-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: re-visit outcome definition in findings #2928
Comments
From a discussion: Should probes have a numeric value? e.g number of contributors for the contributor check. or number of minimum reviewers in code review check. |
/cc @AdamKorcz |
The checks that do proportional scoring will benefit from this, as the corresponding probes will need to return a numeric value. The checks that do proportional scoring are: In most of the cases, the probes can handle this by themselves. For example. they can return the number of findings corresponding to a numeric value, however it does increase complexity in the probes, especially regarding understanding the probe outcomes; Some probes can return the number of findings, some probes can only return the number of findings in certain cases, other probes will not return the number of cases. A numeric field in the A related question is how we should use the
From a high level, this is useful for probes that consider whether one/how many of SOMETHING is/are a security risk or not. Two checks that I can think of do that:
If a project has either no webhooks or workflows, Scorecard cannot evaluate whether any of them are a risk. I could imagine that there can be more of these in the future, whether publicly maintained or not; For example, some users might want to check integrations with 3rd-party apps - for the sake of argument let's say an integration with Slack: A scorecard check could be whether this integration is set up securely or insecurely, however, you can only evaluate it if the project actually has a Slack integration. Another example could be fuzzing: Scorecard could consider it positive if non-security findings from OSS-Fuzz are auto-created as a Github issue, however, if the project is not on Github, then Scorecard cannot evaluate this. This could also be relevant to specific types of projects. For example, whether cloud-native projects have configured their |
Following up on the discussion we had this morning:
Sounds useful. Maybe we define an outcome structure like: type Outcome Struct {
Type enum {Int, Bool}
Value interface{}
} The thing to keep in mind is that we will ultimately allow end-users to define their own checks using a (hopefully simple) config file. See an example https://github.com/laurentsimon/scorecard/blob/mvp/flexible-checks/evaluation/policy.yml If we can keep the evaluation engine simple, it's better. I think @AdamKorcz will write up a short proposal about what he thinks is an appropriate solution.
Not a blocker, there was consensus among the maintainers that this is useful Am I missing anything from today's conversation? |
This is in my opinion the optimal way to add the option for numeric return values from probes. I am keeping this text short and am focusing on the details of what I see as the best solution, and am not including trade offs between different types of solutions. Please let me know if I should add more context. I consider type Finding struct {
Probe string `json:"probe"`
Outcome Outcome `json:"outcome"`
Message string `json:"message"`
Location *Location `json:"location,omitempty"`
Remediation *probe.Remediation `json:"remediation,omitempty"`
Values
} I consider the best data structure to be a I don’t see a need for creating nested maps now or in the near future. As such, the complete, changed type Finding struct {
Probe string `json:"probe"`
Outcome Outcome `json:"outcome"`
Message string `json:"message"`
Location *Location `json:"location,omitempty"`
Remediation *probe.Remediation `json:"remediation,omitempty"`
Values map[string]int `json:”values,omitempty”`
} With this change, there is no need for returning multiple findings from each probe. By adding the option to return a numeric value, we should make the following high-level changes to the existing (already merged) probes:
Please scrutinize this suggestion. |
I think there's still value in multiple findings, namely because their location differs. Consider any of the checks that evaluate file contents. There can be more than one dangerous workflow, unpinned dependency, etc. |
Fair point, but wouldn't the number of dangerous workflows and unpinned dependencies be placed in the numeric fields, ie. the map? |
There seems to be no way to do debug messages with findings? Is this something we are expecting? Should all debug logging be done at the raw results level? One discussion was at https://github.com/ossf/scorecard/pull/3486/files#r1366854736 |
In #2919 (comment), Laurent declared Changing the outcome type from int to string would make the current results more consumer friendly: {
"probe": "hasOSVVulnerabilities",
"message": "Project does not contain OSV vulnerabilities",
"outcome": 12
} After {
"probe": "hasOSVVulnerabilities",
"message": "Project does not contain OSV vulnerabilities",
"outcome": "Positive"
} |
The text was updated successfully, but these errors were encountered: