Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

would it be possible to disable binary-artifact checks for gradle and mvnw wrapper jars? #782

Open
pjfanning opened this issue Aug 1, 2022 · 1 comment
Open

would it be possible to disable binary-artifact checks for gradle and mvnw wrapper jars? #782

pjfanning opened this issue Aug 1, 2022 · 1 comment

Comments

@pjfanning
Copy link

pjfanning commented Aug 1, 2022
edited

Example failure:
https://github.com/pjfanning/excel-streaming-reader/security/code-scanning/1

These jars are commonly checked in to make building easier. If it is the OSSF's aim to discourage this common practice, then that's ok. It's just that up until now, it has not been regarded as major issue.
@laurentsimon
Copy link
Contributor

laurentsimon commented Aug 4, 2022
edited

Scorecard now ignores gradle wrappers ossf/scorecard@dd8fbc0, so the next release should not complain.

Scorecard now looks for the "gradle wrapper" GitHub action that verifies whether binaries have the same hash pubished by gradle's official repo. If the action is installed, scorecard ignores the binary. Is there something similar for maven?

/cc ethanent who wrote the PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pjfanning @laurentsimon