v5.0.0

What's Changed

We’ll highlight the major changes between v4.13.1 and v5.0.0 below, as well as some of the changes between v5.0.0-rc2 and v5.0.0. For a more complete picture, see the v5.0.0-rc1 and v5.0.0-rc2 changelogs as well.

Structured Results

Structured Results is the main feature from this release. At a high level, structured results involve breaking the existing 19 Scorecard Checks into individual heuristics so users can pick and choose which ones they care about. You can see a list of all supported probes by checking out our documentation (paying attention to lifecycle / stability guarantees). To run individual probes, use the --probes CLI flag with a comma separated list of names. You must also specify the --format probe option to see the results. Please run scorecard --help if you need more details.
Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

For more details on the feature, please check out our blog post or the talk given at Open Source Summit NA 2024: Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies.

Maintainer Annotations

Maintainer Annotations let maintainers add context to display alongside Scorecard check results. Annotations can provide users additional information when Scorecard has an incomplete assessment of a project's security practices. To see the maintainers annotations for each check, if present, use the --show-annotations option. For example, the not-detected annotation can annotate when a maintainer fulfills a check or probe in a way that is supported by Scorecard but not identified.

For more details, check out our documentation for the feature.

Breaking Changes

API changes

The biggest change is that everything in github.com/ossf/scorecard/v4/pkg now lives in github.com/ossf/scorecard/v5/pkg/scorecard. This allows renaming of some function names and types to be less repetitive.

• RunScorecard is now Run
• ScorecardResult is now Result

Expected changes:

pkg.ScorecardRun() -> scorecard.Run()
pkg.ScorecardResult -> scorecard.Result

The signature of RunScorecard (now called Run) has changed to allow for fewer breaking changes in the future. For full motivation, see the associated issue. There should be fewer setup code needed than before. Callers no longer need to pass in all clients and arguments and can rely on sensible default behavior. Callers that want to customize the analysis can influence the results with our Option types.

A similar change was done with formatting the results, which now accept an option struct pointer. Using a nil pointer will use default values.

Unlikely to cause issues

These changes are technically breaking in a semver sense, but we don’t expect most users to depend on them or require changes.

• Dependency diff functionality has been removed in #4146.
  • For GitHub replacements, consider actions/dependency-review-action which now supports showing Scorecard data.
• clients.Repo must now implement Path in #4104
• clients.RepoClient now returns a read closer in #3912
• Some branch protection types were renamed in #3879
• Some sentinel errors were renamed in #4040

Checks

Binary-Artifacts

• Binary-Artifacts check now supports the new gradle wrapper validation action, and can be pinned to a hash. (#4097, @spencerschrock)

Dependency-Update-Tool

• ✨ Recognize scala-steward as dependency update tool by @raboof in #4130

Fuzzing

• ⚠️ OneFuzz detection removed due to deprecation #3666

License

• 🐛 fix Unlicense detection by @spencerschrock in #4145
• 📖 Improve the REUSE parts of the License check by @mxmehl in #4155

Packaging

• ✨ detect sbt ci-release packaging workflows by @raboof in #4135

Pinned-Dependencies

• Improve Pinned-Dependencies remediation creation performance (#4131, @raboof)
• ✨ Add support for Nuget restore by @balteravishay in #4157

SBOM

• ✨ Add experimental check for published SBOM by @ashearin in #3903

Vulnerabilities

• 🌱 add stack info to osv-scanner error by @Zxilly in #4172

Probes

• ✨ probe: releases with verified provenance by @raghavkaul in #4141

Other

• 🐛 Use direct endpoint instead of search to find repository URL from npm database by @aklevans in #4118
• ✨ move to cgr base image by @naveensrinivasan in #4113
• 🐛 fix: correct sarif json schema url by @Zxilly in #4170

New Contributors

• @petermetz made their first contribution in #4111
• @aklevans made their first contribution in #4118
• @mxmehl made their first contribution in #4155
• @Zxilly made their first contribution in #4170

Full Changelog: v4.13.1...v5.0.0