{"date":"2024-03-16T10:38:53Z","repo":{"name":"github.com/opensourceways/sbom-service","commit":"9b2d5e9150ec4dd07e9fba46a50ba0b5f6432e52"},"scorecard":{"version":"v4.11.0","commit":"4edb07802fdad892fa8d10f8fd47666b6ccc27c9"},"score":6.8,"checks":[{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: gradle/wrapper/gradle-wrapper.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"23 out of 23 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"0 different organizations found -- score normalized to 0","details":["Warn: no contributors have an org or company"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: tool 'RenovateBot' is used: renovate.json:1","Warn: tool 'Dependabot' is not used: Follow the instructions from https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates. (Low effort)","Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)","Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. 
(Low effort)"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#license"}},{"name":"Maintained","score":5,"reason":"7 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"no published package detected","details":["Warn: no GitHub/GitLab publishing workflow detected"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: pipCommand not pinned by hash: Dockerfile:3-8","Info: GitHub-owned GitHubActions are pinned","Info: Third-party GitHubActions are pinned","Info: Dockerfile dependencies are pinned","Info: no insecure (not pinned by hash) dependency downloads found in 
Dockerfiles","Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Warn: 0 commits out of 30 are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":null,"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":10,"reason":"2 out of 2 artifacts are signed or have provenance","details":["Info: provenance for release artifact: sbom-service-1.1.3.war.intoto.jsonl: https://api.github.com/repos/opensourceways/sbom-service/releases/assets/118884084","Info: provenance for release artifact: sbom-service-1.1.2.war.intoto.jsonl: https://api.github.com/repos/opensourceways/sbom-service/releases/assets/102686595"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"tokens are read-only in GitHub workflows","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/codeql.yml:32","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/generator-generic-ossf-slsa3-publish.yml:20","Info: jobLevel 'actions' permission set to 'read': .github/workflows/generator-generic-ossf-slsa3-publish.yml:95","Info: topLevel 'contents' permission set to 'read': .github/workflows/gradle.yml:17","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":0,"reason":"199 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-8489-44mv-ggj8","Warn: Project is vulnerable to: GHSA-p6xc-xr62-6r2g","Warn: Project is vulnerable to: GHSA-288c-cq4h-88gq","Warn: Project is vulnerable to: GHSA-57j2-w4cx-62h2","Warn: Project is vulnerable to: GHSA-5949-rw7g-wx7w","Warn: Project is vulnerable to: GHSA-5r5r-6hpj-8gg9","Warn: Project is vulnerable to: GHSA-89qr-369f-5m5x","Warn: Project is vulnerable to: GHSA-8c4j-34r4-xr8g","Warn: Project is vulnerable to: GHSA-8w26-6f25-cm9x","Warn: Project is vulnerable to: GHSA-9gph-22xh-8x98","Warn: Project is vulnerable to: GHSA-9m6f-7xcq-8vf8","Warn: Project is vulnerable to: GHSA-c265-37vj-cwcc","Warn: Project is vulnerable to: GHSA-c2q3-4qrh-fm48","Warn: Project is vulnerable to: GHSA-cvm9-fjm9-3572","Warn: Project is vulnerable to: GHSA-f9xh-2qgp-cq57","Warn: Project is vulnerable to: GHSA-h3cw-g4mq-c5x2","Warn: Project is vulnerable to: GHSA-j823-4qch-3rgm","Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff","Warn: Project is vulnerable to: GHSA-m6x4-97wx-4q27","Warn: Project is vulnerable to: GHSA-mc6h-4qgp-37qh","Warn: Project is 
