New check suggestion: Fork; is the repository a fork? #3223
Comments
andrelmbackman
changed the title
|
Thanks for the issue. Given the description of Scorecard in https://github.com/ossf/scorecard#what-is-scorecard, I'm curious if "fork" is a best practice with a remediation for maintainers, or if the goal if mostly to detect malicious repository - which is out of scope of Scorecard. One possibility could be to report the information as part of repository metadata https://github.com/ossf/scorecard/blob/main/pkg/scorecard_result.go#L55 instead. The metadata is a list, and should probably replaced by a map Or, if we want to have backward compatibility, maybe add it in repo https://github.com/ossf/scorecard/blob/main/pkg/scorecard_result.go#L41? |
|
I think we would be reliant on GitHub for detection, and there's ways to make forks without keeping that metadata, so I'm not sure how useful it would be. |
|
This issue is stale because it has been open for 60 days with no activity. |
|
This issue is stale because it has been open for 60 days with no activity. |
|
This issue has been marked stale because it has been open for 60 days with no activity. |
|
Duplicate of #2352 - both may be addressed by starting with an |
Is your feature request related to a problem? Please describe.
It would be nice to have the scorecard evaluate whether or not the repository is a fork, if it has a parent etc.
The security risk is that the project can be forked to a very similar name of the original and malicious code can be added(also called typosquatting).
Describe the solution you'd like
I would simply add a check called Fork which scores high if the repository is not a fork and low if it is. Go-github has a Fork boolean in one of its structs as well as Parent and Source pointers, these would be utilized.
Describe alternatives you've considered
Adding this functionality to the Client. That way it could be implemented in a probe, instead of making a completely new check.
The text was updated successfully, but these errors were encountered: