecode service is not available.")
+
+ def fetch_packages_scorecode_info(self):
+ """Fetch scorecode information for each of the project's discovered packages."""
+ for package in self.project.discoveredpackages.all():
+ scorecard_data = ossf_scorecard.fetch_scorecard_info(
+ package=package, logger=None
+ )
+
+ if scorecard_data:
+ DiscoveredPackageScore.create_from_package_and_scorecard(
+ scorecard_data=scorecard_data,
+ package=package,
+ )
+
+ else:
+ # We Want to create error instead of exception
+ raise Exception("No data found for the package")
diff --git a/scanpipe/tests/__init__.py b/scanpipe/tests/__init__.py
index 502412750..f1f06e27f 100644
--- a/scanpipe/tests/__init__.py
+++ b/scanpipe/tests/__init__.py
@@ -20,9 +20,11 @@ # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/nexB/scancode.io for support and download.
+import json
 import os
 import uuid
 from datetime import datetime
+from pathlib import Path
 from unittest import mock
 from django.apps import apps
@@ -298,3 +300,10 @@ def make_message(project, **data):
 "license_key": "mpl-2.0",
 },
 }
+
+scorecard_data = None
+
+data = Path(__file__).parent / "data"
+
+with open(f"{data}/scorecode/scorecard_response.json") as file:
+ scorecard_data = json.load(file)
diff --git a/scanpipe/tests/data/scorecode/scorecard_response.json b/scanpipe/tests/data/scorecode/scorecard_response.json
new file mode 100644
index 000000000..d6d7f4461
--- /dev/null
+++ b/scanpipe/tests/data/scorecode/scorecard_response.json
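Review bot: The `else` branch of `fetch_packages_scorecode_info` raises on the first package for which `fetch_scorecard_info` returns nothing, which aborts the whole run and leaves every later package unscored, while the `# We Want to create error instead of exception` comment shows this was not the intent. Record the miss and keep going, e.g. `self.log(f"No scorecard data for {package}")` followed by `continue` (or the project's error-recording helper, if that is what the comment refers to), and keep the hard failure only in `check_scorecode_service_availability`. The loop also never looks for an existing score, so every re-run of this add-on pipeline creates another `DiscoveredPackageScore` row per package — the migration on this page adds no uniqueness on `discovered_package` — which should either be documented in the class docstring or guarded by checking `package.discovered_packages_score` first. Both `raise Exception(...)` calls would also read better with a narrower exception type, and passing `logger=None` discards whatever the scorecode client would report about a failed fetch.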
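Review bot: At the end of `scanpipe/tests/__init__.py`, `data` is already a `Path`, so formatting it back into a string for `open()` is a detour, and the preceding `scorecard_data = None` is dead because the `with` block always assigns the name; `scorecard_data = json.loads((data / "scorecode" / "scorecard_response.json").read_text())` does the same in one line. Loading the fixture at import time also means every test module that imports the package pays for the read, and a malformed fixture surfaces as an import error rather than a test failure; a short comment on `scorecard_data` naming it as the shared OSSF scorecard fixture would help the next reader. The module-level name `data` is also generic for a package `__init__`; something like `DATA_DIR` would be harder to shadow.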
@@ -0,0 +1,811 @@ +{ + "date": "2024-11-25", + "repo": { + "name": "github.com/nexB/scancode-toolkit", + "commit": "65e1c2db473c0b0891dec0d0c369209cdd7cb0f5" + }, + "scorecard": { + "version": "v5.0.0-94-g51f31c98", + "commit": "51f31c9882b6e5998e0df571096147a99842092b" + }, + "score": 4.2, + "checks": [ + { + "name": "Code-Review", + "score": 5, + "reason": "Found 8/14 approved changesets -- score normalized to 5", + "details": null, + "documentation": { + "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#code-review" + } + }, + { + "name": "Maintained", + "score": 10, + "reason": "30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10", + "details": null, + "documentation": { + "short": "Determines if the project is \"actively maintained\".", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#maintained" + } + }, + { + "name": "CII-Best-Practices", + "score": 0, + "reason": "no effort to earn an OpenSSF best practices badge detected", + "details": null, + "documentation": { + "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#cii-best-practices" + } + }, + { + "name": "Security-Policy", + "score": 0, + "reason": "security policy file not detected", + "details": [ + "Warn: no security policy file detected", + "Warn: no security file to analyze", + "Warn: no security file to analyze", + "Warn: no security file to analyze" + ], + "documentation": { + "short": "Determines if the project has published a security policy.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#security-policy" + } + }, + { + "name": 
"Token-Permissions", + "score": 10, + "reason": "GitHub workflow tokens follow principle of least privilege", + "details": [ + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:319", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:360", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:401", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:59", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:126", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:161", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:196", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:228", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:25", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:91", + "Info: jobLevel 'contents' permission set to 'read': .github/workflows/scancode-release.yml:274", + "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/scancode-release.yml:438", + "Info: topLevel 'contents' permission set to 'read': .github/workflows/about-files-ci.yml:6", + "Info: topLevel 'contents' permission set to 'read': .github/workflows/docs-ci.yml:6", + "Info: found token with 'none' permissions: .github/workflows/scancode-release.yml:1" + ], + "documentation": { + "short": "Determines if the project's workflows follow the principle of least privilege.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#token-permissions" + } + }, + { + "name": "Dangerous-Workflow", + "score": 10, + "reason": "no dangerous workflow patterns detected", + "details": null, + "documentation": { + 
"short": "Determines if the project's GitHub Action workflows avoid dangerous patterns.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#dangerous-workflow" + } + }, + { + "name": "License", + "score": 9, + "reason": "license file detected", + "details": [ + "Info: project has a license file: apache-2.0.LICENSE:0", + "Warn: project license file does not contain an FSF or OSI license." + ], + "documentation": { + "short": "Determines if the project has defined a license.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#license" + } + }, + { + "name": "Packaging", + "score": 10, + "reason": "packaging workflow detected", + "details": [ + "Info: Project packages its releases by way of GitHub Actions.: .github/workflows/scancode-release.yml:547" + ], + "documentation": { + "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#packaging" + } + }, + { + "name": "Branch-Protection", + "score": -1, + "reason": "internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration", + "details": null, + "documentation": { + "short": "Determines if the default and release branches are protected with GitHub's branch protection settings.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#branch-protection" + } + }, + { + "name": "Signed-Releases", + "score": 0, + "reason": "Project has not signed or included provenance with any releases.", + "details": [ + "Warn: release artifact v32.3.0 not signed: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/180932258", + "Warn: release artifact v32.2.1 not signed: 
https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/163419040", + "Warn: release artifact v32.2.0 not signed: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/161475747", + "Warn: release artifact v32.1.0 not signed: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/147940455", + "Warn: release artifact v32.0.8 not signed: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/124587514", + "Warn: release artifact v32.3.0 does not have provenance: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/180932258", + "Warn: release artifact v32.2.1 does not have provenance: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/163419040", + "Warn: release artifact v32.2.0 does not have provenance: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/161475747", + "Warn: release artifact v32.1.0 does not have provenance: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/147940455", + "Warn: release artifact v32.0.8 does not have provenance: https://api.github.com/repos/aboutcode-org/scancode-toolkit/releases/124587514" + ], + "documentation": { + "short": "Determines if the project cryptographically signs release artifacts.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#signed-releases" + } + }, + { + "name": "Fuzzing", + "score": 0, + "reason": "project is not fuzzed", + "details": [ + "Warn: no fuzzer integrations found" + ], + "documentation": { + "short": "Determines if the project uses fuzzing.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#fuzzing" + } + }, + { + "name": "SAST", + "score": 0, + "reason": "SAST tool is not run on all commits -- score normalized to 0", + "details": [ + "Warn: 0 commits out of 28 are checked with a SAST tool" + ], + "documentation": { + "short": "Determines if the project uses 
static code analysis.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#sast" + } + }, + { + "name": "Binary-Artifacts", + "score": 0, + "reason": "binaries present in source code", + "details": [ + "Warn: binary detected: tests/cluecode/data/copyrights/binary_lib-php_embed_lib.lib:1", + "Warn: binary detected: tests/cluecode/data/copyrights/copyright_php_lib-php_embed_lib.lib:1", + "Warn: binary detected: tests/cluecode/data/copyrights/dll-9_msvci_dll.dll:1", + "Warn: binary detected: tests/cluecode/data/copyrights/dll-9_msvci_dll2.dll:1", + "Warn: binary detected: tests/cluecode/data/copyrights/no_class_file_1-PersistentArrayHolder_class.class:1", + "Warn: binary detected: tests/cluecode/data/copyrights/no_class_file_2-PersistentElementHolder_class.class:1", + "Warn: binary detected: tests/cluecode/data/copyrights/no_class_file_3-PersistentIndexedElementHolder_class.class:1", + "Warn: binary detected: tests/cluecode/data/copyrights/no_class_file_4-PersistentListElementHolder_class.class:1", + "Warn: binary detected: tests/cluecode/data/copyrights/win-archive.lib:1", + "Warn: binary detected: tests/cluecode/data/copyrights/windows.dll:1", + "Warn: binary detected: tests/cluecode/data/finder/binaries/gapi32.dll:1", + "Warn: binary detected: tests/cluecode/data/finder/url/XMLConstants.class:1", + "Warn: binary detected: tests/licensedcode/data/datadriven/external/fossology-tests/No_license_found/ConfigRuleSet.class:1", + "Warn: binary detected: tests/licensedcode/data/datadriven/lic1/do-not_detect-licenses-in-archive.jar:1", + "Warn: binary detected: tests/licensedcode/data/datadriven/lic2/basename.elf:1", + "Warn: binary detected: tests/licensedcode/data/datadriven/lic3/long-s3cli-0.0.53-linux-amd64.go:1", + "Warn: binary detected: tests/licensedcode/data/datadriven/lic4/NamespaceNode.class:1", + "Warn: binary detected: 
tests/licensedcode/data/index/do-not-cache-full-paths/_codecs_jp.cpython-38-x86_64-linux-gnu-slim-v2.so:1", + "Warn: binary detected: tests/licensedcode/data/matched_text/binary_text/gosu:1", + "Warn: binary detected: tests/licensedcode/data/matched_text/ffmpeg/ffmpeg:1", + "Warn: binary detected: tests/licensedcode/data/matched_text/ffmpeg/ffmpeg.exe:1", + "Warn: binary detected: tests/licensedcode/data/matched_text/ffmpeg/libavsample.lib:1", + "Warn: binary detected: tests/licensedcode/data/perf/ath_pci.ko:1", + "Warn: binary detected: tests/licensedcode/data/perf/eeepc_acpi.ko:1", + "Warn: binary detected: tests/licensedcode/data/positions/ath_pci.ko:1", + "Warn: binary detected: tests/licensedcode/data/positions/eeepc_acpi.ko:1", + "Warn: binary detected: tests/licensedcode/data/positions/wlan_xauth.ko:1", + "Warn: binary detected: tests/licensedcode/data/query/ath_pci.ko:1", + "Warn: binary detected: tests/licensedcode/data/query/eeepc_acpi.ko:1", + "Warn: binary detected: tests/licensedcode/data/query/wlan_xauth.ko:1", + "Warn: binary detected: tests/packagedcode/data/archives/adduser_3.112ubuntu1_all.deb:1", + "Warn: binary detected: tests/packagedcode/data/archives/alfandega-2.2-2.rh80.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/archives/simple.jar:1", + "Warn: binary detected: tests/packagedcode/data/archives/small.iso:1", + "Warn: binary detected: tests/packagedcode/data/maven_misc/extracted-jar/hsqldb-2.4.0.jar-extract/org/hsqldb/Database.class:1", + "Warn: binary detected: tests/packagedcode/data/pypi/archive/atomicwrites-1.2.1-py2.py3-none-any.whl:1", + "Warn: binary detected: tests/packagedcode/data/pyrpm/Eterm-0.9.3-5mdv2007.0.rpm:1", + "Warn: binary detected: tests/packagedcode/data/recon/pypi/atomicwrites/atomicwrites-1.2.1-py2.py3-none-any.whl:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/FaxMail-2.3-12mdv2007.0.src.rpm:1", + "Warn: binary detected: 
tests/packagedcode/data/rpm/header/NEC-MultiWriter_1700C-1.0-1.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/alfandega-2.0-1.7.3.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/alfandega-2.2-2.rh80.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/alfandega-2.2-2.rh80.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/apache-commons-io-2.4-12.el7.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/berry-mkdiscicons-0.07-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/berry-service-0.05-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/broken.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/cndrvcups-common-2.00-2.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/cndrvcups-lipslx-2.00-2.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/elfinfo-1.0-1.fc9.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/firefox-3.5.6-b1.nosrc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.2b1-1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.2b1-49607cl.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4-0.b2.rhfc1.dag.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-10.fc12.ppc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-10.fc12.x86_64.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-114.1.ppc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-5.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-7.el4.asp101.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-7.el5.i386.rpm:1", + "Warn: binary detected: 
tests/packagedcode/data/rpm/header/fping-2.4b2-8mdv2007.1.sparc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2-9.fc11.ppc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fping-2.4b2to-20080101.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/fxload-2002_04_11-212.1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/kimera-1.40+-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/libproxy-bin-0.3.0-4.el6_3.x86_64.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/libsqueeze0.2_0-0.2.3-8mdv2010.0.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/m4ri-20081028-5.fc12.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/m4ri-devel-20081028-5.fc12.ppc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/mdcp-0.1.2-2.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/mdcp-0.1.2-2.i686.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/mdcp-0.1.2-2.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/mdv-rpm-summary-0.9.3-1mdv2010.0.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/mvlutils-2.8.4-7.0.2.0801061.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/necsul-1.2.0-2.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/necsul-devel-1.2.0-2.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/necsul-suse-1.2.0-2.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/necsul-suse-devel-1.2.0-2.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-CGI-3.42-8.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Class-MethodMaker-1.06-1.7.3.noarch.rpm:1", + "Warn: binary detected: 
tests/packagedcode/data/rpm/header/perl-Class-MethodMaker-1.06-1.8.0.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Class-MethodMaker-1.06-1.8.0.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Compress-Zlib-1.16-1.7.3.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Compress-Zlib-1.16-1.8.0.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Compress-Zlib-1.16-1.8.0.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Crypt-IDEA-1.08-2.fc10.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Crypt-IDEA-1.08-2.fc10.x86_64.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-IO-Interface-0.97-3.7.3.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-IO-Interface-0.97-3.8.0.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-IO-Interface-0.97-3.8.0.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Net-IP-1.15-1.7.3.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Net-IP-1.15-1.8.0.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Net-IP-1.15-1.8.0.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ProgressBar-2.00-1.7.3.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ProgressBar-2.00-1.8.0.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ProgressBar-2.00-1.8.0.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ReadKey-2.20-1.7.3.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ReadKey-2.20-1.8.0.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/perl-Term-ReadKey-2.20-1.8.0.src.rpm:1", + "Warn: binary detected: 
tests/packagedcode/data/rpm/header/ping-0.17-30994cl.ppc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/ping-0.17-30994cl.sparc.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/ping-ss020927-54702cl.i386.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/python-glc-0.7.1-1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/renamed.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/rpm_trailing.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/setup-2.5.49-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/svgalib-1.9.25-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/xsetup-0.28-b1.src.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/header/zziplib-0.11.15-3sf.i586.rpm:1", + "Warn: binary detected: tests/packagedcode/data/rpm/package/alfandega-2.0-1.7.3.noarch.rpm:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/Microsoft.Practices.EnterpriseLibrary.Caching.dll:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/Moq.Silverlight.dll:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/Windows.AI.winmd:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/_ctypes_test.pyd:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/chcp.com:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/clfs.sys.mui:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/crypt32.dll.mun:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/euc-jp.so:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/file.exe:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/libiconv2.dll:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/libintl3.dll:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/stdole2.tlb:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/tbs.sys:1", + "Warn: binary detected: 
tests/packagedcode/data/win_pe/tre4.dll:1", + "Warn: binary detected: tests/packagedcode/data/win_pe/zlib1.dll:1", + "Warn: binary detected: tests/scancode/data/rpm/fping-2.4-0.b2.rhfc1.dag.i386.rpm:1", + "Warn: binary detected: tests/textcode/data/archive/simple.jar:1", + "Warn: binary detected: tests/textcode/data/strings/basic/main.o:1", + "Warn: binary detected: tests/textcode/data/strings/bin/amd64_exec:1", + "Warn: binary detected: tests/textcode/data/strings/bin/c_count.exe:1", + "Warn: binary detected: tests/textcode/data/strings/bin/cygmagic-1.dll:1", + "Warn: binary detected: tests/textcode/data/strings/bin/file_stripped:1", + "Warn: binary detected: tests/textcode/data/strings/bin/ia32_exec:1", + "Warn: binary detected: tests/textcode/data/strings/bin/ia64_exec:1", + "Warn: binary detected: tests/textcode/data/strings/bin/malformed_stringtable:1", + "Warn: binary detected: tests/textcode/data/strings/bin/mips32_exec:1", + "Warn: binary detected: tests/textcode/data/strings/bin/mips64_exec:1", + "Warn: binary detected: tests/textcode/data/strings/bin/msvci70.dll:1", + "Warn: binary detected: tests/textcode/data/strings/bin/php4embed.lib:1", + "Warn: binary detected: tests/textcode/data/strings/bin/pyexpat.lib:1", + "Warn: binary detected: tests/textcode/data/strings/bin/rlog.exe:1", + "Warn: binary detected: tests/textcode/data/strings/bin/shash.i686:1", + "Warn: binary detected: tests/textcode/data/strings/bin/shash.x86_64:1", + "Warn: binary detected: tests/textcode/data/strings/bin/ssdeep.i686:1", + "Warn: binary detected: tests/textcode/data/strings/bin/ssdeep.x86_64:1", + "Warn: binary detected: tests/textcode/data/strings/bin/sspi_protocol.dll:1", + "Warn: binary detected: tests/textcode/data/strings/bin/zlib.lib:1", + "Warn: binary detected: tests/textcode/data/strings/elf/shash.i686:1", + "Warn: binary detected: tests/textcode/data/strings/obj/test.o:1", + "Warn: binary detected: tests/textcode/data/strings/pe/7-zip-pe-with-unicode.dll:1", + 
"Warn: binary detected: tests/textcode/data/strings/wip-short_strings/false:1", + "Warn: binary detected: tests/textcode/data/strings/with-lf/strings.exe:1" + ], + "documentation": { + "short": "Determines if the project has generated executable (binary) artifacts in the source repository.", + "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#binary-artifacts" + } + }, + { + "name": "Pinned-Dependencies", + "score": 0, + "reason": "dependency not pinned by hash detected -- score normalized to 0", + "details": [ + "Info: Possibly incomplete results: error parsing shell code: a command can only contain words and redirects; encountered ): tests/cluecode/data/authors/expat-ltmain.sh:0", + "Info: Possibly incomplete results: error parsing shell code: a command can only contain words and redirects; encountered ): tests/cluecode/data/ics/expat-conftools/ltmain.sh:0", + "Info: Possibly incomplete results: error parsing shell code: invalid parameter name: tests/licensedcode/data/datadriven/lic2/apache_and_apache-2.0_and_public-domain.txt:0", + "Info: Possibly incomplete results: error parsing shell code: \"for\" must be followed by a literal: tests/licensedcode/data/datadriven/lic3/no_license_22.txt:0", + "Info: Possibly incomplete results: error parsing shell code: if statement must end with \"fi\": tests/packagedcode/data/bashlex/ltmain.sh:0", + "Info: Possibly incomplete results: error parsing shell code: unclosed here-document 'EOF': tests/packagedcode/data/bashlex/stripheredoc.sh:0", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/about-files-ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/about-files-ci.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/about-files-ci.yml:22: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/about-files-ci.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/docs-ci.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/docs-ci.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:246: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:249: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:254: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:292: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:295: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:300: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:337: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:340: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:345: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:459: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:465: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:471: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:477: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:483: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:489: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:495: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:501: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:507: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:513: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:519: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:525: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:531: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: third-party GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:541: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:566: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:571: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: third-party GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:581: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:106: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:180: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:188: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:378: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:381: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:386: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:419: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:422: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:427: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:145: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:212: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scancode-release.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/aboutcode-org/scancode-toolkit/scancode-release.yml/develop?enable=pin", + "Warn: containerImage not pinned by hash: Dockerfile:10: pin your Docker image by updating python:3.12-slim-bookworm to python:3.12-slim-bookworm@sha256:2a6386ad2db20e7f55073f69a98d6da2cf9f168e05e7487d2670baeb9b7601c5", + "Warn: pipCommand not pinned by hash: .github/workflows/docs-ci.yml:28", + "Warn: pipCommand not pinned by hash: .github/workflows/scancode-release.yml:264", + "Warn: pipCommand not pinned by hash: .github/workflows/scancode-release.yml:267", + "Info: 0 out of 52 GitHub-owned GitHubAction dependencies pinned", + "Info: 0 out of 2 third-party GitHubAction dependencies pinned", + "Info: 0 out of 1 containerImage dependencies pinned", + "Info: 0 out of 3 pipCommand dependencies pinned" + ], + "documentation": { + "short": "Determines if the project has declared and pinned the dependencies of its build process.", + "url": 
"https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#pinned-dependencies" + } + }, + { + "name": "Vulnerabilities", + "score": 0, + "reason": "383 existing vulnerabilities detected", + "details": [ + "Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6", + "Warn: Project is vulnerable to: PYSEC-2022-42969 / GHSA-w596-4wvx-j9j6", + "Warn: Project is vulnerable to: GHSA-g7vv-2v7x-gj9p", + "Warn: Project is vulnerable to: GHSA-248v-346w-9cwc", + "Warn: Project is vulnerable to: GHSA-h4gh-qq45-vh27", + "Warn: Project is vulnerable to: PYSEC-2022-42991 / GHSA-v3c5-jqr6-7qm8", + "Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h", + "Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj", + "Warn: Project is vulnerable to: PYSEC-2023-117 / GHSA-mrwq-x4v8-fh7p", + "Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56", + "Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf", + "Warn: Project is vulnerable to: GHSA-jfmj-5v4g-7637", + "Warn: Project is vulnerable to: RUSTSEC-2020-0159", + "Warn: Project is vulnerable to: RUSTSEC-2020-0071 / GHSA-wcg3-cvx6-7396", + "Warn: Project is vulnerable to: RUSTSEC-2022-0054 / GHSA-rc23-xxgq-x27g", + "Warn: Project is vulnerable to: GHSA-3hhc-qp5v-9p2j", + "Warn: Project is vulnerable to: GHSA-579w-22j4-4749", + "Warn: Project is vulnerable to: GHSA-9rf5-jm6f-2fmm", + "Warn: Project is vulnerable to: GHSA-hqf9-rc9j-5fmj", + "Warn: Project is vulnerable to: GHSA-r8fh-hq2p-7qhq", + "Warn: Project is vulnerable to: GHSA-xrr6-3pc4-m447", + "Warn: Project is vulnerable to: GHSA-j6gc-792m-qgm2", + "Warn: Project is vulnerable to: GHSA-j96r-xvjq-r9pg", + "Warn: Project is vulnerable to: GHSA-pj73-v5mw-pm9j", + "Warn: Project is vulnerable to: GHSA-2gw2-8q9w-cw8p", + "Warn: Project is vulnerable to: GHSA-34hf-g744-jw64", + "Warn: Project is vulnerable to: GHSA-r5hc-9xx5-97rw", + "Warn: Project is vulnerable to: GHSA-jppv-gw3r-w3q8", + "Warn: Project is vulnerable to: 
GHSA-5cm2-9h8c-rvfx", + "Warn: Project is vulnerable to: GHSA-8mq4-9jjh-9xrc", + "Warn: Project is vulnerable to: GHSA-gj4p-3wh3-2rmf", + "Warn: Project is vulnerable to: GHSA-xfhh-rx56-rxcr", + "Warn: Project is vulnerable to: GO-2020-0036 / GHSA-wxc4-f4m6-wwqv", + "Warn: Project is vulnerable to: GO-2021-0061 / GHSA-r88r-gmrh-7j83", + "Warn: Project is vulnerable to: GO-2022-0956 / GHSA-6q6q-88xp-6f2r", + "Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95", + "Warn: Project is vulnerable to: GHSA-2hvc-hwg3-hpvw", + "Warn: Project is vulnerable to: GHSA-2rp8-hff9-c5wr", + "Warn: Project is vulnerable to: GHSA-83g7-8fch-p37m", + "Warn: Project is vulnerable to: PYSEC-2023-122 / GHSA-8wfh-qxxv-3q8c", + "Warn: Project is vulnerable to: PYSEC-2023-126 / GHSA-9q9v-qgwx-84mr", + "Warn: Project is vulnerable to: GHSA-chj7-w3f6-cvfj", + "Warn: Project is vulnerable to: PYSEC-2023-125 / GHSA-cv2j-922j-hr56", + "Warn: Project is vulnerable to: GHSA-fh54-3vhg-mpc2", + "Warn: Project is vulnerable to: PYSEC-2023-124 / GHSA-hh7p-hvm3-rg88", + "Warn: Project is vulnerable to: GHSA-jwrc-3v3f-5cq5", + "Warn: Project is vulnerable to: GHSA-mrmm-qmrj-xgp6", + "Warn: Project is vulnerable to: GHSA-qqv2-35q8-p2g2", + "Warn: Project is vulnerable to: PYSEC-2023-123 / GHSA-rr46-m366-gm44", + "Warn: Project is vulnerable to: PYSEC-2022-43063", + "Warn: Project is vulnerable to: GHSA-xgfm-fjx6-62mj", + "Warn: Project is vulnerable to: GHSA-crqg-jrpj-fc84", + "Warn: Project is vulnerable to: GHSA-27xj-rqx5-2255", + "Warn: Project is vulnerable to: GHSA-288c-cq4h-88gq", + "Warn: Project is vulnerable to: GHSA-4gq5-ch57-c2mg", + "Warn: Project is vulnerable to: GHSA-4w82-r329-3q67", + "Warn: Project is vulnerable to: GHSA-57j2-w4cx-62h2", + "Warn: Project is vulnerable to: GHSA-58pp-9c76-5625", + "Warn: Project is vulnerable to: GHSA-5949-rw7g-wx7w", + "Warn: Project is vulnerable to: GHSA-5p34-5m6p-p58g", + "Warn: Project is vulnerable to: GHSA-5r5r-6hpj-8gg9", + "Warn: Project is 
vulnerable to: GHSA-5ww9-j83m-q7qx", + "Warn: Project is vulnerable to: GHSA-645p-88qh-w398", + "Warn: Project is vulnerable to: GHSA-6fpp-rgj9-8rwc", + "Warn: Project is vulnerable to: GHSA-6wqp-v4v6-c87c", + "Warn: Project is vulnerable to: GHSA-758m-v56v-grj4", + "Warn: Project is vulnerable to: GHSA-85cw-hj65-qqv9", + "Warn: Project is vulnerable to: GHSA-89qr-369f-5m5x", + "Warn: Project is vulnerable to: GHSA-8c4j-34r4-xr8g", + "Warn: Project is vulnerable to: GHSA-8w26-6f25-cm9x", + "Warn: Project is vulnerable to: GHSA-95cm-88f5-f2c7", + "Warn: Project is vulnerable to: GHSA-9gph-22xh-8x98", + "Warn: Project is vulnerable to: GHSA-9m6f-7xcq-8vf8", + "Warn: Project is vulnerable to: GHSA-9mxf-g3x6-wv74", + "Warn: Project is vulnerable to: GHSA-9vvp-fxw6-jcxr", + "Warn: Project is vulnerable to: GHSA-c265-37vj-cwcc", + "Warn: Project is vulnerable to: GHSA-c2q3-4qrh-fm48", + "Warn: Project is vulnerable to: GHSA-c8hm-7hpq-7jhg", + "Warn: Project is vulnerable to: GHSA-cf6r-3wgc-h863", + "Warn: Project is vulnerable to: GHSA-cggj-fvv3-cqwv", + "Warn: Project is vulnerable to: GHSA-cjjf-94ff-43w7", + "Warn: Project is vulnerable to: GHSA-cmfg-87vq-g5g4", + "Warn: Project is vulnerable to: GHSA-cvm9-fjm9-3572", + "Warn: Project is vulnerable to: GHSA-f3j5-rmmp-3fc5", + "Warn: Project is vulnerable to: GHSA-f9hv-mg5h-xcw9", + "Warn: Project is vulnerable to: GHSA-f9xh-2qgp-cq57", + "Warn: Project is vulnerable to: GHSA-fmmc-742q-jg75", + "Warn: Project is vulnerable to: GHSA-fqwf-pjwf-7vqv", + "Warn: Project is vulnerable to: GHSA-gjmw-vf9h-g25v", + "Warn: Project is vulnerable to: GHSA-gwp4-hfv6-p7hw", + "Warn: Project is vulnerable to: GHSA-gww7-p5w4-wrfv", + "Warn: Project is vulnerable to: GHSA-h3cw-g4mq-c5x2", + "Warn: Project is vulnerable to: GHSA-h4rc-386g-6m85", + "Warn: Project is vulnerable to: GHSA-h822-r4r5-v8jg", + "Warn: Project is vulnerable to: GHSA-j823-4qch-3rgm", + "Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff", + "Warn: Project is 
vulnerable to: GHSA-m6x4-97wx-4q27", + "Warn: Project is vulnerable to: GHSA-mc6h-4qgp-37qh", + "Warn: Project is vulnerable to: GHSA-mph4-vhrx-mv67", + "Warn: Project is vulnerable to: GHSA-mx7p-6679-8g3q", + "Warn: Project is vulnerable to: GHSA-mx9v-gmh4-mgqw", + "Warn: Project is vulnerable to: GHSA-p43x-xfjf-5jhr", + "Warn: Project is vulnerable to: GHSA-q93h-jc49-78gg", + "Warn: Project is vulnerable to: GHSA-qjw2-hr98-qgfh", + "Warn: Project is vulnerable to: GHSA-qmqc-x3r4-6v39", + "Warn: Project is vulnerable to: GHSA-qr7j-h6gg-jmgc", + "Warn: Project is vulnerable to: GHSA-r3gr-cxrf-hg25", + "Warn: Project is vulnerable to: GHSA-r695-7vr9-jgc2", + "Warn: Project is vulnerable to: GHSA-rf6r-2c4q-2vwg", + "Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4", + "Warn: Project is vulnerable to: GHSA-rpr3-cw39-3pxh", + "Warn: Project is vulnerable to: GHSA-v3xw-c963-f5hc", + "Warn: Project is vulnerable to: GHSA-v585-23hc-c647", + "Warn: Project is vulnerable to: GHSA-vfqx-33qm-g869", + "Warn: Project is vulnerable to: GHSA-wh8g-3j2c-rqj5", + "Warn: Project is vulnerable to: GHSA-x2w5-5m2g-7h5m", + "Warn: Project is vulnerable to: GHSA-78wr-2p64-hpwj", + "Warn: Project is vulnerable to: GHSA-gwrp-pvrq-jmwv", + "Warn: Project is vulnerable to: GHSA-fmj2-7wx8-qj4v", + "Warn: Project is vulnerable to: GHSA-36p3-wjmg-h94x", + "Warn: Project is vulnerable to: GHSA-hh26-6xwr-ggv7", + "Warn: Project is vulnerable to: GHSA-4gc7-5j7h-4qph", + "Warn: Project is vulnerable to: GHSA-g5mm-vmx4-3rg7", + "Warn: Project is vulnerable to: GHSA-3rmv-2pg5-xvqj", + "Warn: Project is vulnerable to: GHSA-4487-x383-qpph", + "Warn: Project is vulnerable to: GHSA-f26x-pr96-vw86", + "Warn: Project is vulnerable to: GHSA-ffvq-7w96-97p7", + "Warn: Project is vulnerable to: GHSA-g8hw-794c-4j9g", + "Warn: Project is vulnerable to: GHSA-p5hg-3xm3-gcjg", + "Warn: Project is vulnerable to: GHSA-rcpf-vj53-7h2m", + "Warn: Project is vulnerable to: GHSA-558x-2xjg-6232", + "Warn: Project is 
vulnerable to: GHSA-564r-hj7v-mcr5", + "Warn: Project is vulnerable to: GHSA-9cmq-m9j5-mvww", + "Warn: Project is vulnerable to: GHSA-wxqc-pxw9-g2p8", + "Warn: Project is vulnerable to: GHSA-9339-86wc-4qgf", + "Warn: Project is vulnerable to: GHSA-h592-38cm-4ggp", + "Warn: Project is vulnerable to: GHSA-qxxx-2pp7-5hmx", + "Warn: Project is vulnerable to: GHSA-rfx6-vp9g-rh7v", + "Warn: Project is vulnerable to: GHSA-w3f4-3q6j-rh82", + "Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw", + "Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42", + "Warn: Project is vulnerable to: GHSA-8g4q-xg66-9fp4", + "Warn: Project is vulnerable to: GHSA-25mq-v84q-4j7r", + "Warn: Project is vulnerable to: GHSA-cwmx-hcrq-mhc3", + "Warn: Project is vulnerable to: GHSA-f2wf-25xc-69c9", + "Warn: Project is vulnerable to: GHSA-q559-8m2m-g699", + "Warn: Project is vulnerable to: GHSA-w248-ffj2-4v5q", + "Warn: Project is vulnerable to: GHSA-qq5c-677p-737q", + "Warn: Project is vulnerable to: PYSEC-2015-8 / GHSA-6565-fg86-6jcx", + "Warn: Project is vulnerable to: PYSEC-2021-98 / GHSA-68w8-qjq3-2gfm", + "Warn: Project is vulnerable to: PYSEC-2015-7 / GHSA-6g95-x6cj-mg4v", + "Warn: Project is vulnerable to: PYSEC-2015-11 / GHSA-6wcr-wcqm-3mfh", + "Warn: Project is vulnerable to: PYSEC-2015-9 / GHSA-7fq8-4pv5-5w5c", + "Warn: Project is vulnerable to: PYSEC-2015-4 / GHSA-7qfw-j7hp-v45g", + "Warn: Project is vulnerable to: GHSA-2x8x-jmrp-phxw / GHSA-8x94-hmjh-97hq", + "Warn: Project is vulnerable to: PYSEC-2016-2 / GHSA-c8c8-9472-w52h", + "Warn: Project is vulnerable to: PYSEC-2016-3 / GHSA-crhm-qpjc-cm64", + "Warn: Project is vulnerable to: PYSEC-2016-16 / GHSA-fp6p-5xvw-m74f", + "Warn: Project is vulnerable to: PYSEC-2015-5 / GHSA-gv98-g628-m9x5", + "Warn: Project is vulnerable to: PYSEC-2015-20 / GHSA-h582-2pch-3xv3", + "Warn: Project is vulnerable to: GHSA-hmr4-m2h5-33qx", + "Warn: Project is vulnerable to: PYSEC-2015-18 / GHSA-j3j3-jrfh-cm2w", + "Warn: Project is vulnerable to: 
PYSEC-2015-6 / GHSA-jhjg-w2cp-5j44", + "Warn: Project is vulnerable to: PYSEC-2015-22 / GHSA-pgxh-wfw4-jx2v", + "Warn: Project is vulnerable to: PYSEC-2016-15 / GHSA-pw27-w7w4-9qc7", + "Warn: Project is vulnerable to: PYSEC-2015-10 / GHSA-q5qw-4364-5hhm", + "Warn: Project is vulnerable to: GHSA-rrqc-c2jx-6jgv", + "Warn: Project is vulnerable to: PYSEC-2019-16 / GHSA-vfq6-hq5r-27r6", + "Warn: Project is vulnerable to: PYSEC-2015-23 / GHSA-x38m-486c-2wr9", + "Warn: Project is vulnerable to: PYSEC-2016-18", + "Warn: Project is vulnerable to: PYSEC-2012-14 / GHSA-hjf3-r7gw-9rwg", + "Warn: Project is vulnerable to: PYSEC-2018-97 / GHSA-6528-wvf6-f6qg", + "Warn: Project is vulnerable to: PYSEC-2017-94 / GHSA-cq27-v7xp-c356", + "Warn: Project is vulnerable to: PYSEC-2012-16 / GHSA-v367-p58w-98h5", + "Warn: Project is vulnerable to: PYSEC-2013-29 / GHSA-x377-f64p-hf5j", + "Warn: Project is vulnerable to: PYSEC-2017-24 / GHSA-r9jw-mwhq-wp62", + "Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc", + "Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h", + "Warn: Project is vulnerable to: PYSEC-2015-17 / GHSA-pg2w-x9wp-vw92", + "Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg", + "Warn: Project is vulnerable to: PYSEC-2020-99 / GHSA-537h-rv9q-vvph", + "Warn: Project is vulnerable to: PYSEC-2020-100 / GHSA-xrx6-fmxq-rjj2", + "Warn: Project is vulnerable to: GHSA-9772-cwx9-r4cj", + "Warn: Project is vulnerable to: PYSEC-2020-92 / GHSA-hj5v-574p-mj7c", + "Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4", + "Warn: Project is vulnerable to: PYSEC-2018-49 / GHSA-rprw-h62v-c2w7", + "Warn: Project is vulnerable to: PYSEC-2022-42986 / GHSA-43fp-rhv2-5gv8", + "Warn: Project is vulnerable to: PYSEC-2023-135 / GHSA-xqr8-7jwr-rhp7", + "Warn: Project is vulnerable to: PYSEC-2021-140 / GHSA-9w8r-397f-prfh", + "Warn: Project is vulnerable to: PYSEC-2021-141 / GHSA-pq64-v7f5-gqh8", + "Warn: Project is vulnerable to: 
PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4", + "Warn: Project is vulnerable to: PYSEC-2019-132 / GHSA-r64q-w8jr-g9qp", + "Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f", + "Warn: Project is vulnerable to: PYSEC-2020-148 / GHSA-wqvq-5m8c-6g24", + "Warn: Project is vulnerable to: PYSEC-2021-108 / GHSA-q2q7-5pp4-w6pg", + "Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6", + "Warn: Project is vulnerable to: GHSA-cx63-2mw6-8hw5", + "Warn: Project is vulnerable to: PYSEC-2022-43012 / GHSA-r9hx-vwmv-q579", + "Warn: Project is vulnerable to: PYSEC-2021-421 / GHSA-h4m5-qpfp-3mpv", + "Warn: Project is vulnerable to: PYSEC-2023-120 / GHSA-45c4-8wx5-qw6w", + "Warn: Project is vulnerable to: PYSEC-2024-24 / GHSA-5h86-8mv2-jq9f", + "Warn: Project is vulnerable to: GHSA-5m98-qgg9-wh84", + "Warn: Project is vulnerable to: GHSA-7gpw-8wmc-pm8g", + "Warn: Project is vulnerable to: GHSA-8495-4g3g-x7pr", + "Warn: Project is vulnerable to: PYSEC-2024-26 / GHSA-8qpw-xqxj-h4r2", + "Warn: Project is vulnerable to: PYSEC-2023-246 / GHSA-gfw2-4jvh-wgfg", + "Warn: Project is vulnerable to: GHSA-jwhx-xcg6-8xhj", + "Warn: Project is vulnerable to: GHSA-pjjw-qhg8-p2p9", + "Warn: Project is vulnerable to: PYSEC-2023-250 / GHSA-q3qx-c6g2-7pw2", + "Warn: Project is vulnerable to: PYSEC-2023-251 / GHSA-qvrw-v9rv-5rjx", + "Warn: Project is vulnerable to: PYSEC-2021-76 / GHSA-v6wp-4m6f-gcjg", + "Warn: Project is vulnerable to: PYSEC-2023-247 / GHSA-xx9p-xxvh-7g8j", + "Warn: Project is vulnerable to: GHSA-55x5-fj6c-h6m8", + "Warn: Project is vulnerable to: PYSEC-2021-19 / GHSA-jq4v-f5q6-mjqq", + "Warn: Project is vulnerable to: PYSEC-2020-62 / GHSA-pgww-xf46-h92r", + "Warn: Project is vulnerable to: PYSEC-2022-230 / GHSA-wrxv-2j5q-m38w", + "Warn: Project is vulnerable to: PYSEC-2018-12 / GHSA-xp26-p53h-6h2p", + "Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q", + "Warn: Project is vulnerable to: GHSA-h47h-mwp9-c6q6", + "Warn: Project is 
vulnerable to: GHSA-4g8v-vg43-wpgf", + "Warn: Project is vulnerable to: GHSA-7wjx-3g7j-8584", + "Warn: Project is vulnerable to: GHSA-8727-m6gj-mc37", + "Warn: Project is vulnerable to: GHSA-8xww-x3g3-6jcv", + "Warn: Project is vulnerable to: GHSA-hjg4-8q5f-x6fm", + "Warn: Project is vulnerable to: GHSA-jp5v-5gx4-jmj9", + "Warn: Project is vulnerable to: GHSA-p84v-45xj-wwqj", + "Warn: Project is vulnerable to: GHSA-vfg9-r3fq-jvx4", + "Warn: Project is vulnerable to: GHSA-rmj8-8hhh-gv5h / GHSA-wh98-p28r-vrc9", + "Warn: Project is vulnerable to: GHSA-x76w-6vjr-8xgj", + "Warn: Project is vulnerable to: GHSA-65cv-r6x7-79hv", + "Warn: Project is vulnerable to: GHSA-86g5-2wh3-gc9j", + "Warn: Project is vulnerable to: GHSA-cfjv-5498-mph5", + "Warn: Project is vulnerable to: GHSA-ch3h-j2vf-95pv", + "Warn: Project is vulnerable to: GHSA-m63j-wh5w-c252", + "Warn: Project is vulnerable to: GHSA-xq5j-gw7f-jgj8", + "Warn: Project is vulnerable to: GHSA-q2qw-rmrh-vv42", + "Warn: Project is vulnerable to: GHSA-8hc4-xxm3-5ppp", + "Warn: Project is vulnerable to: GHSA-2p68-f74v-9wc6", + "Warn: Project is vulnerable to: GHSA-23c2-gwp5-pxw9", + "Warn: Project is vulnerable to: GHSA-6c3j-c64m-qhgq", + "Warn: Project is vulnerable to: GHSA-gxr4-xjj5-5px2", + "Warn: Project is vulnerable to: GHSA-jpcq-cgw6-v4j6", + "Warn: Project is vulnerable to: GHSA-228g-948r-83gx", + "Warn: Project is vulnerable to: GHSA-486f-hjj9-9vhh", + "Warn: Project is vulnerable to: GHSA-c3gv-9cxf-6f57", + "Warn: Project is vulnerable to: GHSA-g4xq-jx4w-4cjv", + "Warn: Project is vulnerable to: GHSA-x7rv-cr6v-4vm4", + "Warn: Project is vulnerable to: GHSA-242x-7cm6-4w8j", + "Warn: Project is vulnerable to: GHSA-286v-pcf5-25rc", + "Warn: Project is vulnerable to: GHSA-2qc6-mcvw-92cw", + "Warn: Project is vulnerable to: GHSA-2rr5-8q37-2w7h", + "Warn: Project is vulnerable to: GHSA-4hm9-844j-jmxp", + "Warn: Project is vulnerable to: GHSA-59gp-qqm7-cw4j", + "Warn: Project is vulnerable to: GHSA-6qvp-r6r3-9p7h", + 
"Warn: Project is vulnerable to: GHSA-7553-jr98-vx47", + "Warn: Project is vulnerable to: GHSA-7rrm-v45f-jp64", + "Warn: Project is vulnerable to: GHSA-882p-jqgm-f45g", + "Warn: Project is vulnerable to: GHSA-cf46-6xxh-pc75", + "Warn: Project is vulnerable to: GHSA-cgx6-hpwq-fhv5", + "Warn: Project is vulnerable to: GHSA-cr5j-953j-xw5p", + "Warn: Project is vulnerable to: GHSA-crjr-9rc5-ghw8", + "Warn: Project is vulnerable to: GHSA-fq42-c5rg-92c2", + "Warn: Project is vulnerable to: GHSA-gx8x-g87m-h5q6", + "Warn: Project is vulnerable to: GHSA-jc36-42cf-vqwj", + "Warn: Project is vulnerable to: GHSA-jw9f-hh49-cvp9", + "Warn: Project is vulnerable to: GHSA-pxvg-2qj5-37jq", + "Warn: Project is vulnerable to: GHSA-qxcg-xjjg-66mj", + "Warn: Project is vulnerable to: GHSA-r58r-74gx-6wx3", + "Warn: Project is vulnerable to: GHSA-r95h-9x8f-r3f7", + "Warn: Project is vulnerable to: GHSA-v4f8-2847-rwm7", + "Warn: Project is vulnerable to: GHSA-v6gp-9mmm-c6p5", + "Warn: Project is vulnerable to: GHSA-vcc3-rw6f-jv97", + "Warn: Project is vulnerable to: GHSA-vmfx-gcfq-wvm2", + "Warn: Project is vulnerable to: GHSA-vr8q-g5c7-m54m", + "Warn: Project is vulnerable to: GHSA-xc9x-jj77-9p9j", + "Warn: Project is vulnerable to: GHSA-xh29-r2w5-wx8m", + "Warn: Project is vulnerable to: GHSA-xxx9-3xcr-gjj3", + "Warn: Project is vulnerable to: GHSA-33vf-4xgg-9r58 / GHSA-84j7-475p-hp8v", + "Warn: Project is vulnerable to: GHSA-48w2-rm65-62xx", + "Warn: Project is vulnerable to: GHSA-68xg-gqqm-vgj8", + "Warn: Project is vulnerable to: GHSA-7xx3-m584-x994", + "Warn: Project is vulnerable to: GHSA-9hf4-67fc-4vf4", + "Warn: Project is vulnerable to: GHSA-c2f4-cvqm-65w2", + "Warn: Project is vulnerable to: GHSA-h99w-9q5r-gjq9", + "Warn: Project is vulnerable to: GHSA-q28m-8xjw-8vr5", + "Warn: Project is vulnerable to: GHSA-w64w-qqph-5gxm", + "Warn: Project is vulnerable to: GHSA-x7jg-6pwg-fx5h", + "Warn: Project is vulnerable to: GHSA-22f2-v57c-j9cx", + "Warn: Project is vulnerable to: 
GHSA-3h57-hmj3-gj3p", + "Warn: Project is vulnerable to: GHSA-54rr-7fvw-6x8f", + "Warn: Project is vulnerable to: GHSA-5f9h-9pjv-v6j7", + "Warn: Project is vulnerable to: GHSA-5r2p-j47h-mhpg", + "Warn: Project is vulnerable to: GHSA-65f5-mfpf-vfhj", + "Warn: Project is vulnerable to: GHSA-93pm-5p5f-3ghx", + "Warn: Project is vulnerable to: GHSA-c6qg-cjj8-47qp", + "Warn: Project is vulnerable to: GHSA-hrqr-hxpp-chr3", + "Warn: Project is vulnerable to: GHSA-hxqx-xwvh-44m2", + "Warn: Project is vulnerable to: GHSA-j6w9-fv6q-3q52", + "Warn: Project is vulnerable to: GHSA-rqv2-275x-2jq5", + "Warn: Project is vulnerable to: GHSA-wq4h-7r42-5hrr", + "Warn: Project is vulnerable to: GHSA-xj5v-6v4g-jfw6", + "Warn: Project is vulnerable to: GHSA-5x79-w82f-gw8w", + "Warn: Project is vulnerable to: GHSA-9h9g-93gc-623h", + "Warn: Project is vulnerable to: GHSA-mcvf-2q2m-x72m", + "Warn: Project is vulnerable to: GHSA-pg8v-g4xq-hww9", + "Warn: Project is vulnerable to: GHSA-px3r-jm9g-c8w8", + "Warn: Project is vulnerable to: GHSA-rrfc-7g8p-99q8", + "Warn: Project is vulnerable to: GHSA-pr3h-jjhj-573x", + "Warn: Project is vulnerable to: GHSA-g6wq-qcwm-j5g2", + "Warn: Project is vulnerable to: GHSA-jxhc-q857-3j6g", + "Warn: Project is vulnerable to: GHSA-3xg8-cc8f-9wv2", + "Warn: Project is vulnerable to: GHSA-2m96-52r3-2f3g", + "Warn: Project is vulnerable to: GHSA-cxf7-qrc5-9446", + "Warn: Project is vulnerable to: GHSA-5c5f-7vfq-3732", + "Warn: Project is vulnerable to: GHSA-3x8r-x6xp-q4vm", + "Warn: Project is vulnerable to: GHSA-ggxm-pgc9-g7fp", + "Warn: Project is vulnerable to: GHSA-q3wr-qw3g-3p4h", + "Warn: Project is vulnerable to: GHSA-gc3j-vvwf-4rp8", + "Warn: Project is vulnerable to: GHSA-r8xx-8vm8-x6wj", + "Warn: Project is vulnerable to: GHSA-r9mq-m72x-257g", + "Warn: Project is vulnerable to: GHSA-9hmq-fm33-x4xx", + "Warn: Project is vulnerable to: GHSA-2rxp-v6pw-ch6m", + "Warn: Project is vulnerable to: GHSA-4xqq-m2hx-25v8", + "Warn: Project is vulnerable to: 
GHSA-5866-49gr-22v4", + "Warn: Project is vulnerable to: GHSA-8cr8-4vfw-mr7h", + "Warn: Project is vulnerable to: GHSA-r55c-59qm-vjw6", + "Warn: Project is vulnerable to: GHSA-vg3r-rm7w-2xgh", + "Warn: Project is vulnerable to: GHSA-vmwr-mc7x-5vc3", + "Warn: Project is vulnerable to: GHSA-3qc2-v3hp-6cv8", + "Warn: Project is vulnerable to: GHSA-grh7-935j-hg6w", + "Warn: Project is vulnerable to: GHSA-jrfj-98qg-qjgv", + "Warn: Project is vulnerable to: GHSA-hxx2-7vcw-mqr3", + "Warn: Project is vulnerable to: GHSA-qp49-3pvw-x4m5", + "Warn: Project is vulnerable to: GHSA-6f62-3596-g6w7", + "Warn: Project is vulnerable to: GHSA-jphg-qwrw-7w9g", + "Warn: Project is vulnerable to: GHSA-8c56-cpmw-89x7", + "Warn: Project is vulnerable to: GHSA-x2fm-93ww-ggvx", + "Warn: Project is vulnerable to: GHSA-mm33-5vfq-3mm3", + "Warn: Project is vulnerable to: GHSA-wwhv-wxv9-rpgw", + "Warn: Project is vulnerable to: GHSA-xp5h-f8jf-rc8q", + "Warn: Project is vulnerable to: GHSA-hq7p-j377-6v63", + "Warn: Project is vulnerable to: GHSA-8h22-8cf7-hq6g", + "Warn: Project is vulnerable to: GHSA-cr5q-6q9f-rq6q", + "Warn: Project is vulnerable to: GHSA-w749-p3v6-hccq", + "Warn: Project is vulnerable to: GHSA-frgf-8jr5-j2jv", + "Warn: Project is vulnerable to: GHSA-fwhr-88qx-h9g7", + "Warn: Project is vulnerable to: GHSA-qphc-hf5q-v8fc", + "Warn: Project is vulnerable to: GHSA-3vfw-7rcp-3xgm", + "Warn: Project is vulnerable to: GHSA-7g65-ghrg-hpf5", + "Warn: Project is vulnerable to: GHSA-92w9-2pqw-rhjj", + "Warn: Project is vulnerable to: GHSA-fcqf-h4h4-695m", + "Warn: Project is vulnerable to: GHSA-ffpv-c4hm-3x6v", + "Warn: Project is vulnerable to: GHSA-hgpp-pp89-4fgf", + "Warn: Project is vulnerable to: GHSA-j838-vfpq-fmf2", + "Warn: Project is vulnerable to: GHSA-jmgw-6vjg-jjwg", + "Warn: Project is vulnerable to: GHSA-q34c-48gc-m9g8", + "Warn: Project is vulnerable to: GHSA-q58j-fmvf-9rq6", + "Warn: Project is vulnerable to: GHSA-q759-hwvc-m3jg", + "Warn: Project is vulnerable to: 
GHSA-v5jg-558j-q67c",
+ "Warn: Project is vulnerable to: GHSA-v9v4-7jp6-8c73",
+ "Warn: Project is vulnerable to: GHSA-xrr4-p6fq-hjg7",
+ "Warn: Project is vulnerable to: GHSA-9fh3-vh3h-q4g3",
+ "Warn: Project is vulnerable to: GHSA-h835-75hw-pj89",
+ "Warn: Project is vulnerable to: GHSA-xgr2-v94m-rc9g",
+ "Warn: Project is vulnerable to: GHSA-6wj9-77wq-jq7p",
+ "Warn: Project is vulnerable to: GHSA-fr52-4hqw-p27f",
+ "Warn: Project is vulnerable to: GHSA-pf6m-fxpq-fg8v",
+ "Warn: Project is vulnerable to: GHSA-h77x-m5q8-c29h",
+ "Warn: Project is vulnerable to: GHSA-v6j3-7jrw-hq2p",
+ "Warn: Project is vulnerable to: GHSA-v882-ccj6-jc48",
+ "Warn: Project is vulnerable to: GHSA-xc85-32mf-xpv8",
+ "Warn: Project is vulnerable to: GHSA-48wp-p9qv-4j64",
+ "Warn: Project is vulnerable to: GHSA-4qw4-jpp4-8gvp",
+ "Warn: Project is vulnerable to: GHSA-636f-xm5j-pj9m",
+ "Warn: Project is vulnerable to: GHSA-7vh7-fw88-wj87",
+ "Warn: Project is vulnerable to: GHSA-fmx4-26r3-wxpf",
+ "Warn: Project is vulnerable to: GHSA-8c8q-2xw3-j869",
+ "Warn: Project is vulnerable to: GHSA-5g4r-2qhx-vqfm",
+ "Warn: Project is vulnerable to: GHSA-2qrg-x229-3v8q",
+ "Warn: Project is vulnerable to: GHSA-65fg-84f6-3jq3",
+ "Warn: Project is vulnerable to: GHSA-f7vh-qwp3-x37m",
+ "Warn: Project is vulnerable to: GHSA-fp5r-v3w9-4333",
+ "Warn: Project is vulnerable to: GHSA-w9p3-5cr8-m3jj"
+ ],
+ "documentation": {
+ "short": "Determines if the project has open, known unfixed vulnerabilities.",
+ "url": "https://github.com/ossf/scorecard/blob/51f31c9882b6e5998e0df571096147a99842092b/docs/checks.md#vulnerabilities"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/scanpipe/tests/regen_test_data.py b/scanpipe/tests/regen_test_data.py
index 0b8bddd1b..acd856bc7 100644
--- a/scanpipe/tests/regen_test_data.py
+++ b/scanpipe/tests/regen_test_data.py
@@ -26,6 +26,8 @@ from django.core.management import call_command
 from django.test import TestCase
+import requests
+
 from scanpipe.models import Project
 from scanpipe.pipes import codebase
 from scanpipe.pipes import input
@@ -149,3 +151,32 @@ def test_regen_asgiref_test_files(self):
 "package": True,
 },
 )
+
+ def test_regenerate_scorecard_data(self):
+ """
+ Regenerate and save scorecard data by directly calling the OSSF Scorecard
+ API
+ """
+ scorecard_data_file = self.data / "scorecode" / "scorecard_response.json"
+ platform, org, repo = "github.com", "nexB", "scancode-toolkit"
+
+ OSSF_SCORECARD_API_URL = "https://api.securityscorecards.dev"
+
+ url = f"{OSSF_SCORECARD_API_URL}/projects/{platform}/{org}/{repo}"
+
+ try:
+ # Fetch the scorecard data from the API
+ response = requests.get(url, timeout=10)
+ response.raise_for_status()
+ scorecard_data = response.json()
+
+ scorecard_data_file.parent.mkdir(parents=True, exist_ok=True)
+
+ scorecard_data_file.write_text(json.dumps(scorecard_data, indent=2))
+
+ print(f"Scorecard data successfully saved to {scorecard_data_file}")
+
+ except requests.exceptions.Timeout:
+ print("The request timed out.")
+ except requests.exceptions.RequestException as e:
+ print(f"Error fetching scorecard data: {e}")
diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py
index befe3b652..83ad85942 100644
--- a/scanpipe/tests/test_models.py
+++ b/scanpipe/tests/test_models.py
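Review bot: The two `except` handlers closing `test_regenerate_scorecard_data` only `print` and return, so a timed-out or failed fetch leaves the previous `scorecard_response.json` in place while the test reports success; `self.fail(f"Error fetching scorecard data: {e}")` in the `RequestException` handler (or simply letting the exception propagate) would make a stale fixture visible. The separate `requests.exceptions.Timeout` handler is redundant, since `Timeout` derives from `RequestException` and the second handler already covers it. The body passed to `write_text` is the API response taken verbatim, so a minimal shape check before writing — for example that the top-level list of check results this fixture ends with is present and non-empty — would stop an error payload from silently overwriting the fixture. `json.dumps` is called but no `json` import appears in this diff, so it is presumably imported earlier in the file; worth confirming, since the first hunk adds `import requests` next to the existing imports.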
@@ -54,12 +54,14 @@ from packageurl import PackageURL
 from requests.exceptions import RequestException
 from rq.job import JobStatus
+from scorecode.models import PackageScore
 from scancodeio import __version__ as scancodeio_version
 from scanpipe.models import CodebaseRelation
 from scanpipe.models import CodebaseResource
 from scanpipe.models import DiscoveredDependency
 from scanpipe.models import DiscoveredPackage
+from scanpipe.models import DiscoveredPackageScore
 from scanpipe.models import Project
 from scanpipe.models import ProjectMessage
 from scanpipe.models import Run
@@ -84,6 +86,7 @@ from scanpipe.tests import mocked_now
 from scanpipe.tests import package_data1
 from scanpipe.tests import package_data2
+from scanpipe.tests import scorecard_data
 from scanpipe.tests.pipelines.do_nothing import DoNothing
 scanpipe_app = apps.get_app_config("scanpipe")
@@ -2401,6 +2404,7 @@ def test_scanpipe_package_model_integrity_with_toolkit_package_model(self):
 "resolved_from_dependencies",
 "parent_packages",
 "children_packages",
+ "discovered_packages_score",
 "notes",
 ]
@@ -2495,6 +2499,29 @@ def test_scanpipe_codebase_resource_queryset_elfs(self):
 self.assertTrue("e" in paths)
 self.assertTrue("a" in paths)
+ def test_scorecard_models(self):
+ package = DiscoveredPackage.create_from_data(self.project1, package_data1)
+ scorecard_obj = PackageScore.from_data(scorecard_data)
+ package_score = DiscoveredPackageScore.create_from_package_and_scorecard(
+ package=package, scorecard_data=scorecard_obj
+ )
+
+ self.assertIsNotNone(package_score)
+ self.assertEqual(
+ package_score.scoring_tool, DiscoveredPackageScore.ScoringTool.OSSF
+ )
+ self.assertGreaterEqual(float(package_score.score), -1)
+
+ checks = package_score.discovered_packages_score_checks.all()
+ self.assertGreaterEqual(checks.count(), 1)
+
+ for check in checks:
+ self.assertIsInstance(check.check_name, str)
+ if check.check_score == "-1":
+ self.assertEqual(check.check_score, "-1")
+ else:
+ self.assertRegex(check.check_score, r"^\d+(\.\d+)?$")
+
 def test_scanpipe_model_codebase_resource_compliance_alert_queryset_mixin(self):
 severities = CodebaseResource.Compliance
 make_resource_file(self.project1, path="none")
diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
index 5c864a8f7..45e2924b5 100644
--- a/scanpipe/tests/test_pipelines.py
+++ b/scanpipe/tests/test_pipelines.py
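Review bot: In the `for check in checks` loop of `test_scorecard_models`, the branch `if check.check_score == "-1": self.assertEqual(check.check_score, "-1")` asserts exactly its own condition and can never fail; both branches reduce to the single line `self.assertRegex(check.check_score, r"^(-1|\d+(\.\d+)?)$")`. The earlier `self.assertGreaterEqual(float(package_score.score), -1)` accepts any value from -1 upward, so if the score is expected to stay within the Scorecard 0–10 range (with -1 as the not-applicable sentinel), `self.assertLessEqual(float(package_score.score), 10)` pins the upper bound too. Nothing in the test compares a stored value with `scorecard_data` itself; asserting `package_score.score` against the fixture's overall score, if the fixture carries one, would catch a mapping error in `create_from_package_and_scorecard`, whose implementation is outside this diff.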
@@ -1235,6 +1235,39 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration(
 expected = vulnerability_data[0]["affected_by_vulnerabilities"]
 self.assertEqual(expected, package1.affected_by_vulnerabilities)
+ @mock.patch("scorecode.ossf_scorecard.is_available")
+ def test_scanpipe_get_scorecard_info_packages_integration(self, mock_is_available):
+ pipeline_name = "fetch_scorecode_info"
+ project1 = Project.objects.create(name="Analysis")
+ package1 = DiscoveredPackage.create_from_data(project1, package_data1)
+ package1.vcs_url = "https://github.com/ossf/scorecard"
+ package1.save()
+
+ run = project1.add_pipeline(pipeline_name)
+ pipeline = run.make_pipeline_instance()
+ mock_is_available.return_value = False
+ exitcode, out = pipeline.execute()
+ self.assertEqual(1, exitcode, msg=out)
+ self.assertIn("scorecode service is not available.", out)
+
+ run = project1.add_pipeline(pipeline_name)
+ pipeline = run.make_pipeline_instance()
+ # mock_is_configured.return_value = True
+ mock_is_available.return_value = True
+
+ exitcode, out = pipeline.execute()
+ self.assertEqual(0, exitcode, msg=out)
+
+ package1.refresh_from_db()
+ self.assertIsNotNone(
+ package1.discovered_packages_score.filter(scoring_tool="ossf-scorecard")[
+ 0
+ ].score,
+ msg=out,
+ )
+
+ self.assertEqual("https://github.com/ossf/scorecard", package1.vcs_url)
+
 def test_scanpipe_resolve_dependencies_pipeline_integration(self):
 pipeline_name = "resolve_dependencies"
 project1 = Project.objects.create(name="Analysis")
diff --git a/setup.cfg b/setup.cfg
index db8704907..68bc0a4b7 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -100,6 +100,8 @@ install_requires =
 fontawesomefree==6.6.0
 # MatchCode-toolkit
 matchcode-toolkit==7.0.0
+ # ScoreCode
+ scorecode==0.0.2
 # Univers
 univers==30.12.1
 # Markdown
@@ -128,6 +130,7 @@ dev =
 android_analysis =
 android_inspector==0.0.1
+
 [options.entry_points]
 console_scripts =
 scanpipe = scancodeio:command_line
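Review bot: The commented-out line `# mock_is_configured.return_value = True` before the second `mock_is_available.return_value = True` in `test_scanpipe_get_scorecard_info_packages_integration` is dead code and should be dropped. Only `scorecode.ossf_scorecard.is_available` is patched, so the second `pipeline.execute()` appears to depend on a live lookup of `https://github.com/ossf/scorecard` by the `fetch_scorecode_info` pipeline (its body is outside this diff); if that is the case, the assertion of exit code 0 is network-dependent and will fail offline, and the fetch should be patched to return fixture data in the same way `is_available` is. Indexing the queryset with `[0]` inside `assertIsNotNone` turns an empty result into an `IndexError` that discards `msg=out`; `.first()` followed by `self.assertIsNotNone(score_obj, msg=out)` keeps the pipeline output in the failure message.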
@@ -143,6 +146,7 @@ scancodeio_pipelines =
 collect_symbols_tree_sitter = scanpipe.pipelines.collect_symbols_tree_sitter:CollectSymbolsTreeSitter
 enrich_with_purldb = scanpipe.pipelines.enrich_with_purldb:EnrichWithPurlDB
 find_vulnerabilities = scanpipe.pipelines.find_vulnerabilities:FindVulnerabilities
+ fetch_scorecode_info = scanpipe.pipelines.fetch_scorecode_info:FetchScoreCodeInfo
 inspect_elf_binaries = scanpipe.pipelines.inspect_elf_binaries:InspectELFBinaries
 inspect_packages = scanpipe.pipelines.inspect_packages:InspectPackages
 load_inventory = scanpipe.pipelines.load_inventory:LoadInventory
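Review bot: `fetch_scorecode_info` is inserted after `find_vulnerabilities`, which breaks the alphabetical order the surrounding `scancodeio_pipelines` entries keep (`collect_symbols_tree_sitter`, `enrich_with_purldb`, `find_vulnerabilities`, `inspect_elf_binaries`, …); it belongs directly before `find_vulnerabilities`. This is a style point only — the entry point line itself is well-formed.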