vulnerable to: GHSA-qjw2-hr98-qgfh","Warn: Project is vulnerable to: GHSA-r3gr-cxrf-hg25","Warn: Project is vulnerable to: GHSA-r695-7vr9-jgc2","Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4","Warn: Project is vulnerable to: GHSA-v585-23hc-c647","Warn: Project is vulnerable to: GHSA-vfqx-33qm-g869","Warn: Project is vulnerable to: GHSA-wh8g-3j2c-rqj5","Warn: Project is vulnerable to: GHSA-4gg5-vx3j-xwc7","Warn: Project is vulnerable to: GHSA-77rm-9x9h-xj3g","Warn: Project is vulnerable to: GHSA-g5ww-5jh7-63cx","Warn: Project is vulnerable to: GHSA-h4h5-3hr4-j3g2","Warn: Project is vulnerable to: GHSA-wrvw-hg22-4m67","Warn: Project is vulnerable to: GHSA-4jrv-ppp4-jm57","Warn: Project is vulnerable to: GHSA-4g9r-vxhx-9pgx","Warn: Project is vulnerable to: GHSA-7hfm-57qf-j43q","Warn: Project is vulnerable to: GHSA-crv7-7245-f45f","Warn: Project is vulnerable to: GHSA-mc84-pj99-q6hh","Warn: Project is vulnerable to: GHSA-xqfj-vm6h-2x34","Warn: Project is vulnerable to: GHSA-g3wg-6mcf-8jj6","Warn: Project is vulnerable to: GHSA-7r82-7xv7-xcpj","Warn: Project is vulnerable to: GHSA-cj7v-27pg-wf7q","Warn: Project is vulnerable to: GHSA-hmr7-m48g-48f6","Warn: Project is vulnerable to: GHSA-3f7h-mf4q-vrm4","Warn: Project is vulnerable to: GHSA-5mg8-w23w-74h3","Warn: Project is vulnerable to: GHSA-7g45-4rm6-3mm3","Warn: Project is vulnerable to: GHSA-58qw-p7qm-5rvh","Warn: Project is vulnerable to: GHSA-rhrv-645h-fjfh","Warn: Project is vulnerable to: GHSA-493p-pfq6-5258","Warn: Project is vulnerable to: GHSA-v528-7hrm-frqp","Warn: Project is vulnerable to: GHSA-gwrp-pvrq-jmwv","Warn: Project is vulnerable to: GHSA-5mcr-gq6c-3hq2","Warn: Project is vulnerable to: GHSA-9vjp-v76f-g363","Warn: Project is vulnerable to: GHSA-cqqj-4p63-rrmm","Warn: Project is vulnerable to: GHSA-f256-j965-7f32 / GHSA-wm47-8v5p-wjpj","Warn: Project is vulnerable to: GHSA-grg4-wf29-r9vv","Warn: Project is vulnerable to: GHSA-p2v9-g2qv-p635","Warn: Project is vulnerable to: 
GHSA-wx5j-54mm-rqqq","Warn: Project is vulnerable to: GHSA-56h3-78gp-v83r","Warn: Project is vulnerable to: GHSA-7rf3-mqpx-h7xg","Warn: Project is vulnerable to: GHSA-grr4-wv38-f68w","Warn: Project is vulnerable to: GHSA-q6g2-g7f3-rr83","Warn: Project is vulnerable to: GHSA-x27m-9w8j-5vcw","Warn: Project is vulnerable to: GHSA-55g7-9cwv-5qfv","Warn: Project is vulnerable to: GHSA-fjpj-2g6w-x25r","Warn: Project is vulnerable to: GHSA-pqr6-cmr2-h8hf","Warn: Project is vulnerable to: GHSA-qcwq-55hx-v3vh","Warn: Project is vulnerable to: GHSA-2qrg-x229-3v8q","Warn: Project is vulnerable to: GHSA-65fg-84f6-3jq3","Warn: Project is vulnerable to: GHSA-f7vh-qwp3-x37m","Warn: Project is vulnerable to: GHSA-fp5r-v3w9-4333","Warn: Project is vulnerable to: GHSA-w9p3-5cr8-m3jj","Warn: Project is vulnerable to: GHSA-c27h-mcmw-48hv","Warn: Project is vulnerable to: GHSA-r6j9-8759-g62w","Warn: Project is vulnerable to: GHSA-26vr-8j45-3r4w","Warn: Project is vulnerable to: GHSA-86wm-rrjm-8wh8","Warn: