Starting [Signed-Releases]
Starting [Branch-Protection]
Starting [Token-Permissions]
Starting [Packaging]
Starting [Maintained]
Starting [Security-Policy]
Starting [Code-Review]
Starting [SAST]
Starting [Vulnerabilities]
Starting [CII-Best-Practices]
Starting [Pinned-Dependencies]
Starting [Dependency-Update-Tool]
Starting [Binary-Artifacts]
Starting [CI-Tests]
Starting [Contributors]
Starting [Fuzzing]
Finished [Pinned-Dependencies]
Finished [Dependency-Update-Tool]
Finished [Binary-Artifacts]
Finished [CI-Tests]
Finished [Contributors]
Finished [Fuzzing]
Finished [Signed-Releases]
Finished [Branch-Protection]
Finished [Token-Permissions]
Finished [Packaging]
Finished [Maintained]
Finished [Security-Policy]
Finished [Code-Review]
Finished [SAST]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]

RESULTS
-------
Aggregate score: 5.1 / 10

Check scores:

| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---|---|---|---|---|
| 0 / 10 | Binary-Artifacts | binaries present in source code | Warn: binary detected: .mvn/wrapper/maven-wrapper.jar; Warn: binary detected: log4j-core/src/test/resources/org/apache/logging/log4j/core/impl/ForceNoDefClassFoundError.class; Warn: binary detected: src/ide/Intellij/13/IntellijSettings.jar; Warn: binary detected: src/ide/Intellij/2016/CodeStyle.jar | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#binary-artifacts |
| 0 / 10 | Branch-Protection | branch protection not enabled on development/release branches | Warn: branch protection not enabled for branch 'master' | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#branch-protection |
| 4 / 10 | CI-Tests | 12 out of 30 merged PRs checked by a CI test -- score normalized to 4 | | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge detected | | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#cii-best-practices |
| 2 / 10 | Code-Review | GitHub code reviews found for 8 commits out of the last 30 -- score normalized to 2 | Info: Gerrit code reviews found for 0 commits out of the last 30; Info: Prow code reviews found for 0 commits out of the last 30 | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#code-review |
| 10 / 10 | Contributors | 25 different companies found -- score normalized to 10 | Info: contributors work for: nextiva, apple, palantir, opendi, grobmeier-solutions, apache <3, apache software foundation, bolcom, yupiik, zgphp, WebCampZg, big fish software, huawei, iconparc gmbh, apache, grobmeier solutions gmbh, forge, cukespace, česká spořitelna a.s., timeandbill, jenkinsci-cert, jekyll, bigfishsoftware, pkware, jenkinsci | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#contributors |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: dependabot detected: .github/dependabot.yml:1 | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#dependency-update-tool |
| 10 / 10 | Fuzzing | project is fuzzed in OSS-Fuzz | | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#fuzzing |
| 10 / 10 | Maintained | 30 commit(s) out of 30 and 0 issue activity out of 0 found in the last 90 days -- score normalized to 10 | | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#maintained |
| ? | Packaging | no published package detected | Warn: no GitHub publishing workflow detected | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#packaging |
| 6 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 6 | Warn: GitHub-owned dependency not pinned by hash (job 'run'): .github/workflows/benchmark.yml:37; Warn: GitHub-owned dependency not pinned by hash (job 'run'): .github/workflows/benchmark.yml:40; Warn: GitHub-owned dependency not pinned by hash (job 'run'): .github/workflows/benchmark.yml:62; Warn: GitHub-owned dependency not pinned by hash (job 'index'): .github/workflows/benchmark.yml:179; Warn: GitHub-owned dependency not pinned by hash (job 'index'): .github/workflows/benchmark.yml:184; Warn: GitHub-owned dependency not pinned by hash (job 'build'): .github/workflows/main.yml:17; Warn: GitHub-owned dependency not pinned by hash (job 'build'): .github/workflows/main.yml:20; Warn: third-party dependency not pinned by hash (job 'build'): .github/workflows/main.yml:62; Warn: GitHub-owned dependency not pinned by hash (job 'build'): .github/workflows/main.yml:72; Warn: dependency not pinned by hash: 'openjdk:8': Dockerfile:16; Warn: dependency not pinned by hash: 'openjdk:11-jdk-slim': log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/Dockerfile:19; Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles; Info: no insecure (not pinned by hash) dependency downloads found in shell scripts; Info: no insecure (not pinned by hash) dependency downloads found in GitHub workflows | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | Warn: 0 commits out of 30 are checked with a SAST tool; Warn: CodeQL tool not detected | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#sast |
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy detected: SECURITY.md:1 | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#security-policy |
| ? | Signed-Releases | no releases found | Warn: no GitHub releases found | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | non read-only tokens detected in GitHub workflows | Warn: no top level permission defined: .github/workflows/benchmark.yml:1; Warn: no top level permission defined: .github/workflows/main.yml:1 | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | | https://github.com/ossf/scorecard/blob/f991fee32da59b6de1b339cc0376062297463b2f/docs/checks.md#vulnerabilities |
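The Pinned-Dependencies and Token-Permissions rows above are the two findings a maintainer can fix entirely inside the repository, so it helps to see exactly what the checker is matching on. The following is an added example written for this page, not Scorecard's own implementation: a stdlib-only, line-based scan that reproduces the three warning shapes in the table (a `uses:` step whose `@ref` is a tag rather than a full commit SHA, a Dockerfile `FROM` image with no `@sha256:` digest, and a workflow file with no top-level `permissions:` key), applied to a constructed weak workflow, a constructed hardened workflow, and a constructed multi-stage Dockerfile. The 40-hex commit SHA and the all-zero sha256 digest in the hardened samples are placeholders, not real upstream values, and the file paths are illustrative.

```python
"""Scorecard-style scan for unpinned dependencies and missing token permissions.

Added example for this page; not Scorecard's code. Line-based, no YAML parser.
Sample workflow/Dockerfile texts are constructed; the commit SHA and sha256
digest in the hardened samples are placeholders, not real values.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

_SHA_REF = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # full git commit id only
_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")          # step ref, trailing comment dropped
_JOB_NAME = re.compile(r"^  (\S+):\s*$")                  # two-space key under `jobs:`
_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


@dataclass
class Finding:
    check: str
    path: str
    line: int
    message: str


def _is_pinned(ref: str) -> bool:
    """True when a `uses:` ref is immutable: commit SHA, image digest, or local action path."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if ref.startswith("."):          # ./path/to/action lives in the checked-out repo
        return True
    _, _, version = ref.partition("@")
    return bool(_SHA_REF.match(version))


def check_workflow(path: str, text: str) -> list[Finding]:
    """Token-Permissions and Pinned-Dependencies findings for one workflow file."""
    findings: list[Finding] = []
    lines = text.splitlines()
    # Mirrors the report's "no top level permission defined" warning. Scorecard also
    # looks at per-job permissions; this simplified check only inspects the top level.
    if not any(re.match(r"^permissions:", ln) for ln in lines):
        findings.append(Finding("Token-Permissions", path, 1, "no top level permission defined"))
    in_jobs, job = False, "?"
    for n, ln in enumerate(lines, start=1):
        if re.match(r"^jobs:", ln):
            in_jobs = True
            continue
        if in_jobs and (m := _JOB_NAME.match(ln)):
            job = m.group(1)
        if (m := _USES.match(ln)) and not _is_pinned(m.group(1)):
            ref = m.group(1)
            owner = "GitHub-owned" if ref.startswith(("actions/", "github/")) else "third-party"
            findings.append(Finding("Pinned-Dependencies", path, n,
                                    f"{owner} dependency not pinned by hash (job '{job}'): {ref}"))
    return findings


def check_dockerfile(path: str, text: str) -> list[Finding]:
    """Pinned-Dependencies findings for FROM lines; earlier build-stage aliases are skipped."""
    findings: list[Finding] = []
    stages: set[str] = set()
    for n, ln in enumerate(text.splitlines(), start=1):
        if not (m := _FROM.match(ln)):
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() not in stages and image.lower() != "scratch" and "@sha256:" not in image:
            findings.append(Finding("Pinned-Dependencies", path, n,
                                    f"dependency not pinned by hash: '{image}'"))
        if alias:
            stages.add(alias.lower())
    return findings


# Constructed samples. Tag-pinned steps and no top-level permissions, as in the report.
WEAK_WORKFLOW = """name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
      - uses: some-org/some-action@v1
"""
# Same workflow with read-only token and SHA pins (placeholder SHA, not a real commit).
HARDENED_WORKFLOW = """name: build
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder)
      - uses: ./.github/actions/local
"""
# Stage 1 unpinned, stage 3 pinned by digest (placeholder digest), stage 2 reuses a stage.
DOCKERFILE = """FROM openjdk:11-jdk-slim AS build
RUN ./mvnw -q package
FROM build AS tests
FROM openjdk:11-jdk-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app.jar /app.jar
"""

if __name__ == "__main__":
    for f in check_workflow(".github/workflows/main.yml", WEAK_WORKFLOW) + check_dockerfile("Dockerfile", DOCKERFILE):
        print(f"Warn [{f.check}] {f.path}:{f.line}: {f.message}")
    print("hardened workflow findings:", check_workflow("hardened.yml", HARDENED_WORKFLOW))
```

Running the block prints one Token-Permissions warning and three Pinned-Dependencies warnings for the weak workflow (two GitHub-owned, one third-party, each tagged with the job name as in the report), one warning for the first `FROM` in the Dockerfile, and an empty list for the hardened workflow. Replacing the placeholder SHA with the real commit behind the tag, and adding `permissions: read-all` (then widening per job only where a step actually writes), is the remediation the linked Scorecard docs describe.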
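The Binary-Artifacts row flags four committed files (a Maven wrapper jar, a test `.class`, two IDE settings jars) that nobody can review as source and that may not match what the build produces. As an added example for this page, not Scorecard's code, here is a scanner that walks a checkout and reports such files the way the table does, classifying by magic bytes first (jar/zip, Java class, ELF, PE) and by a NUL-byte heuristic for anything else, so UTF-8 text with non-ASCII characters is not mistaken for a binary. The mini-repository it scans is constructed in a temporary directory; the file names are illustrative.

```python
"""Added example for this page, not Scorecard's code: find binary artifacts in a checkout.

Classifies each file by magic bytes, then by presence of NUL bytes in the first
8000 bytes (the same window git uses for its own binary heuristic). The sample
tree written by make_sample_tree() is constructed for the demo.
"""
from __future__ import annotations
import pathlib
import tempfile

# Magic numbers for the artifact types in the report (jar = zip, class) plus native
# executables. 0xCAFEBABE is also the Mach-O fat-binary magic; both are binaries.
MAGIC = (
    (b"\xca\xfe\xba\xbe", "java class / mach-o fat"),
    (b"PK\x03\x04", "zip archive (jar, war, ...)"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
)
HEAD_BYTES = 8000


def classify(head: bytes) -> str | None:
    """Return a label if `head` looks like a binary artifact, else None."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    # Text files, including UTF-8 with non-ASCII characters, never contain NUL.
    if b"\x00" in head[:HEAD_BYTES]:
        return "binary (NUL bytes)"
    return None


def find_binaries(root: str | pathlib.Path) -> list[tuple[str, str]]:
    """List (relative POSIX path, label) for every binary file under root, sorted; .git is skipped."""
    root = pathlib.Path(root)
    hits: list[tuple[str, str]] = []
    for path in root.rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        with path.open("rb") as fh:
            label = classify(fh.read(HEAD_BYTES))
        if label:
            hits.append((path.relative_to(root).as_posix(), label))
    return sorted(hits)


def make_sample_tree() -> str:
    """Write a constructed mini-repo with the kinds of files the report lists."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / ".mvn/wrapper").mkdir(parents=True)
    (root / ".mvn/wrapper/maven-wrapper.jar").write_bytes(b"PK\x03\x04" + b"\x00" * 32)  # zip header
    (root / "Foo.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")                # class header
    (root / "Foo.java").write_text("class Foo {}\n")
    (root / "README.md").write_text("Příliš žluťoučký kůň\n", encoding="utf-8")         # non-ASCII text
    (root / ".git").mkdir()
    (root / ".git/index").write_bytes(b"DIRC\x00\x00\x00\x02")                            # git metadata, skipped
    return str(root)


if __name__ == "__main__":
    for rel, label in find_binaries(make_sample_tree()):
        print(f"Warn: binary detected: {rel} ({label})")
```

On the sample tree this prints exactly the jar and the class file; `Foo.java`, the non-ASCII README and the `.git` internals are not reported. Run `find_binaries(".")` from a repository root to get the same list Scorecard would warn about, then decide per file whether to delete it, move it to a release artifact, or document why it must stay.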