
✨ Return inconclusive result if no fuzzing is detected #1816

Closed
wants to merge 1 commit into from

Conversation

laurentsimon (Contributor)

Return inconclusive result if no fuzzing is detected
No breaking changes

Return inconclusive result if no fuzzing is detected

@@ -86,5 +86,5 @@ func Fuzzing(c *checker.CheckRequest) checker.CheckResult {
"project is fuzzed in OSS-Fuzz")
}

return checker.CreateMinScoreResult(CheckFuzzing, "project is not fuzzed")
return checker.CreateInconclusiveResult(CheckFuzzing, "could not determine if project is fuzzed")
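Review bot: The new message "could not determine if project is fuzzed" drops the information a user needs most at this point in the function, namely which integrations were examined before giving up; the only earlier exit visible in the hunk is the OSS-Fuzz match ("project is fuzzed in OSS-Fuzz"), so a reader of the inconclusive result cannot tell whether anything else was checked. Consider naming the recognized platforms in the message or in the result details, and decide explicitly whether "none of the recognized platforms matched" should really be inconclusive rather than a minimum score, since the two are scored differently; a unit test covering the new return path would document that decision.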
Contributor (review comment):

Let's make the message explicit: "project not fuzzed through any platforms recognizable by Scorecard: oss-fuzz, CFLite. File a support request [here](https://github.com/ossf/scorecard/issues/897) if you would like support for other fuzzing platforms." Can even keep this as a failing case instead of inconclusive.

laurentsimon (Contributor Author, review comment):

If we want to have a generic "File a support request" message, I think we should do this in another PR and for all checks. The details already have the details on which platforms are not found.

laurentsimon (Contributor Author, review comment):

Mhh, the details don't have this, but they should. I'll update this PR to fix that too.
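The review thread turns on the difference between "not fuzzed" (every recognized platform was examined and none matched, with the details saying so) and "inconclusive" (the check could not finish). The following is an added illustration of that distinction in Go; it is not Scorecard's code and does not use Scorecard's `checker` package. It assumes two signals that a check could consult: an OSS-Fuzz membership lookup that may fail, and the repository's workflow files, in which the ClusterFuzzLite action `google/clusterfuzzlite/actions/run_fuzzers` (assumed identifier) is searched for. All inputs in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Outcome models the three results a check can produce. These names are
// illustrative and are not Scorecard's own types.
type Outcome int

const (
	Fuzzed Outcome = iota
	NotFuzzed
	Inconclusive
)

func (o Outcome) String() string {
	switch o {
	case Fuzzed:
		return "fuzzed"
	case NotFuzzed:
		return "not fuzzed"
	default:
		return "inconclusive"
	}
}

// Result carries the outcome, a human-readable reason and per-platform
// details, so the consumer can see which integrations were examined.
type Result struct {
	Outcome Outcome
	Reason  string
	Details []string
}

// RepoSignals is the constructed input for the check: workflow file contents
// keyed by path, and an OSS-Fuzz membership lookup that may return an error.
type RepoSignals struct {
	Workflows map[string]string
	InOSSFuzz func() (bool, error)
}

// cfliteAction is the ClusterFuzzLite GitHub Action searched for in
// workflows (assumed identifier, see lead-in).
const cfliteAction = "google/clusterfuzzlite/actions/run_fuzzers"

// CheckFuzzing returns Fuzzed when a recognized platform is found, NotFuzzed
// with explicit details when every recognized platform was examined and none
// matched, and Inconclusive only when a lookup could not be completed.
func CheckFuzzing(r RepoSignals) Result {
	if r.InOSSFuzz == nil {
		return Result{Outcome: Inconclusive, Reason: "could not determine if project is fuzzed: no OSS-Fuzz lookup configured"}
	}
	found, err := r.InOSSFuzz()
	if err != nil {
		// A failed lookup is the only case where we genuinely do not know.
		return Result{
			Outcome: Inconclusive,
			Reason:  "could not determine if project is fuzzed: OSS-Fuzz lookup failed",
			Details: []string{"OSS-Fuzz: lookup error: " + err.Error()},
		}
	}
	if found {
		return Result{Outcome: Fuzzed, Reason: "project is fuzzed in OSS-Fuzz", Details: []string{"OSS-Fuzz: project found"}}
	}
	details := []string{"OSS-Fuzz: project not found"}

	for path, body := range r.Workflows {
		if strings.Contains(body, cfliteAction) {
			return Result{Outcome: Fuzzed, Reason: "project is fuzzed with ClusterFuzzLite", Details: append(details, "CFLite: "+path)}
		}
	}
	details = append(details, "CFLite: no workflow uses "+cfliteAction)

	// Every recognized platform was examined: this is an explicit negative,
	// not an unknown, and the details say exactly what was checked.
	return Result{
		Outcome: NotFuzzed,
		Reason:  "project not fuzzed through any platform recognized by this check: OSS-Fuzz, CFLite",
		Details: details,
	}
}

func main() {
	// Constructed sample inputs (not real repositories).
	notInOSSFuzz := func() (bool, error) { return false, nil }
	cases := map[string]RepoSignals{
		"oss-fuzz project": {InOSSFuzz: func() (bool, error) { return true, nil }},
		"cflite workflow":  {Workflows: map[string]string{".github/workflows/cflite.yml": "uses: " + cfliteAction + "@v1"}, InOSSFuzz: notInOSSFuzz},
		"plain ci":         {Workflows: map[string]string{".github/workflows/ci.yml": "uses: actions/checkout@v3"}, InOSSFuzz: notInOSSFuzz},
		"lookup failure":   {InOSSFuzz: func() (bool, error) { return false, errors.New("network timeout") }},
	}
	for name, sig := range cases {
		res := CheckFuzzing(sig)
		fmt.Printf("%-17s -> %-12s %s\n", name, res.Outcome, res.Reason)
		for _, d := range res.Details {
			fmt.Println("     ", d)
		}
	}
}
```

The design point is that "inconclusive" is reserved for a check that could not complete, while a repository that was fully examined and matched nothing gets a definite negative whose details list every platform that was tried; that is what makes the outcome actionable for a maintainer.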

evverx (Contributor) commented Apr 15, 2022

FWIW I think the fuzzing check is kind of broken at this point because projects integrated into OSS-Fuzz along with CIFuzz/CFLite and actually maintained receive lower scores due to the "unpinned" dependencies and bogus "vulnerabilities" that end up in the OSV database triggering the "vulnerabilities" check. scorecard on the other hand has been failing to even build on OSS-Fuzz for more than a month and scorecard still thinks that it's fuzzed.

laurentsimon (Contributor Author) commented

> FWIW I think the fuzzing check is kind of broken at this point because projects integrated into OSS-Fuzz along with CIFuzz/CFLite and actually maintained receive lower scores due to the "unpinned" dependencies and bogus "vulnerabilities" that end up in the OSV database triggering the "vulnerabilities" check.

Can you explain what the "bogus" OSV entries are?

/cc @oliverchang

> scorecard on the other hand has been failing to even build on OSS-Fuzz for more than a month and scorecard still thinks that it's fuzzed.

Can you elaborate on "been failing to even build on OSS-Fuzz"?

evverx (Contributor) commented Apr 19, 2022

> Can you explain what the "bogus" OSV entries are?

I think the latest examples would be https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016161.html and google/oss-fuzz#7434

> Can you elaborate on "been failing to even build on OSS-Fuzz"?

According to https://oss-fuzz-build-logs.storage.googleapis.com/index.html#ossf-scorecard scorecard has been failing to compile on OSS-Fuzz with

```
Step #3 - "compile-libfuzzer-address-x86_64": github.com/ossf/scorecard/v4/policy
Step #3 - "compile-libfuzzer-address-x86_64": github.com/ossf/scorecard/v4/policy
Step #3 - "compile-libfuzzer-address-x86_64": Running go-fuzz -tags gofuzz -func FuzzParseFromYAML -o fuzz_parse_from_yaml.a github.com/ossf/scorecard/v4/policy
Step #3 - "compile-libfuzzer-address-x86_64": # github.com/ossf/scorecard/v4/policy
Step #3 - "compile-libfuzzer-address-x86_64": policy/yaml_fuzzer.go:19:9: undefined: ParseFromYAML
Step #3 - "compile-libfuzzer-address-x86_64": 2022/04/18 11:52:44 failed to build packages:exit status 2
Step #3 - "compile-libfuzzer-address-x86_64": ********************************************************************************
Step #3 - "compile-libfuzzer-address-x86_64": Failed to build.
Step #3 - "compile-libfuzzer-address-x86_64": To reproduce, run:
Step #3 - "compile-libfuzzer-address-x86_64": python infra/helper.py build_image ossf-scorecard
Step #3 - "compile-libfuzzer-address-x86_64": python infra/helper.py build_fuzzers --sanitizer address --engine libfuzzer --architecture x86_64 ossf-scorecard
Step #3 - "compile-libfuzzer-address-x86_64": ********************************************************************************
Finished Step #3 - "compile-libfuzzer-address-x86_64"
```

for almost two months.

github-actions: Stale pull request message
