What's Changed
We’ll highlight the major changes between v4.13.1 and v5.0.0 below, as well as some of the changes between v5.0.0-rc2 and v5.0.0. For a more complete picture, see the v5.0.0-rc1 and v5.0.0-rc2 changelogs as well.
Structured Results
Structured Results is the main feature of this release. At a high level, structured results break the existing 19 Scorecard checks into individual heuristics (probes) so users can pick and choose which ones they care about. You can see a list of all supported probes in our documentation (pay attention to the lifecycle / stability guarantees). To run individual probes, use the --probes CLI flag with a comma-separated list of names. You must also specify the --format probe option to see the results. Run scorecard --help if you need more details.
Example:
scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe
For more details on the feature, please check out our blog post or the talk given at Open Source Summit NA 2024: Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies.
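Once the probe output is JSON, the "tailor your own policy" idea above is a small amount of code: decode the findings and compare each probe's outcome against the outcome your policy requires. The program below is an added example written for this page, not Scorecard's own code. It assumes the --format probe document carries a top-level "findings" array whose entries have "probe", "message" and "outcome" fields (with outcomes such as "True", "False", "NotApplicable", "NotSupported"); the policy, the sample report and the probe name releasesHaveVerifiedProvenance are my own choices and should be checked against the probe list in the documentation. A probe that produced no finding is treated as a violation rather than a pass, so a probe that was not requested or is not supported cannot satisfy the policy by accident.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// ProbeReport is the subset of the --format probe JSON this example reads.
// The field names are an assumption about Scorecard's probe output format,
// not copied from the project; encoding/json ignores fields not listed here.
type ProbeReport struct {
	Repo struct {
		Name   string `json:"name"`
		Commit string `json:"commit"`
	} `json:"repo"`
	Findings []Finding `json:"findings"`
}

// Finding is one probe result. Outcome is the string Scorecard emits,
// e.g. "True", "False", "NotApplicable", "NotSupported", "NotAvailable", "Error".
type Finding struct {
	Probe   string `json:"probe"`
	Message string `json:"message"`
	Outcome string `json:"outcome"`
}

// Policy maps a probe name to the outcome the consumer requires.
type Policy map[string]string

// Violation is one finding (or absent probe) that does not satisfy the policy.
type Violation struct {
	Probe    string
	Expected string
	Actual   string
	Message  string
}

// ParseReport decodes a probe-format report.
func ParseReport(data []byte) (ProbeReport, error) {
	var r ProbeReport
	err := json.Unmarshal(data, &r)
	return r, err
}

// Evaluate checks every policy entry against the report. A probe with no
// finding is reported as "Missing" instead of passing silently. A probe may
// emit several findings (for example one per release); each is checked.
// Results are sorted by probe name so output is stable across runs.
func Evaluate(report ProbeReport, policy Policy) []Violation {
	byProbe := map[string][]Finding{}
	for _, f := range report.Findings {
		byProbe[f.Probe] = append(byProbe[f.Probe], f)
	}
	var out []Violation
	for probe, want := range policy {
		findings, ok := byProbe[probe]
		if !ok {
			out = append(out, Violation{Probe: probe, Expected: want, Actual: "Missing"})
			continue
		}
		for _, f := range findings {
			if f.Outcome != want {
				out = append(out, Violation{probe, want, f.Outcome, f.Message})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Probe < out[j].Probe })
	return out
}

// ReleasePolicy is a hypothetical policy built from the three probes in the
// CLI example above plus releasesHaveVerifiedProvenance (assumed name; verify
// it, and its stability level, against the documented probe list).
var ReleasePolicy = Policy{
	"archived":                       "False",
	"hasLicenseFile":                 "True",
	"fuzzed":                         "True",
	"releasesHaveVerifiedProvenance": "True",
}

// sampleReport is constructed for this example; it is not real Scorecard output.
const sampleReport = `{
  "repo": {"name": "github.com/example/project", "commit": "0123456789abcdef0123456789abcdef01234567"},
  "findings": [
    {"probe": "archived", "message": "Repository is not archived.", "outcome": "False"},
    {"probe": "fuzzed", "message": "no fuzzer integrations found", "outcome": "False"},
    {"probe": "hasLicenseFile", "message": "project has a license file", "outcome": "True"}
  ]
}`

func main() {
	data := []byte(sampleReport)
	var err error
	if len(os.Args) > 1 { // optionally read a real report saved from --format probe
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "read:", err)
			os.Exit(2)
		}
	}
	report, err := ParseReport(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(2)
	}
	violations := Evaluate(report, ReleasePolicy)
	for _, v := range violations {
		fmt.Printf("%s: expected %s, got %s (%s)\n", v.Probe, v.Expected, v.Actual, v.Message)
	}
	if len(violations) > 0 {
		os.Exit(1) // non-zero exit so a CI job fails on policy violations
	}
}
```

With the constructed sample the program reports two violations: fuzzed (False where the policy wants True) and releasesHaveVerifiedProvenance (no finding at all, because that probe was never requested on the command line). To run it against a real project, save the output of scorecard --repo ... --probes ... --format probe to a file and pass the path as the first argument; make sure every probe named in the policy is also named in --probes.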
Maintainer Annotations
Maintainer Annotations let maintainers add context that is displayed alongside Scorecard check results. Annotations give users additional information when Scorecard has an incomplete assessment of a project's security practices. To see the maintainer annotations for each check, if present, use the --show-annotations option. For example, the not-detected annotation covers the case where a maintainer fulfills a check or probe in a way that Scorecard supports but did not identify.
For more details, check out our documentation for the feature.
Breaking Changes
API changes
The biggest change is that everything in github.com/ossf/scorecard/v4/pkg now lives in github.com/ossf/scorecard/v5/pkg/scorecard. This allows renaming of some function names and types to be less repetitive.
RunScorecard is now Run
ScorecardResult is now Result
Expected changes:
pkg.RunScorecard() -> scorecard.Run()
pkg.ScorecardResult -> scorecard.Result
The signature of RunScorecard (now called Run) has changed to allow for fewer breaking changes in the future. For the full motivation, see the associated issue. Less setup code should be needed than before: callers no longer need to pass in all clients and arguments and can rely on sensible default behavior. Callers that want to customize the analysis can influence the results with our Option types.
A similar change was made to the result formatters, which now accept a pointer to an option struct. Passing a nil pointer uses the default values.
Unlikely to cause issues
These changes are technically breaking in a semver sense, but we don’t expect most users to depend on them or require changes.
- Dependency diff functionality has been removed in #4146.
  - For GitHub replacements, consider actions/dependency-review-action, which now supports showing Scorecard data.
- clients.Repo must now implement Path in #4104
- clients.RepoClient now returns a read closer in #3912
- Some branch protection types were renamed in #3879
- Some sentinel errors were renamed in #4040
Checks
Binary-Artifacts
- The Binary-Artifacts check now recognizes the new Gradle wrapper validation action, including when the action is pinned to a hash. (#4097, @spencerschrock)
Fuzzing
- ⚠️ OneFuzz detection removed due to deprecation (#3666)
License
- 🐛 fix Unlicense detection by @spencerschrock in #4145
- 📖 Improve the REUSE parts of the License check by @mxmehl in #4155
Pinned-Dependencies
- Improve Pinned-Dependencies remediation creation performance (#4131, @raboof)
- ✨ Add support for NuGet restore by @balteravishay in #4157
Probes
- ✨ probe: releases with verified provenance by @raghavkaul in #4141
Other
- 🐛 Use direct endpoint instead of search to find repository URL from npm database by @aklevans in #4118
- ✨ move to cgr base image by @naveensrinivasan in #4113
- 🐛 fix: correct sarif json schema url by @Zxilly in #4170
New Contributors
- @petermetz made their first contribution in #4111
- @aklevans made their first contribution in #4118
- @mxmehl made their first contribution in #4155
- @Zxilly made their first contribution in #4170
Full Changelog: v4.13.1...v5.0.0