We see that the text contains both the scorecard detail text and the location information, concatenated:

```
score is 8: dependency not pinned by hash detected -- score normalized to 8:\nWarn: third-party action not pinned by hash: .github/workflows/scorecards-golang.yml:
```

I ran scorecard at HEAD and at the v4.1.0 release on the same repo (ossf-tests/scorecard-action), and the results are identical but are different from the results of the run above for golang-staging:
```json
{
  "ruleId": "PinnedDependenciesID",
  "ruleIndex": 4,
  "message": {
    "text": "third-party action not pinned by hash\nClick Remediation section below to solve this issue"
  },
  "locations": [
    {
      "physicalLocation": {
        "region": {
          "startLine": 30,
          "endLine": 30,
          "snippet": {
            "text": "ossf/scorecard-action@golang-staging"
          }
        },
        "artifactLocation": {
          "uri": ".github/workflows/Scorecards-with-default-GH-Token-golang-staging.yml",
          "uriBaseId": "%SRCROOT%"
        }
      },
      "message": {
        "text": "third-party action not pinned by hash"
      }
    }
  ]
},
```
You see that the text message only contains the text, and the file-based results appear within the `locations` instead.

@naveensrinivasan can you confirm I'm understanding this correctly? It's possible I missed something.
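The distinction the issue draws is between a SARIF result whose `message.text` is just the finding and whose file/line data lives under `locations`, and one where the scorecard detail block (with the `Warn: ...: path:` line) has been concatenated into the message. The following checker is an added example for this page, not code from scorecard or scorecard-action; it walks `runs[].results[]` and flags results that have no `locations`, locations without `artifactLocation.uri` or `region.startLine`, or a message text that embeds a file path or the raw `score is ...` detail block. The two SARIF documents at the bottom are constructed for the example: one mirrors the well-formed result quoted above, the other the concatenated form.

```python
"""Lint SARIF results so that location data lives in `locations`, not in
`message.text`.  Added illustration; not scorecard/scorecard-action code.
The sample SARIF documents below are constructed for this example."""
import json
import re

# Heuristic: a file path with a common extension, optionally followed by a
# line number and/or a trailing colon, inside the message text
# (e.g. ".github/workflows/scorecards-golang.yml:" or "main.go:12").
_LOCATION_IN_TEXT = re.compile(r"[\w./-]+\.(?:ya?ml|go|json|py|js|sh|md)(?::\d+)?:?")


def check_result(result):
    """Return a list of problems found in one SARIF result object."""
    problems = []
    text = result.get("message", {}).get("text", "")
    locations = result.get("locations") or []
    if not locations:
        problems.append("no locations array")
    for loc in locations:
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if not uri:
            problems.append("location without artifactLocation.uri")
        if "startLine" not in phys.get("region", {}):
            problems.append(f"location {uri!r} without region.startLine")
    m = _LOCATION_IN_TEXT.search(text)
    if m:
        problems.append(f"message.text embeds a file location: {m.group(0)!r}")
    if "\n" in text and text.lstrip().startswith("score is"):
        problems.append("message.text contains the raw scorecard detail block")
    return problems


def check_sarif(doc):
    """Map 'ruleId#index' -> problems for every result in every run."""
    findings = {}
    for run in doc.get("runs", []):
        for i, result in enumerate(run.get("results", [])):
            probs = check_result(result)
            if probs:
                findings[f"{result.get('ruleId')}#{i}"] = probs
    return findings


# Constructed sample: location data placed correctly under `locations`.
GOOD_SARIF = {"runs": [{"results": [{
    "ruleId": "PinnedDependenciesID",
    "message": {"text": "third-party action not pinned by hash\n"
                        "Click Remediation section below to solve this issue"},
    "locations": [{"physicalLocation": {
        "region": {"startLine": 30, "endLine": 30},
        "artifactLocation": {
            "uri": ".github/workflows/Scorecards-with-default-GH-Token-golang-staging.yml",
            "uriBaseId": "%SRCROOT%"},
    }}],
}]}]}

# Constructed sample: detail text and path concatenated into message.text,
# with no `locations` entry at all.
BAD_SARIF = {"runs": [{"results": [{
    "ruleId": "PinnedDependenciesID",
    "message": {"text": "score is 8: dependency not pinned by hash detected "
                        "-- score normalized to 8:\nWarn: third-party action "
                        "not pinned by hash: .github/workflows/scorecards-golang.yml:"},
}]}]}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_SARIF), ("bad", BAD_SARIF)):
        print(name, json.dumps(check_sarif(doc), indent=2))
```

Running the block prints an empty mapping for the well-formed document and three problems for the concatenated one (missing `locations`, an embedded path, and the raw detail block). A check like this can be run over a `.sarif` file before it is uploaded to code scanning, so that results that would render without a file/line annotation are caught early.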
See results ossf-tests/scorecard-action-results#2
Workflow that generated it is https://github.com/ossf-tests/scorecard-action/runs/6187072538?check_suite_focus=true
The results are odd and wrong. Consider https://github.com/ossf-tests/scorecard-action-results/blob/a61cd2ab16265c0dad77b7fc9eb3fa0e7f7fa6b3/scorecard-action-main.sarif#L271-L311 or more specifically https://github.com/ossf-tests/scorecard-action-results/blob/a61cd2ab16265c0dad77b7fc9eb3fa0e7f7fa6b3/scorecard-action-main.sarif#L274