scorecard: BUG: Parsing errors

Noticing many parsing errors during cron job. Not blocking cron job, but good to fix since otherwise we just return ErrScorecardInternal. Some examples to reproduce shown below:

scorecard --repo=github.com/ufal/udpipe --checks=Pinned-Dependencies

scorecard --repo=github.com/ubisoft/Sharpmake --checks=Pinned-Dependencies

scorecard --repo=github.com/uber/okbuck --checks=Pinned-Dependencies

scorecard --repo=github.com/uber/NullAway --checks=Pinned-Dependencies

scorecard --repo=github.com/aliyun/aliyun-odps-python-sdk --checks=Token-Permissions,Pinned-Dependencies

scorecard --repo=github.com/alibaba/GraphScope --checks=Token-Permissions

scorecard --repo=github.com/u-boot/u-boot --checks=Pinned-Dependencies

There might be more cases. Will add as I find them. Would be good to fix these and add these repos to cron/data/projects.release.csv as and when we fix them.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 32 (32 by maintainers)

Most upvoted comments

Parsing errors that showed up with the new actionlint parser:

./scorecard --repo=github.com/containous/maesh --checks=Pinned-Dependencies
./scorecard --repo=github.com/mahmoud/boltons --checks=Pinned-Dependencies

It would be good if we put a system in place to monitor for these warnings.

+1. See https://github.com/ossf/scorecard/blob/main/stats/views.go#L50. You can use that to record/monitor these parse errors.

We can start with this to get a sense of how bad the problem is and then decide on whether we should log a warning and continue.

Sounds like a reasonable approach. Also verify that if `if: runner.os == 'Windows'` is present, at least one Windows OS is specified in `runs-on`.
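The check proposed in the last comment (a step gated on runner.os == 'Windows' in a job whose runs-on names no Windows runner), as an added Go example that is not scorecard's own code: Step, Job, labels, windowsGated and CheckWindowsConditions are hypothetical names, and the workflow is assumed to be already decoded from YAML into these structs.

```go
package main

import (
	"fmt"
	"strings"
)

// Step and Job are hypothetical types (not scorecard's own) carrying only the
// fields this check needs; RunsOn is interface{} because "runs-on" may be a
// string or a list in YAML.
type Step struct{ If string } // the step's "if:" expression
type Job struct {
	RunsOn interface{}
	Steps  []Step
}

// labels normalises runs-on to a slice of runner labels.
func labels(runsOn interface{}) []string {
	if s, ok := runsOn.(string); ok {
		return []string{s}
	}
	l, _ := runsOn.([]string)
	return l
}

// windowsGated reports whether an if: expression tests runner.os == 'Windows';
// spacing and quote style vary, so a normalised form is compared.
func windowsGated(expr string) bool {
	c := strings.ReplaceAll(strings.ToLower(expr), " ", "")
	return strings.Contains(strings.ReplaceAll(c, `"`, "'"), "runner.os=='windows'")
}

// CheckWindowsConditions returns one message per job with a Windows-gated step
// but no windows-* label in runs-on. A runs-on given as an expression (e.g. a
// matrix value) cannot be judged statically and is accepted.
func CheckWindowsConditions(jobs map[string]Job) []string {
	var problems []string
	for name, job := range jobs {
		gated, hasWindows := false, false
		for _, s := range job.Steps {
			gated = gated || windowsGated(s.If)
		}
		for _, l := range labels(job.RunsOn) {
			l = strings.ToLower(l)
			hasWindows = hasWindows || strings.HasPrefix(l, "windows") || strings.Contains(l, "${{")
		}
		if gated && !hasWindows {
			problems = append(problems, fmt.Sprintf("job %q: step gated on runner.os == 'Windows' but runs-on names no windows runner", name))
		}
	}
	return problems
}
```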