Project is vulnerable to: GHSA-m394-8rww-3jr7","Warn: Project is vulnerable to: GHSA-m6cp-vxjx-65j6","Warn: Project is vulnerable to: GHSA-p26g-97m4-6q7c","Warn: Project is vulnerable to: GHSA-qw69-rqj8-6qw8","Warn: Project is vulnerable to: GHSA-cgp8-4m63-fhh5","Warn: Project is vulnerable to: GHSA-2hw2-62cp-p9p7","Warn: Project is vulnerable to: GHSA-7286-pgfv-vxvh","Warn: Project is vulnerable to: GHSA-gvpg-vgmx-xg6w","Warn: Project is vulnerable to: GHSA-hxp5-8pgq-mgv9","Warn: Project is vulnerable to: GHSA-fj2m-w3wv-x9pr","Warn: Project is vulnerable to: GHSA-qvxv-pmq9-4q7g","Warn: Project is vulnerable to: GHSA-hrmr-f5m6-m9pq","Warn: Project is vulnerable to: GHSA-p979-4mfw-53vg","Warn: Project is vulnerable to: GHSA-42xw-p62x-hwcf","Warn: Project is vulnerable to: GHSA-rcjc-c4pj-xxrp","Warn: Project is vulnerable to: GHSA-g2fg-mr77-6vrm","Warn: Project is vulnerable to: GHSA-rj7p-rfgp-852x","Warn: Project is vulnerable to: GHSA-vx85-mj8c-4qm6","Warn: Project is vulnerable to: 
GHSA-wjxj-f8rg-99wx","Warn: Project is vulnerable to: GHSA-7cwj-j333-x7f7","Warn: Project is vulnerable to: GHSA-ccqf-c5hq-77mp","Warn: Project is vulnerable to: GHSA-24rp-q3w6-vc56","Warn: Project is vulnerable to: GHSA-88cc-g835-76rp","Warn: Project is vulnerable to: GHSA-r38f-c4h4-hqq2","Warn: Project is vulnerable to: GHSA-v7wg-cpwc-24m4","Warn: Project is vulnerable to: GHSA-2jc4-r94c-rp7h","Warn: Project is vulnerable to: GHSA-94rr-4jr5-9h2p","Warn: Project is vulnerable to: GHSA-wv7w-rj2x-556x","Warn: Project is vulnerable to: GHSA-6x9x-8qw9-9pp6","Warn: Project is vulnerable to: GHSA-7vx9-xjhr-rw6h","Warn: Project is vulnerable to: GHSA-84q7-p226-4x5w","Warn: Project is vulnerable to: GHSA-9rgv-h7x4-qw8g","Warn: Project is vulnerable to: GHSA-h2f4-v4c4-6wx4","Warn: Project is vulnerable to: GHSA-r28m-g6j9-r2h5","Warn: Project is vulnerable to: GHSA-vgg8-72f2-qm23","Warn: Project is vulnerable to: GHSA-xc67-hjx6-cgg6","Warn: Project is vulnerable to: GHSA-4p6w-m9wc-c9c9","Warn: Project is vulnerable to: GHSA-5v34-g2px-j4fw","Warn: Project is vulnerable to: GHSA-f62v-xpxf-3v68","Warn: Project is vulnerable to: GHSA-q5r4-cfpx-h6fh","Warn: Project is vulnerable to: GHSA-27xj-rqx5-2255","Warn: Project is vulnerable to: GHSA-4gq5-ch57-c2mg","Warn: Project is vulnerable to: GHSA-4w82-r329-3q67","Warn: Project is vulnerable to: GHSA-58pp-9c76-5625","Warn: Project is vulnerable to: GHSA-5p34-5m6p-p58g","Warn: Project is vulnerable to: GHSA-5ww9-j83m-q7qx","Warn: Project is vulnerable to: GHSA-645p-88qh-w398","Warn: Project is vulnerable to: GHSA-6fpp-rgj9-8rwc","Warn: Project is vulnerable to: GHSA-6wqp-v4v6-c87c","Warn: Project is vulnerable to: GHSA-758m-v56v-grj4","Warn: Project is vulnerable to: GHSA-85cw-hj65-qqv9","Warn: Project is vulnerable to: GHSA-95cm-88f5-f2c7","Warn: Project is vulnerable to: GHSA-9mxf-g3x6-wv74","Warn: Project is vulnerable to: GHSA-9vvp-fxw6-jcxr","Warn: Project is vulnerable to: GHSA-c8hm-7hpq-7jhg","Warn: Project is vulnerable to: 
