Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Rename OutcomePositive/Negative to something more aligned with the security implication of a probe finding #3866

Closed
pnacht opened this issue Feb 8, 2024 · 2 comments · Fixed by #4017
Closed

Feature: Rename OutcomePositive/Negative to something more aligned with the security implication of a probe finding #3866

pnacht opened this issue Feb 8, 2024 · 2 comments · Fixed by #4017
Labels
kind/enhancement New feature or request needs discussion
Milestone
Structured results

Comments

@pnacht
Copy link
Contributor

pnacht commented Feb 8, 2024

Is your feature request related to a problem? Please describe.
OutcomePositive/Negative are big words for "yes" and "no". There have been various places/discussions requiring added logic to handle the fact that "yes" for one probe means it is safe, but for another probe it means it's dangerous (most recently, #3816 (comment)).

Describe the solution you'd like
Replace OutcomePositive/Negative (i.e. "yes"/"no") with "safe"/"unsafe": OutcomeSafe/Unsafe, OutcomeGood/Bad, etc.

I believe this will be more immediately legible: "ah, I don't even know what this probe is looking for, but apparently the project is safe from it!"

It may also simplify evaluation logic, since we don't need to special-case probes where Positive is a bad thing: OutcomeGood will always increase a project's score, OutcomeBad will always decrease it.

Describe alternatives you've considered
Probes could be renamed so that OutcomePositive always means it's safe. But this can lead to "negative" probe names (doesNotDoX), which doesn't follow the general coding principle that "variables" should be in the affirmative.
@pnacht pnacht added the kind/enhancement New feature or request label Feb 8, 2024
@spencerschrock spencerschrock added this to the Structured results milestone Feb 8, 2024
@spencerschrock
Copy link
Member

See also: #3654

@spencerschrock spencerschrock mentioned this issue Mar 21, 2024
Merged
2 tasks
@spencerschrock
Copy link
Member

OutcomePositive/Negative are big words for "yes" and "no".
It may also simplify evaluation logic, since we don't need to special-case probes where Positive is a bad thing: OutcomeGood will always increase a project's score, OutcomeBad will always decrease it.

Some of the maintainers synced offline and Positive/Negative were intended to be used in the manner you describe using Good/Bad. One downside is Positive / Negative have the unintentional confusion with "yes"/"no" that you mention.

I believe this will be more immediately legible: "ah, I don't even know what this probe is looking for, but apparently the project is safe from it!"

Part of the appeal of structured results is letting the consumer dictate their policy, so declaring certain behavior as safe or unsafe forces our policy on others to some extent. For clearly dangerous things (e.g. script injection), I doubt there will be disagreements. For more opinionated heuristics (commit activity, pinned dependencies, etc), we'd like to avoid imposing our bias.

So we're just going to avoid judgement and stay factual with True/False as a more clear yes/no. Which will let us avoid the weird names /added logic you referred to:

  • notArchived -> archived
  • freeOfBinaryArtifacts -> hasBinaryArtifacts

@spencerschrock spencerschrock mentioned this issue Apr 8, 2024
Merged
2 tasks
@github-project-automation github-project-automation bot moved this from Todo to Done in Scorecard - NEW Apr 8, 2024
This was referenced Apr 10, 2024
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/enhancement New feature or request needs discussion
Projects
Scorecard - NEW
Status: Done
Milestone
Structured results
Development

Successfully merging a pull request may close this issue.

⚠️ Replace Positive and Negative outcomes with True and False spencerschrock/scorecard
2 participants
@spencerschrock @pnacht