would it be possible to disable binary-artifact checks for gradle and mvnw wrapper jars?

[pjfanning]

• https://docs.gradle.org/current/userguide/gradle_wrapper.html
• https://maven.apache.org/wrapper/

Example failure:
https://github.com/pjfanning/excel-streaming-reader/security/code-scanning/1

These jars are commonly checked in to make building easier. If it is the OSSF's aim to discourage this common practice, then that's ok. It's just that up until now, it has not been regarded as major issue.

[laurentsimon]

Scorecard now ignores gradle wrappers ossf/scorecard@dd8fbc0, so the next release should not complain.

Scorecard now looks for the "gradle wrapper" GitHub action that verifies whether binaries have the same hash pubished by gradle's official repo. If the action is installed, scorecard ignores the binary. Is there something similar for maven?

/cc ethanent who wrote the PR

[fab1an]

This needs to be updated, since Gradle-wrapper-validation action changed it's name (https://github.com/gradle/wrapper-validation-action):

Users are encouraged to update their workflows, replacing:

uses: gradle/wrapper-validation-action@v3

with

uses: gradle/actions/wrapper-validation@v3