scorecard: Scorecard fails to detect frozen dependencies in Ruby applications (including Rails apps)
Describe the bug
One of scorecard's requirements is “frozen dependencies”. In Ruby applications, including Rails, frozen dependencies are implemented via a Gemfile.lock file. However, such Ruby applications (such as the CII Best Practices badge project) are incorrectly marked as not having frozen dependencies.
Reproduction steps
Steps to reproduce the behavior:
- View the OpenSSF metrics dashboard for the CII Best Practices badge web application
- Under Scorecard, Frozen deps, it shows “?”
- Yet the CII Best Practices badge application repo clearly shows a Gemfile.lock file (not just a Gemfile).
Expected behavior
I expected full credit for having frozen dependencies.
Additional context
This is part of a larger effort to get other OpenSSF projects to adopt the scorecard work. We’re starting by looking at the CII Best Practices badge & seeing what’s there, what isn’t, and what could be changed.
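To make concrete what a pinned-dependency check would have to do for a Bundler-managed Ruby repository, here is an added example in Go (scorecard's language). It is not scorecard's own code, and `ParseGemfileLock`, `CheckFrozenRubyDeps` and the sample repository contents are all constructed for this illustration. It parses the `specs:` sections of a Gemfile.lock (which always carry exact resolved versions), reads the `DEPENDENCIES` section, and reports a repo as frozen only when every requested gem resolves to one exact version; a Gemfile without a lock, or a lock with an unresolved gem, is reported as not frozen.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// LockResult summarises what a Gemfile.lock says about dependency pinning.
type LockResult struct {
	Resolved   map[string]string // gem name -> exact resolved version (from specs: sections)
	Requested  []string          // gem names listed under DEPENDENCIES
	Unresolved []string          // requested gems with no resolved entry
}

// Resolved gems sit at exactly four spaces of indent: "    name (version)".
// Their transitive requirements sit at six spaces and are deliberately not matched.
var specRe = regexp.MustCompile(`^    (\S+) \(([^)]+)\)$`)

// DEPENDENCIES entries: "  name", "  name (~> 1.0)", or "  name!" for git/path sources.
var depRe = regexp.MustCompile(`^  ([^\s!]+)!?(?: \([^)]*\))?$`)

// ParseGemfileLock walks the lock file section by section (GEM, GIT, PATH, DEPENDENCIES, ...).
func ParseGemfileLock(content string) LockResult {
	res := LockResult{Resolved: map[string]string{}}
	section, inSpecs := "", false
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimRight(line, "\r")
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, " ") { // unindented lines are section headers
			section, inSpecs = line, false
			continue
		}
		switch section {
		case "GEM", "GIT", "PATH":
			if strings.TrimSpace(line) == "specs:" {
				inSpecs = true
				continue
			}
			if m := specRe.FindStringSubmatch(line); inSpecs && m != nil {
				res.Resolved[m[1]] = m[2]
			}
		case "DEPENDENCIES":
			if m := depRe.FindStringSubmatch(line); m != nil {
				res.Requested = append(res.Requested, m[1])
			}
		}
	}
	for _, name := range res.Requested {
		if _, ok := res.Resolved[name]; !ok {
			res.Unresolved = append(res.Unresolved, name)
		}
	}
	return res
}

// CheckFrozenRubyDeps takes repo-relative paths mapped to file contents and decides
// whether the Ruby dependencies are frozen, returning a human-readable reason.
func CheckFrozenRubyDeps(files map[string]string) (bool, string) {
	if _, ok := files["Gemfile"]; !ok {
		return false, "no Gemfile: not a Bundler-managed Ruby project"
	}
	lock, ok := files["Gemfile.lock"]
	if !ok {
		return false, "Gemfile present but Gemfile.lock missing: versions are not frozen"
	}
	r := ParseGemfileLock(lock)
	if len(r.Requested) == 0 {
		return false, "Gemfile.lock has no DEPENDENCIES section"
	}
	if len(r.Unresolved) > 0 {
		return false, "gems without a resolved version: " + strings.Join(r.Unresolved, ", ")
	}
	return true, fmt.Sprintf("%d requested gems resolve to %d exact versions", len(r.Requested), len(r.Resolved))
}

// SampleRepo is a constructed Rails-style repository: the git remote and versions are made up.
var SampleRepo = map[string]string{
	"Gemfile": "source 'https://rubygems.org'\ngem 'rails', '~> 7.0'\ngem 'rack'\ngem 'nokogiri'\n",
	"Gemfile.lock": `GIT
  remote: https://github.com/example-org/example-gem.git
  revision: 0123456789abcdef0123456789abcdef01234567
  specs:
    example-gem (0.1.0)

GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.13.9-x86_64-linux)
      racc (~> 1.4)
    racc (1.6.0)
    rack (2.2.3)
    rails (7.0.4)
      rack (~> 2.2)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  example-gem!
  nokogiri
  rack
  rails (~> 7.0)

BUNDLED WITH
   2.3.26
`,
}

func main() {
	frozen, reason := CheckFrozenRubyDeps(SampleRepo)
	fmt.Printf("frozen=%v: %s\n", frozen, reason)
}
```

Running it against the sample reports the repo as frozen (four requested gems, five exact versions including the transitive `racc`). The same parser flags the two failure modes this issue is about: a Gemfile with no lock file, and a lock whose DEPENDENCIES list names a gem that no specs section resolves.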
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (18 by maintainers)
FYI: This PR pins dependencies noted: https://github.com/coreinfrastructure/best-practices-badge/pull/1647
It revealed that scorecard doesn’t check .circleci configuration files for pinned dependencies. That probably should be added (if you care about pinning), but that should be a different issue.