Dependabot link in alert is 404, and false positive #1903
Comments
Thanks, would you be interested in fixing it by sending a PR?
If I'm not mistaken, there are different settings:
So although these are all called "dependabot", they are different features, IIUC. I think you need both to have a comprehensive dependabot installation. We currently only check for option 1. @josepalafox will have a better understanding. Let's amend our documentation and improve the check once we have clarification.
Thanks, @naveensrinivasan, I'd be happy to, but I'm not actually finding it right now in a search. I do see a commit 062e33b that seems related, but haven't tracked down how that fits into the logic, or even if that is fixed but not deployed, or what.
@laurentsimon - good description of the subtleties. It would indeed help to be clearer about that in the docs. The text "no update tool detected" was easy for me to interpret as the absence of any sort of "security update" tool to scan for issues during updates, though it does make more sense as a tool to automate the offering of PRs to update dependencies. Clarifying that Scorecard checks for both (as it indeed should) would be most helpful. GitHub could also be clearer about how to verify this and the benefits of the active update options. After lots of digging I wasn't very clear on it. For more context, I'm looking at About Dependabot alerts - GitHub Docs. It has a checklist of sorts:
It seemed like a false positive because I looked at the Security tab overview, and it says "Dependabot alerts — Active". Then when I view "Dependabot alerts" it just says "Welcome to Dependabot alerts!" - again, no suggestion that it isn't fully configured and active. Digging into the GitHub "Insights" tab, I look at the "Dependency graph" and it notes that my dependencies are defined in
This isn't applicable anymore. This has been addressed.
Describe the bug
A Dependency-Update-Tool alert contains a link to https://dependabot.com/docs/config-file/ which now redirects to https://github.com/docs/config-file/, which is 404.
Expected behavior
Perhaps a link to https://github.com/dependabot would be appropriate though it seems different based on the URL.
Additional context
I have configured dependabot via GitHub's Security tab, but my project is still failing the Dependency-Update-Tool check. GitHub didn't ask me to put a config file anywhere. How does Scorecard detect such uses of dependabot? This is a bit old but may be relevant:
GitHub acquires Dependabot - 2019-05-23 - Crunchbase Acquisition Profile
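To make the distinction in this thread concrete (Dependabot enabled through the Security tab versus a committed config file), here is an added example of the kind of repository-side check that only sees the config file. It is not Scorecard's own code; it assumes, as the comments above suggest, that the check looks for the Dependabot config file under .github/, and it uses a line-based scan of the documented v2 format instead of a real YAML parser so it runs with the standard library only. The sample config and the two throw-away checkouts in demo() are constructed for the example.

```python
"""Heuristic check for a Dependabot configuration file in a repository checkout.

Added example, not Scorecard's own code. It assumes the Dependency-Update-Tool
check looks for the Dependabot config file, and it uses a simple line-based scan
instead of a full YAML parser so that it runs with the standard library only.
"""
import os
import re
import tempfile

# Paths GitHub documents for the Dependabot config file; both spellings are accepted.
CONFIG_PATHS = (".github/dependabot.yml", ".github/dependabot.yaml")

# Constructed sample config (not taken from the issue) in the documented v2 format.
SAMPLE_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

ECOSYSTEM_RE = re.compile(r'^\s*-\s*package-ecosystem:\s*"?([\w-]+)"?\s*$')
VERSION_RE = re.compile(r'^\s*version:\s*(\d+)\s*$')


def find_dependabot_config(repo_root):
    """Return the path of the first Dependabot config file found, or None."""
    for rel in CONFIG_PATHS:
        candidate = os.path.join(repo_root, *rel.split("/"))
        if os.path.isfile(candidate):
            return candidate
    return None


def summarize_config(text):
    """Extract the config version and the declared package ecosystems.

    Returns {"version": int or None, "ecosystems": [...]}. A config that declares
    no ecosystems keeps nothing up to date, so callers should treat that as
    'not configured' even though the file exists.
    """
    version = None
    ecosystems = []
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = int(m.group(1))
            continue
        m = ECOSYSTEM_RE.match(line)
        if m:
            ecosystems.append(m.group(1))
    return {"version": version, "ecosystems": ecosystems}


def check_repo(repo_root):
    """Classify a checkout: 'missing', 'empty' (file but no v2 ecosystems), or 'configured'."""
    path = find_dependabot_config(repo_root)
    if path is None:
        return "missing", None
    with open(path, encoding="utf-8") as fh:
        summary = summarize_config(fh.read())
    if summary["version"] != 2 or not summary["ecosystems"]:
        return "empty", summary
    return "configured", summary


def demo():
    """Build two throw-away checkouts and run the check on each; returns both verdicts."""
    with tempfile.TemporaryDirectory() as root:
        bare = os.path.join(root, "bare")          # Dependabot enabled only in the web UI
        with_cfg = os.path.join(root, "with_cfg")  # repo that commits the config file
        os.makedirs(os.path.join(bare, ".github"))
        os.makedirs(os.path.join(with_cfg, ".github"))
        cfg_path = os.path.join(with_cfg, ".github", "dependabot.yml")
        with open(cfg_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        return check_repo(bare)[0], check_repo(with_cfg)[0]


if __name__ == "__main__":
    print(demo())  # ('missing', 'configured')
```

The "bare" checkout is the situation described in this issue: alerts enabled in the Security tab leave nothing in the repository for a file-based check to find, so it reports "missing" even though the UI says Dependabot is active. Committing a dependabot.yml that lists the ecosystems you want updated is what a check of this kind can actually verify.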