Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature - Human readable report to link to from scorecards badge #206

Open
godofredoc opened this issue Sep 9, 2022 · 15 comments
Open

Feature - Human readable report to link to from scorecards badge #206

godofredoc opened this issue Sep 9, 2022 · 15 comments
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@godofredoc
Copy link

Is your feature request related to a problem? Please describe.
No, this is a feature request for generating a human readable report rather than printing json when clicking on the scorecard badge.
Describe the solution you'd like
Clicking on the scorecard badge redirects to json output e.g. link. It would be great if a human readable version could be generated from the json.

Describe alternatives you've considered
N/A

Additional context
Users clicking on the scorecard badge need to manually parse the json to understand what the project score means.

@godofredoc godofredoc added the enhancement New feature or request label Sep 9, 2022
naveensrinivasan referenced this issue in ossf/scorecard Sep 9, 2022
- This helps with this issue https://github.com/ossf/scorecard/issues/2243

Signed-off-by: naveensrinivasan <[email protected]>
@azeemshaikh38
Copy link
Contributor

Thanks for the report @godofredoc. Should be doable by using JS to convert the JSON. I'm not too familiar with JS so I might be slow to get this fixed. If anyone else wants to take a shot at this, happy to give it over.

Moving to scorecard-webapp repo for better tracking.

@azeemshaikh38 azeemshaikh38 transferred this issue from ossf/scorecard Sep 14, 2022
@azeemshaikh38 azeemshaikh38 added the good first issue Good for newcomers label Sep 14, 2022
@azeemshaikh38 azeemshaikh38 self-assigned this Sep 14, 2022
@CaseyHillers
Copy link

@godofredoc can you expand on what would make this human readable?

@ditman
Copy link

ditman commented Oct 6, 2022

It seems that badge results are linked to a JSON file.

Instead, it should link to a webpage that like looks part of the https://securityscorecards.dev website, and that's fit for human consumption and maybe, make the JSON file available somewhere from a link there too. Maybe have two links:

@godofredoc
Copy link
Author

Ideally an html table presenting the name, description, score and a link to more docs but having a formatted json may be a good intermediate option.

Note: formatted json may need to go to a new API as there is some tooling that expects the json as a single string. @laurentsimon

@ricardoamador
Copy link

Looking at this more @ditman has the right approach. I can certainly modify the return data but I don't think that is the way to go about it. Better to make a webpage with either that formatted json or something prettier.

@diogoteles08
Copy link

Hello people, just wanted to say that I'm glad this issue already exists and it should be very helpful. I was working to add the badge on the Angular project, and the reason why they have declined the PR seems to be closely related to this issue.

@jakemac53
Copy link

+1 clicking the badge currently does not give you much context as to its meaning. I expected to get linked to a website, and a report. The website would have more information about the general meaning of the badge on it.

@diogoteles08
Copy link

We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular

Would this be a definitive solution, or you are still working on a different one?

@naveensrinivasan
Copy link
Member

We now have the option to redirect the badge to the result of the search on deps.dev. E.g., a possible badge for angular could lead to https://deps.dev/project/github/angular%2Fangular

Would this be a definitive solution, or you are still working on a different one?

@laurentsimon and I were thinking the same. Until Scorecards builds its UI, this is a good solution! Thanks for the suggestion.

@ditman
Copy link

ditman commented Jan 19, 2023

The link to deps.dev is definitely better than the JSON file! Thanks for the message @diogoteles08!

(I think this issue should stay open until it is decided whether the scorecard-webapp will render a pretty output like deps.dev or not.)

((Also not all the repos seem to be available in deps.dev? Can't find flutter/packages for example :/))

@joycebrum
Copy link

Hi, I would like to bring a feedback from a maintainer from systemd (see systemd/systemd#25042 (comment)) that it is really important that the result linked to the badge to be human readable. As mentioned, not all projects are available to be shown through deps.dev (even though they publish the results)

@evverx
Copy link

evverx commented May 5, 2023

it is really important that the result linked to the badge to be human readable

I think that apart from that to make it actually useful numerous scorecard false positives should be addressed as well. The official way of "fixing" them in the security dashboard doesn't work there because those results are raw and unfiltered.

@evverx
Copy link

evverx commented May 6, 2023

With the debug option this feature would be even more important: ossf/scorecard-action#176.

(before I forget it's related to systemd/systemd#27530)

@evverx
Copy link

evverx commented May 9, 2023

Looks like it should be addressed in ossf/scorecard#2979

@ditman
Copy link

ditman commented May 9, 2023

Looks like it should be addressed in ossf/scorecard#2979

It does look pretty!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests

10 participants