
Updated Scorecard Report (Manually) #981

Merged (1 commit) on May 12, 2023

Conversation

UlisesGascon (Member)

Main changes

  • This new version includes the commit hash in the reports visualization link, thanks @KoolTheba
  • Added updated version for the Scorecard report.

Context

This is related to #977

Analysis

Key repos

| Repository | Commit | Score | Date | Difference | Report Link | StepSecurity Link |
| --- | --- | --- | --- | --- | --- | --- |
| nodejs/node | 12a93ce | 7.3 | 2023-05-10T08:02:33Z | 0 | Full Report | Fix it |
| nodejs/security-wg | b3757f5 | 8.2 | 2023-05-09T11:18:48Z | 0 | Full Report | Fix it |
| nodejs/undici | 241dfaf | 5.9 | 2023-05-09T10:24:29Z | 0.2 | Full Report | Fix it |

Report Details

Conclusions

  • Node and security-wg: same results as in the previous review
  • Undici has some "organic" changes:
    • Reduced score in CI-Tests. Reasoning: "28 out of 29 merged prs checked by a ci test -- score normalized to 9" (previously: "27 out of 27 merged prs checked by a ci test -- score normalized to 10")
    • Increased score in Code-Review. Reasoning: "found 1 unreviewed human changesets" (previously: "found 5 unreviewed human changesets")

Additional context

  • link to the StepSecurity Dashboard for the Node.js org

@UlisesGascon UlisesGascon changed the title Updated Scorecard Report Updated Scorecard Report (Manually) May 10, 2023
@UlisesGascon UlisesGascon marked this pull request as ready for review May 10, 2023 11:23
@tniessen (Member)

I am curious why the report says 7.3 but the Step Security page that you are referring to, as well as deps.dev that the report refers to, both say 6.8. Both claim to use scorecard version 4.10.5 and the analyzed commits are similar enough to not justify the difference. This has probably come up before and I likely just missed some discussions around this :)

@UlisesGascon (Member, Author)

Great question @tniessen :)

The Scorecard API information about Node.js is updated frequently (cron, push to main or manual trigger). In order to make it more accessible for analysis, the Scorecard is using the commit hash as a reference to return the scorecard information.

deps.dev and the StepSecurity Dashboard are using the last available record about the project and not one specific commit hash on the timeline. The report currently uses the OpenSSF Scorecard visualizer as an alternative visualizer that allows us to check the scorecard on a specific commit hash. That way it is easier for us to check the evolution between meetings :)

I add here some screenshots in case that you want to check the commit hash in each service:

StepSecurity Dashboard

[Screenshot 2023-05-11 13:10:01]

deps.dev

[Screenshot 2023-05-11 13:09:54]

OpenSSF Scorecard visualizer

[Screenshot 2023-05-11 13:10:10]

BTW @KoolTheba is working on the next version of the tool, which will include an option to compare the differences between 2 commits in terms of Scorecard results.
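The reply above explains why a report pinned to a commit hash can differ from dashboards that show the latest record, and why comparing two commits is the useful view between meetings. The following added example (not the security-wg report tooling nor the visualizer's code) shows both halves: building the per-commit versus latest Scorecard API URL, and diffing two Scorecard JSON results check by check. The `commit` query parameter, the visualizer URL layout, the previous undici commit hash and the Code-Review scores are assumptions; the CI-Tests reasons and the 5.7 to 5.9 aggregate are taken from the numbers in this PR.

```python
"""Compare two OpenSSF Scorecard results for one repo at different commits.

Added example, not code from nodejs/security-wg or the Scorecard visualizer.
The sample JSON below is constructed to mirror the undici changes in this PR;
the Scorecard result layout (repo, score, checks[name, score, reason]) matches
the public Scorecard JSON format.
"""
from typing import Optional
from urllib.parse import quote

SCORECARD_API = "https://api.securityscorecards.dev"
# Assumed visualizer URL layout; check the visualizer's own docs before use.
VISUALIZER = "https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects"


def scorecard_api_url(repo: str, commit: Optional[str] = None) -> str:
    """URL for github.com/<org>/<repo>.

    Without `commit` the API returns the latest record (what deps.dev and the
    StepSecurity dashboard display). With `commit` it returns the run for that
    exact hash, which is what a pinned report should reference. The `commit`
    query parameter is assumed from the public API; verify against its spec.
    """
    url = f"{SCORECARD_API}/projects/github.com/{repo}"
    return f"{url}?commit={quote(commit)}" if commit else url


def visualizer_url(repo: str, commit: str) -> str:
    """Link to the visualizer pinned to one commit (assumed layout)."""
    return f"{VISUALIZER}/github.com/{repo}/commit/{commit}"


def diff_checks(prev: dict, curr: dict) -> dict:
    """Per-check score/reason changes between two Scorecard results."""
    prev_checks = {c["name"]: c for c in prev["checks"]}
    curr_checks = {c["name"]: c for c in curr["checks"]}
    changes = {}
    for name in sorted(set(prev_checks) | set(curr_checks)):
        p, c = prev_checks.get(name), curr_checks.get(name)
        if p is None or c is None:
            # A check appearing or disappearing usually means a Scorecard
            # version change, not a change in the repository.
            changes[name] = {"prev": p and p["score"], "curr": c and c["score"],
                             "note": "check added or removed"}
        elif p["score"] != c["score"] or p["reason"] != c["reason"]:
            changes[name] = {"prev": p["score"], "curr": c["score"],
                             "prev_reason": p["reason"], "curr_reason": c["reason"]}
    return {
        "repo": curr["repo"]["name"],
        "prev_commit": prev["repo"]["commit"],
        "curr_commit": curr["repo"]["commit"],
        "score_delta": round(curr["score"] - prev["score"], 1),
        "changes": changes,
    }


# Constructed sample results. "abc1234" is a made-up previous commit; the
# Code-Review scores (8 -> 9) are assumed, the CI-Tests reasons are from the PR.
PREV = {
    "repo": {"name": "github.com/nodejs/undici", "commit": "abc1234"},
    "score": 5.7,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "CI-Tests", "score": 10,
         "reason": "27 out of 27 merged prs checked by a ci test -- score normalized to 10"},
        {"name": "Code-Review", "score": 8, "reason": "found 5 unreviewed human changesets"},
    ],
}
CURR = {
    "repo": {"name": "github.com/nodejs/undici", "commit": "241dfaf"},
    "score": 5.9,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "CI-Tests", "score": 9,
         "reason": "28 out of 29 merged prs checked by a ci test -- score normalized to 9"},
        {"name": "Code-Review", "score": 9, "reason": "found 1 unreviewed human changesets"},
    ],
}

if __name__ == "__main__":
    print(scorecard_api_url("nodejs/undici", CURR["repo"]["commit"]))
    print(visualizer_url("nodejs/undici", CURR["repo"]["commit"]))
    result = diff_checks(PREV, CURR)
    print(f"{result['repo']} {result['prev_commit']} -> {result['curr_commit']}: "
          f"aggregate {result['score_delta']:+}")
    for name, change in result["changes"].items():
        print(f"  {name}: {change['prev']} -> {change['curr']}")
```

Pointing `scorecard_api_url` at the latest record and at the pinned hash, and diffing the two, reproduces the kind of discrepancy raised in the thread: the dashboards show whatever run is newest, while the report row stays tied to the commit it was generated from.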

@UlisesGascon UlisesGascon merged commit e088189 into nodejs:main May 12, 2023