Scorecard - v5.0.0-rc1


[!IMPORTANT]
This is a v5 prerelease candidate. There may be more breaking changes before the official v5.0.0 release.

What's Changed

Structured Results

We invite users to try out a preview of Structured Results, the main feature from this release candidate. For more details on the feature, please check out the first paragraph of our probes README as well as our blog post (coming next week).

At a high level, Structured Results breaks the existing 19 Scorecard Checks into individual heuristics (probes) so users can pick and choose which ones they care about. You can see a list of all supported probes by checking out the probes/ directory. To run individual probes, use the --probes CLI flag with a comma-separated list of names. You must also specify the --format probe option to see the results. Please run scorecard --help if you need more details.

Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

Check Enhancements and Bug Fixes

  • Branch-Protection
      • :sparkles: The Branch-Protection check now also evaluates whether the project requires PRs prior to making changes to the branch. This won't change anything for users who already require reviews, but will enable a score enhancement for those who can't require reviewers. (#3499, @diogoteles08)
  • Dependency-Update-Tool
      • :sparkles: Dependency-Update-Tool now detects Renovate config files in a .gitlab folder. (#3823, @spencerschrock)
      • :bug: Sonatype Lift is no longer recognized as a Dependency-Update-Tool because it is retired. (#3605, @spencerschrock)
      • :bug: Dependency-Update-Tool: ignore search commit data for repo clients which don't support it by @spencerschrock in https://github.com/ossf/scorecard/pull/3756
  • Fuzzing
      • :warning: Remove OneFuzz from fuzzing checks by @DavidKorczynski in https://github.com/ossf/scorecard/pull/3666
  • Pinned-Dependencies
      • :bug: Pinned-Dependencies now continues after encountering runtime errors. (#3515, @pnacht)
      • :bug: Scorecard no longer considers unpinned Dockerfiles in vendor and third_party directories. (#3675, @AdamKorcz)
      • :bug: Files downloaded by Git SHA from GitHub and executed are no longer considered as not pinned by hash. (#3694, @martincostello)
      • :bug: Shell commands in Dockerfile here-documents are now parsed correctly by the Pinned-Dependencies check. (#3774, @jkreileder)
  • Signed-Releases
      • :bug: Fixed a bug which allowed some repos to score higher than 10 in the Signed-Releases check. (#3768, @spencerschrock)
      • :sparkles: Support .sigstore bundles when checking for signed releases. (#3772, @edgarrmondragon)
  • Vulnerabilities
      • :bug: Projects without dependencies or packages no longer throw an error for the Vulnerabilities check. (#3803, @spencerschrock)
      • :bug: Go stdlib vulns are removed from the Vulnerabilities check output. (#3925, @spencerschrock)

RepoClient Improvements

  • GitHub
      • :bug: Scorecard processes commit activity from large GitHub repos in chunks to avoid timeout issues. (#3680, @spencerschrock)
  • GitLab
      • :bug: Fix scanning for GitLab private repositories. (#3596, @gabibguti)
      • :sparkles: Added --commit-depth support for GitLab repos. (#3672, @ashearin)
      • :bug: Parse GitLab Status fields to align with GitHub Status and Conclusion by @ashearin in https://github.com/ossf/scorecard/pull/3706
      • :bug: Fix signed release error for empty GitLab repo by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3753
      • :bug: Scorecard no longer crashes on GitLab repos with no commits. (#3731, @ashearin)
      • :bug: Fixed a bug which prevented Scorecard from analyzing some self-hosted GitLab repos. (#3819, @spencerschrock)
  • Local Directory
      • :bug: Ignore the .git folder for localdir by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3943

Other

  • :bug: Fix nils by @naveensrinivasan in https://github.com/ossf/scorecard/pull/3750
  • :sparkles: Added logic to ensure check scores are between 0 and 10 (#3769, @spencerschrock)

Breaking Changes

  • File access through RepoClient now returns an io.ReadCloser instead of the full file contents. (#3912, @spencerschrock). This enabled fixing two bugs which affect very large repos:
      • :bug: Limit Binary Artifact file reads to first 1024 bytes by @spencerschrock in https://github.com/ossf/scorecard/pull/3923
      • :bug: Avoid reading every file searching for sonar configs by @spencerschrock in https://github.com/ossf/scorecard/pull/3929
  • :warning: refactor: rename fields on Branch Protection Pull Request rules by @diogoteles08 in https://github.com/ossf/scorecard/pull/3879
  • :warning: remove rule.Remediation and switch users to probe.Remediation by @spencerschrock in https://github.com/ossf/scorecard/pull/3978

Docs

  • :book: fix typo by @AdamKorcz in https://github.com/ossf/scorecard/pull/3699
  • :book: Added beginner's guide to scorecard checks docs by @ariathaker in https://github.com/ossf/scorecard/pull/3617
  • :book: fixup transposition typos in remediation package copy by @daveworth in https://github.com/ossf/scorecard/pull/3734
  • :book: Update README with zoom meeting info by @leec94 in https://github.com/ossf/scorecard/pull/3739
  • :book: Clarify lack of 2FA check in README by @raghavkaul in https://github.com/ossf/scorecard/pull/3784
  • :book: Add documentation about probes and contributing by @AdamKorcz in https://github.com/ossf/scorecard/pull/3762
  • :book: Spelling by @jsoref in https://github.com/ossf/scorecard/pull/3804
  • :book: Update contributor ladder to reduce duration requirements by @afmarcum in https://github.com/ossf/scorecard/pull/3899
  • :book: Update slack image by @afmarcum in https://github.com/ossf/scorecard/pull/3906
  • :book: Document that .sigstore bundles are part of check for Signed-Releases (#3922, @cpswan)
  • :book: Add survey announcement to readme by @afmarcum in https://github.com/ossf/scorecard/pull/3942
  • :book: Review and update CONTRIBUTING.md by @spencerschrock in https://github.com/ossf/scorecard/pull/4002
  • :book: revert PAT scope change and document Go resources by @spencerschrock in https://github.com/ossf/scorecard/pull/4003

New Contributors

  • @ashearin made their first contribution in https://github.com/ossf/scorecard/pull/3672
  • @ariathaker made their first contribution in https://github.com/ossf/scorecard/pull/3617
  • @daveworth made their first contribution in https://github.com/ossf/scorecard/pull/3734
  • @edgarrmondragon made their first contribution in https://github.com/ossf/scorecard/pull/3772
  • @manishtiwari25 made their first contribution in https://github.com/ossf/scorecard/pull/3732
  • @jkreileder made their first contribution in https://github.com/ossf/scorecard/pull/3774
  • @tuminoid made their first contribution in https://github.com/ossf/scorecard/pull/3783
  • @lelia made their first contribution in https://github.com/ossf/scorecard/pull/3822
  • @jsoref made their first contribution in https://github.com/ossf/scorecard/pull/3804
  • @jitsengupta17 made their first contribution in https://github.com/ossf/scorecard/pull/3302
  • @cpswan made their first contribution in https://github.com/ossf/scorecard/pull/3922
  • @adamdmharvey made their first contribution in https://github.com/ossf/scorecard/pull/3972
  • @fhoeborn made their first contribution in https://github.com/ossf/scorecard/pull/3838

Full Changelog: https://github.com/ossf/scorecard/compare/v4.13.1...v5.0.0-rc1


Details

date: April 12, 2024, 10:10 p.m.
name: v5.0.0-rc1
type: Pre-release