GHSA-cf6r-3wgc-h863","Warn: Project is vulnerable to: GHSA-cjjf-94ff-43w7","Warn: Project is vulnerable to: GHSA-cmfg-87vq-g5g4","Warn: Project is vulnerable to: GHSA-f3j5-rmmp-3fc5","Warn: Project is vulnerable to: GHSA-f9hv-mg5h-xcw9","Warn: Project is vulnerable to: GHSA-fmmc-742q-jg75","Warn: Project is vulnerable to: GHSA-fqwf-pjwf-7vqv","Warn: Project is vulnerable to: GHSA-gjmw-vf9h-g25v","Warn: Project is vulnerable to: GHSA-gwp4-hfv6-p7hw","Warn: Project is vulnerable to: GHSA-gww7-p5w4-wrfv","Warn: Project is vulnerable to: GHSA-h4rc-386g-6m85","Warn: Project is vulnerable to: GHSA-h822-r4r5-v8jg","Warn: Project is vulnerable to: GHSA-mph4-vhrx-mv67","Warn: Project is vulnerable to: GHSA-mx7p-6679-8g3q","Warn: Project is vulnerable to: GHSA-mx9v-gmh4-mgqw","Warn: Project is vulnerable to: GHSA-p43x-xfjf-5jhr","Warn: Project is vulnerable to: GHSA-q93h-jc49-78gg","Warn: Project is vulnerable to: GHSA-qmqc-x3r4-6v39","Warn: Project is vulnerable to: GHSA-qr7j-h6gg-jmgc","Warn: Project is vulnerable to: GHSA-rf6r-2c4q-2vwg","Warn: Project is vulnerable to: GHSA-rpr3-cw39-3pxh","Warn: Project is vulnerable to: GHSA-v3xw-c963-f5hc","Warn: Project is vulnerable to: GHSA-x2w5-5m2g-7h5m","Warn: Project is vulnerable to: GHSA-7rjr-3q55-vv33","Warn: Project is vulnerable to: GHSA-jfh8-c2jp-5v3q","Warn: Project is vulnerable to: GHSA-vwqq-5vrc-xw9h","Warn: Project is vulnerable to: GHSA-6mqq-8r44-vmjc","Warn: Project is vulnerable to: GHSA-8cw6-5qvp-q3wj","Warn: Project is vulnerable to: GHSA-fp5j-3fpf-mhj5","Warn: Project is vulnerable to: GHSA-phg2-9c5g-m4q7","Warn: Project is vulnerable to: GHSA-w4r4-65mg-45x2","Warn: Project is vulnerable to: GHSA-c43q-5hpj-4crv","Warn: Project is vulnerable to: GHSA-8qv5-68g4-248j","Warn: Project is vulnerable to: GHSA-3x8x-79m2-3w2w","Warn: Project is vulnerable to: GHSA-3gh6-v5v9-6v9j","Warn: Project is vulnerable to: GHSA-gwcr-j4wh-j3cq","Warn: Project is vulnerable to: GHSA-6mjq-h674-j845","Warn: Project is vulnerable to: 
GHSA-599f-7c49-w659","Warn: Project is vulnerable to: GHSA-r978-9m6m-6gm6","Warn: Project is vulnerable to: GHSA-mvr2-9pj6-7w5j","Warn: Project is vulnerable to: GHSA-4265-ccf5-phj5","Warn: Project is vulnerable to: GHSA-jgxc-8mwq-9xqw","Warn: Project is vulnerable to: GHSA-vr64-r9qj-h27f","Warn: Project is vulnerable to: GHSA-cfh5-3ghh-wfjx","Warn: Project is vulnerable to: GHSA-fmj5-wv96-r2ch","Warn: Project is vulnerable to: GHSA-w7f5-jrpr-5c2m","Warn: Project is vulnerable to: GHSA-gf2v-9hp6-44qg","Warn: Project is vulnerable to: GHSA-rxmr-c9jm-7mm8","Warn: Project is vulnerable to: GHSA-cggj-fvv3-cqwv","Warn: Project is vulnerable to: GHSA-7q56-mp4c-gggg","Warn: Project is vulnerable to: GHSA-8r28-r8cp-g6cp","Warn: Project is vulnerable to: GHSA-8wm5-8h9c-47pc","Warn: Project is vulnerable to: GHSA-f8vc-wfc8-hxqh","Warn: Project is vulnerable to: GHSA-g48f-ff5h-5f64","Warn: Project is vulnerable to: GHSA-gx2c-fvhc-ph4j","Warn: Project is vulnerable to: GHSA-h24p-qwf4-84q8","Warn: Project is vulnerable to: GHSA-mf7c-35mq-75pj","Warn: Project is vulnerable to: GHSA-rmpj-7c96-mrg8","Warn: Project is vulnerable to: GHSA-rrfq-g5fq-fc9c","Warn: Project is vulnerable to: GHSA-wr69-g62g-2r9h","Warn: Project is vulnerable to: GHSA-pr9x-qmp5-j3rr","Warn: Project is vulnerable to: GHSA-qm7f-r83w-3p46","Warn: Project is vulnerable to: GHSA-3832-9276-x7gf","Warn: Project is vulnerable to: GHSA-334p-wv2m-w3vp","Warn: Project is vulnerable to: GHSA-7j4h-8wpf-rqfh","Warn: Project is vulnerable to: GHSA-h65f-jvqw-m9fj","Warn: Project is vulnerable to: GHSA-vmqm-g3vh-847m","Warn: Project is vulnerable to: GHSA-w4jq-qh47-hvjq","Warn: Project is vulnerable to: GHSA-58jx-f5rf-qgqf"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#vulnerabilities"}}]}
