"dependency not pinned by hash detected -- score normalized to 5" does not distinguish dev-time dependencies #2518
Comments
Thanks for the report. Can you walk me through your installation process? Typically we expect users to use requirements.txt, but I don't see one in your repo. Can you tell me the alert reported by scorecard? If you ran the CLI tool, please add
Thanks for taking a look at this.
You can find these here: https://github.com/jab/bidict/tree/main/dev-deps As such, these dependencies are only installed when linting or testing (etc.). See the lines like
When I view https://deps.dev/pypi/bidict and expand "Pinned Dependencies", I get the alert I quoted in the issue description, "dependency not pinned by hash detected -- score normalized to 5". Here is a screenshot:
I had not run the CLI tool, but I just did and confirmed that the same alert and resulting score appears in that output:
In this case, it looks like it's actually the lack of pinning-by-hash in files like
I think this is a good fit for Annotations, a previously proposed feature that could in this case tell scorecard to skip certain files for the Pinned-Dependencies check.
Maybe I'm misunderstanding, but rather than hard-coding a list of files to skip, ideally the tool would recognize that this is a Python package, and as such, look for its dependencies in standard locations, see e.g. https://packaging.python.org/en/latest/specifications/declaring-project-metadata/. For my project, the tool should see
Had the same issue and trying to understand whether the scanner expects the use of I'm using two variations in different dev deps and both got flagged:
This one may be a false positive. iiuc, the
This one expects a
I moved everything to --require-hashes to get the job done and just reached 9.1 ;) Thanks a lot for confirming @laurentsimon! Only two unrelated items left for us to get to 10 - separate to this regardless:
@gabibguti fyi
My project has no build-time or run-time dependencies, it only has development-time dependencies (test runners, linters, etc.).
(I pin the dev-time dependencies to exact versions. But until pip-tools adds better support for hashes, pinning to hashes incurs prohibitively expensive maintenance costs. In return, pinning to hashes provides little to no benefit to users of my project, for whom none of these dependencies actually get pulled in transitively.)
Nonetheless, it looks like my project's score is being unfairly penalized with "dependency not pinned by hash detected -- score normalized to 5", which is as large a penalty as if these were runtime dependencies that did get pulled in for users, rather than the dev-time dependencies that they actually are.
Can the scoring system please be improved to take this into account, so projects like mine aren't penalized unfairly?
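As an added example (not part of this issue thread and not scorecard's own code), the following Python script classifies each requirement in a pip requirements file as hash-pinned, version-pinned, or unpinned, the distinction the report above draws and the one the `--require-hashes` migration mentioned in the comments resolves. Both requirement files are constructed and the sha256 digests are placeholders.

```python
import re

# Constructed sample: dev deps pinned to exact versions only, plus one floating bound.
VERSION_PINNED = """\
# constructed example, not the project's real dev-deps file
pytest==7.2.0
mypy==0.991  # type checker
coverage>=6.0  # floating lower bound, not pinned at all
"""

# Constructed sample: the same deps after moving to pip's --require-hashes mode.
HASH_PINNED = """\
--require-hashes
pytest==7.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
mypy==0.991 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
"""

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines, as pip does."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # '#' after whitespace starts a comment
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined

def classify(text):
    """Return {name: 'hash' | 'version' | 'unpinned'} for each requirement line."""
    result = {}
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as --require-hashes
            continue
        tokens = line.split()
        name = re.split(r"[=<>!~\[;@]", tokens[0], 1)[0]
        if any(t.startswith("--hash=sha256:") for t in tokens[1:]):
            result[name] = "hash"
        else:
            result[name] = "version" if "==" in tokens[0] else "unpinned"
    return result

def not_hash_pinned(text):
    """Names a hash-pinning check would flag, mirroring the scorecard alert in the report."""
    return sorted(n for n, kind in classify(text).items() if kind != "hash")
```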