
Add more options for Pinned-Dependencies #3618

Open
gabibguti opened this issue Oct 27, 2023 · 4 comments

Comments

@gabibguti
Contributor

Is your feature request related to a problem? Please describe.
I would like to start a discussion to add more options for Pinned-Dependencies. Currently we check dependencies of:

  • go
  • choco
  • npm
  • pip
  • bash/shell

I would like to mention the possibility of including Cargo dependencies and leave the issue open if more dependencies of other ecosystems are needed.

Describe the solution you'd like
Including Cargo dependencies to provide better support for Rust projects.

Describe alternatives you've considered
None.

Additional context
Related to: ossf/scorecard-action#1017 (comment)


This issue is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Dec 29, 2023
@lasomethingsomething lasomethingsomething moved this to Looked at during triage meetings in Scorecard - NEW Mar 7, 2024
@falk-werner

Please include Cargo dependencies as requested above.

I just viewed the scorecard of the clap project and noticed that it scored 0 at pinned dependencies in spite of having pinned dependencies.

In my opinion this is a bug of the scorecard tool and I was about to write a report when I found this issue. I further suggest not using a score of 0 when the scorecard tool is not able to detect whether dependencies are pinned or not, but using a question mark instead like it is used in other places (e.g. the branch protection score of clap's scorecard). The score of an open source project should not decrease just because of the limitations of the scorecard tool.

@spencerschrock
Member

suggest not using a score of 0 when the scorecard tool is not able to detect whether dependencies are pinned or not, but using a question mark instead

quick note: we do do this now, though Scorecard is detecting the GitHub Action ecosystem in the repo as well, which is avoiding the inconclusive result.

Of course detecting Cargo dependencies would improve the repository's Pinned-Dependency score.

@falk-werner

quick note: we do do this now, though Scorecard is detecting the GitHub Action ecosystem in the repo as well, which is avoiding the inconclusive result.

Thank you for the clarification. I didn't notice GitHub Actions earlier. But this makes perfect sense. Looking at the details of the Pinned-Dependencies check reveals the reason for the score and explicitly mentions GitHub Actions. Sorry for not noticing earlier.
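A constructed illustration of the two points in this thread: what a Cargo detector for the Pinned-Dependencies check would have to decide (the original request) and why "no dependencies found" should be inconclusive rather than 0 (the later exchange). This is an added example, not Scorecard's own code; it assumes a simplified Cargo.toml subset, treats only Cargo's exact `=x.y.z` requirement as pinned, and ignores Cargo.lock, which is where a binary crate's dependencies are actually locked.

```python
"""Classify Cargo.toml dependency requirements as pinned or not.

Added illustration for this issue, not Scorecard code. Assumed subset of
Cargo.toml: dependency tables holding either `name = "req"` or
`name = { version = "req", ... }` entries. Caret, tilde and wildcard
requirements can resolve to a newer release, so only an exact `=x.y.z`
requirement is reported as pinned.
"""
import re
from typing import Dict, Optional

DEP_TABLES = ("dependencies", "dev-dependencies", "build-dependencies")
TABLE_RE = re.compile(r"^\[([^\]]+)\]\s*$")
SIMPLE_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"')
INLINE_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*\{.*?version\s*=\s*"([^"]*)"')


def is_pinned(req: str) -> bool:
    """Cargo's exact requirement, e.g. '=1.2.3' or '=1.0.0-beta.1'."""
    return bool(re.fullmatch(r"=\s*\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?", req.strip()))


def cargo_dependencies(toml_text: str) -> Dict[str, str]:
    """Map dependency name -> version requirement across dependency tables."""
    deps, in_dep_table = {}, False
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments (simplified)
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            # Also accept target-specific tables such as [target.'cfg(unix)'.dependencies]
            in_dep_table = m.group(1).strip().split(".")[-1] in DEP_TABLES
            continue
        if not in_dep_table:
            continue
        m = INLINE_RE.match(line) or SIMPLE_RE.match(line)
        if m:  # path/git deps without a version are skipped
            deps[m.group(1)] = m.group(2)
    return deps


def pinned_score(toml_text: str) -> Optional[int]:
    """0-10 share of pinned deps; None (inconclusive) when no deps are found."""
    deps = cargo_dependencies(toml_text)
    if not deps:
        return None  # nothing detected: do not report 0
    pinned = sum(1 for req in deps.values() if is_pinned(req))
    return round(10 * pinned / len(deps))


SAMPLE = """[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = { version = "=1.0.197", features = ["derive"] }  # pinned exactly
regex = "1.10"            # caret range, resolves to the newest 1.x
anyhow = "^1.0.80"        # explicit caret, still a range

[dev-dependencies]
tempfile = "=3.10.1"
"""  # constructed sample manifest
```

Running `pinned_score(SAMPLE)` on the constructed manifest gives 5 (two of four requirements are exact), while a manifest with no dependency tables returns None instead of 0.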

Projects
Status: Looked at during triage meetings