
Feedback on Scorecard result data #792

Open
azeemshaikh38 opened this issue Jul 30, 2021 · 8 comments
Labels
kind/enhancement New feature or request

Comments

@azeemshaikh38
Contributor

I had a conversation with Jose Duart from Google and he had some interesting observations on Scorecard data from BQ that he analyzed.

  1. Some repos may be pretty well established (e.g. https://github.com/yaml/pyyaml), so not a lot of commits will be happening. We mark these repos as Not Active, which is unexpected from a user's POV. We probably need better signals to understand if repos are Active, or improve how we score these repos.
  2. The Vulnerabilities check simply tells if there is an open vulnerability or not. This is not a strong signal when considering a package as a dependency. A stronger signal might be something like: how long do the repo owners take on average to fix vulnerabilities once they become known?

These might be interesting points to discuss in our next meeting, so I am creating an issue.

@laurentsimon
Contributor

> I had a conversation with Jose Duart from Google and he had some interesting observations on Scorecard data from BQ that he analyzed.
>
>   1. Some repos may be pretty well established (e.g. https://github.com/yaml/pyyaml), so not a lot of commits will be happening. We mark these repos as Not Active, which is unexpected from a user's POV. We probably need better signals to understand if repos are Active, or improve how we score these repos.

In addition to whether issues are closed or commented on, etc., I think when the repo has dependabot installed we would get some PRs merged once in a while.

@laurentsimon
Contributor

The statistics API may be useful to assess the activity of a repo: https://docs.github.com/en/rest/reference/repos#statistics

@laurentsimon
Contributor

Increasing the time period may also be useful - related to #1025.

@laurentsimon
Contributor

laurentsimon commented Oct 28, 2021

This API may also be useful: https://docs.github.com/en/rest/reference/activity

@laurentsimon
Contributor

Another idea is to use the list of transitive deps, see if some have been updated, and if the project has accepted dependabot PRs. That's pretty involved, though.
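As an added example (not part of this issue or of Scorecard's own code), here is the combined activity rule sketched across these comments: the "Not Active" concern from the opening post, plus issue activity, accepted dependabot PRs and a configurable lookback window from the replies. `Event`, `Activity`, `Summarise` and `Maintained` are assumed names, and the events would in practice come from the statistics and activity APIs linked above.

```go
package main

import (
	"fmt"
	"time"
)

// Event is a constructed activity record mirroring this thread's signals; type and field names are assumptions, not Scorecard's code.
type Event struct {
	Kind string // "commit", "issue_closed", "issue_comment", "pr_merged"
	Bot  bool   // authored by dependabot or other automation
	At   time.Time
}
// Activity counts each signal seen inside the lookback window.
type Activity struct {
	HumanCommits int // commits by people; bot commits alone prove nothing
	IssueEvents  int // issues closed or commented on
	MergedPRs    int // merging is a maintainer action even when the author is a bot
}

// Summarise tallies events with now-window <= At <= now and ignores the rest.
func Summarise(events []Event, now time.Time, window time.Duration) Activity {
	var a Activity
	cutoff := now.Add(-window)
	for _, e := range events {
		if e.At.Before(cutoff) || e.At.After(now) {
			continue
		}
		switch {
		case e.Kind == "commit" && !e.Bot:
			a.HumanCommits++
		case e.Kind == "issue_closed" || e.Kind == "issue_comment":
			a.IssueEvents++
		case e.Kind == "pr_merged":
			a.MergedPRs++
		}
	}
	return a
}

// Maintained accepts any maintainer signal, so a stable project that only answers issues and accepts dependabot PRs still counts as active.
func Maintained(a Activity) bool {
	return a.HumanCommits > 0 || a.IssueEvents > 0 || a.MergedPRs > 0
}

func main() { // constructed sample: a year without commits, but one issue answered and a bot PR merged
	now := time.Date(2021, 7, 30, 0, 0, 0, 0, time.UTC)
	ev := []Event{{"commit", false, now.AddDate(-1, 0, 0)}, {"issue_comment", false, now.AddDate(0, -1, 0)}, {"pr_merged", true, now.AddDate(0, -2, 0)}}
	fmt.Println(Maintained(Summarise(ev, now, 90*24*time.Hour))) // true
}
```

With a 14-day window the same sample is reported inactive, which is the effect of the lookback period discussed in #1025.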

@github-actions

github-actions bot commented Jan 9, 2022

Stale issue message


github-actions bot commented Nov 7, 2023

This issue is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Nov 7, 2023
@justaugustus
Member

Still relevant:
