These jars are commonly checked in to make building easier. If it is the OSSF's aim to discourage this common practice, then that's ok. It's just that up until now, it has not been regarded as a major issue.
Scorecard now ignores gradle wrappers ossf/scorecard@dd8fbc0, so the next release should not complain.
Scorecard now looks for the "gradle wrapper" GitHub action that verifies whether binaries have the same hash published by gradle's official repo. If the action is installed, scorecard ignores the binary. Is there something similar for maven?
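The hash comparison described in the comment above, sketched as an added example (not Scorecard's or the GitHub action's own code): it hashes every checked-in wrapper jar and flags any whose SHA-256 is not in a trusted set. The wrapper file names, the helper names and the sample repository are assumptions built for illustration; in practice the trusted digests would come from checksums published by the build tool's project.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed names of wrapper jars that get checked in to repositories.
WRAPPER_NAMES = {"gradle-wrapper.jar", "maven-wrapper.jar"}

def sha256_file(path):
    """Stream the file so large jars are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_wrappers(repo_root, trusted_digests):
    """Map each wrapper jar's repo-relative path to (sha256, is_trusted)."""
    root = Path(repo_root)
    trusted = {d.lower() for d in trusted_digests}
    report = {}
    for path in sorted(root.rglob("*.jar")):
        if path.name in WRAPPER_NAMES and path.is_file():
            digest = sha256_file(path)
            report[path.relative_to(root).as_posix()] = (digest, digest in trusted)
    return report

def unverified(report):
    """Paths of wrapper jars whose digest is not in the trusted set."""
    return [rel for rel, (_, ok) in report.items() if not ok]

def build_demo_repo(root):
    """Constructed sample tree: one wrapper matches the allowlist, one does not."""
    good = b"constructed wrapper bytes v1"
    files = {
        "gradle/wrapper/gradle-wrapper.jar": good,
        ".mvn/wrapper/maven-wrapper.jar": good + b" modified",
        "lib/other.jar": b"not a wrapper, ignored by the audit",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return {hashlib.sha256(good).hexdigest()}  # constructed trusted set

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        trusted = build_demo_repo(tmp)
        for rel, (digest, ok) in audit_wrappers(tmp, trusted).items():
            print("OK  " if ok else "FAIL", digest[:16], rel)
```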
Example failure:
https://github.com/pjfanning/excel-streaming-reader/security/code-scanning/1