{"date":"2026-05-14T01:22:56Z","repo":{"name":"github.com/Samsung/LPVS","commit":"a0cfa084de29d9e97d113392addfeb3543936046"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":9.2,"checks":[{"name":"Maintained","score":10,"reason":"29 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:10","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:11","Info: jobLevel 'actions' permission set to 'read': .github/workflows/publish-release.yml:91","Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish-release.yml:129","Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish-release.yml:153","Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/cflite_batch.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-docker.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/findbugs.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/java-format-checker.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-documentation.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-suite.yml:10","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/Samsung/LPVS/publish-release.yml/main?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/java-format-checker.yml:28","Info:  26 out of  26 GitHub-owned GitHubAction dependencies pinned","Info:  25 out of  26 third-party GitHubAction dependencies pinned","Info:   3 out of   3 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   1 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":10,"reason":"badge detected: Gold","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-release.yml:125"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":10,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Samsung/LPVS/releases/tag/v2.2.3","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Samsung/LPVS/releases/tag/v2.2.2","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Samsung/LPVS/releases/tag/v2.2.1","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Samsung/LPVS/releases/tag/v2.2.0","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Samsung/LPVS/releases/tag/v2.1.4"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Branch-Protection","score":10,"reason":"branch protection is fully enabled on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Info: required approving review count is 2 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: ClusterFuzzLite integration found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":0,"reason":"56 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-5wmx-573v-2qwq","Warn: Project is vulnerable to: GHSA-5239-wwwm-4pmq","Warn: Project is vulnerable to: GHSA-mf9v-mfxr-j63j","Warn: Project is vulnerable to: GHSA-qccp-gfcp-xxvc","Warn: Project is vulnerable to: GHSA-25qh-j22f-pwp8","Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv","Warn: Project is vulnerable to: GHSA-qqpg-mvqg-649v","Warn: Project is vulnerable to: GHSA-72hv-8253-57qq","Warn: Project is vulnerable to: GHSA-xwmg-2g98-w7v9","Warn: Project is vulnerable to: GHSA-pq2g-wx69-c263","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-24j9-x2wg-9qv6","Warn: Project is vulnerable to: GHSA-25xr-qj8w-c4vf","Warn: Project is vulnerable to: GHSA-27hp-xhwr-wr2m","Warn: Project is vulnerable to: GHSA-3p2h-wqq4-wf4h","Warn: Project is vulnerable to: GHSA-42wg-hm62-jcwg","Warn: Project is vulnerable to: GHSA-5j33-cvvr-w245","Warn: Project is vulnerable to: GHSA-83qj-6fr2-vhqg","Warn: Project is vulnerable to: GHSA-95jq-rwvf-vjx4","Warn: Project is vulnerable to: GHSA-9m3c-qcxr-9x87","Warn: Project is vulnerable to: GHSA-ff77-26x5-69cr","Warn: Project is vulnerable to: GHSA-fpj8-gq4v-p354","Warn: Project is vulnerable to: GHSA-gqp3-2cvr-x8m3","Warn: Project is vulnerable to: GHSA-h2fw-rfh5-95r3","Warn: Project is vulnerable to: GHSA-h3gc-qfqq-6h8f","Warn: Project is vulnerable to: GHSA-hgrr-935x-pq79","Warn: Project is vulnerable to: GHSA-mgp5-rv84-w37q","Warn: Project is vulnerable to: GHSA-qq5r-98hh-rxc9","Warn: Project is vulnerable to: GHSA-rv64-5gf8-9qq8","Warn: Project is vulnerable to: GHSA-vfww-5hm6-hx2j","Warn: Project is vulnerable to: GHSA-wc4r-xq3c-5cf3","Warn: Project is vulnerable to: GHSA-wmwf-9ccg-fff5","Warn: Project is vulnerable to: GHSA-wr62-c79q-cv37","Warn: Project is vulnerable to: GHSA-x4m4-345f-5h5g","Warn: Project is vulnerable to: GHSA-rc42-6c7j-7h5r","Warn: Project is vulnerable to: GHSA-wwpq-f5c3-7hvx","Warn: Project is vulnerable to: GHSA-8v5q-rhf3-jphm","Warn: Project is vulnerable to: GHSA-9pp5-9c7g-4r83","Warn: Project is vulnerable to: GHSA-hh3m-g4qj-4835","Warn: Project is vulnerable to: GHSA-vxf7-qj7q-83fh","Warn: Project is vulnerable to: GHSA-x2wq-9x2f-fhj7","Warn: Project is vulnerable to: GHSA-mg83-c7gq-rv5c","Warn: Project is vulnerable to: GHSA-cvc6-q2cp-2xhw","Warn: Project is vulnerable to: GHSA-mf92-479x-3373","Warn: Project is vulnerable to: GHSA-4wp7-92pw-q264","Warn: Project is vulnerable to: GHSA-jmp9-x22r-554x","Warn: Project is vulnerable to: GHSA-6r3c-xf4w-jxjm","Warn: Project is vulnerable to: GHSA-4773-3jfm-qmx3","Warn: Project is vulnerable to: GHSA-6hcq-hmm3-jj3c","Warn: Project is vulnerable to: GHSA-6p4f-wcwh-5vvm","Warn: Project is vulnerable to: GHSA-r936-gwx5-v52f","Warn: Project is vulnerable to: GHSA-wg35-8jpf-2xv3","Warn: Project is vulnerable to: GHSA-c9ph-gxww-7744","Warn: Project is vulnerable to: GHSA-r4v4-5mwr-2fwr","Warn: Project is vulnerable to: GHSA-xjw8-8c5c-9r79"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: found contributions from: Samsung, samsung, samsung r&d institute ukraine (srukr)"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]}