
BUG Mismatch in docs for Webhooks severity #2154

Closed
spencerschrock opened this issue Aug 16, 2022 · 3 comments
Assignees
Labels
good first issue (Good for newcomers), kind/bug (Something isn't working)

Comments

@spencerschrock
Member

Describe the bug
The YAML which defines the Webhooks check has a mismatch between the risk (high) and the description (critical). I'm not sure what the proper level is, but it affects what the users see in docs/checks.md and ultimately how the scores will be calculated once the Webhooks check is enabled.

Reproduction steps
N/A

Expected behavior
The risk and the description of the risk should match.

Additional context
Add any other context about the problem here.

@leec94
Contributor

leec94 commented Jul 21, 2023

I can take this one. Does the risk affect the weighting in the final score? If so, is there somewhere in the code I can check to see whether it's actually programmed as "high" or "critical"?

fwiw in the main readme the webhook check is described as risk "High" in the checks table: https://github.com/ossf/scorecard#checks-1

@spencerschrock
Member Author

> I can take this one. Does the risk affect the weighting in the final score? If so, is there somewhere in the code I can check to see whether it's actually programmed as "high" or "critical"?

The risk does affect weighting, but it's taken from the check yaml file. So I don't think that helps identify a source of truth.

> fwiw in the main readme the webhook check is described as risk "High" in the checks table: https://github.com/ossf/scorecard#checks-1

That was added after the webhook PR landed, so I'm not sure if Laurent just glanced at the checks file and didn't notice the discrepancy. @laurentsimon do you know what the correct one is? My guess would be critical.
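Because the risk level is read from the check YAML, a mismatch like the one reported here silently changes the score weighting. The following added example (not Scorecard's own code) is a small lint that flags checks whose `risk` field disagrees with the severity named in their own description; it assumes the YAML has already been loaded into a dict (for example with `yaml.safe_load`), and the sample document is constructed to reproduce the Webhooks inconsistency.

```python
import re

# Constructed sample mirroring the layout of Scorecard's checks.yaml.
# The Webhooks entry reproduces the reported bug: the risk field says
# High while the description text calls it a critical risk.
CHECKS = {
    "checks": {
        "Binary-Artifacts": {
            "risk": "High",
            "description": (
                "This check determines whether the project has generated "
                "executable (binary) artifacts. This is a high-risk issue."
            ),
        },
        "Webhooks": {
            "risk": "High",
            "description": (
                "This check determines whether the webhook defined in the "
                "repository has a token configured to authenticate the "
                "origins of requests. This is a critical risk because an "
                "unauthenticated endpoint accepts forged events."
            ),
        },
    }
}

# Hypothetical regex: the severity word immediately preceding "risk"
# ("high-risk", "critical risk") is taken as the description's own claim.
SEVERITY_RE = re.compile(r"\b(critical|high|medium|low)[- ]risk\b", re.IGNORECASE)


def stated_risk_in_text(text: str):
    """Return the severity a description claims for itself, or None."""
    match = SEVERITY_RE.search(text)
    return match.group(1).capitalize() if match else None


def find_risk_mismatches(doc: dict) -> list:
    """Return (check, risk field, risk named in description) for each inconsistent entry."""
    mismatches = []
    for name, spec in doc["checks"].items():
        declared = spec.get("risk", "").capitalize()
        described = stated_risk_in_text(spec.get("description", ""))
        if described is not None and described != declared:
            mismatches.append((name, declared, described))
    return mismatches


if __name__ == "__main__":
    for check, declared, described in find_risk_mismatches(CHECKS):
        print(f"{check}: risk field says {declared}, description says {described}")
```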

@laurentsimon
Contributor

> That was added after the webhook PR landed, so I'm not sure if Laurent just glanced at the checks file and didn't notice the discrepancy. @laurentsimon do you know what the correct one is? My guess would be critical

+1, critical. It allows an external party to connect to the webhook and pretend to be from the repo.
