Reproduction steps
Steps to reproduce the behavior:
1. Expand the Binary-Artifacts section.
2. Check the paths to the files: most of them are in testData folders, which don't affect a distribution or an end user.
3. Expand the Pinned-Dependencies section.
4. Check the paths to the files: most of them are in testData folders, which don't affect a distribution or an end user.
5. Expand the Vulnerabilities section.
6. Check the paths to the files that caused the Vulnerabilities findings: most of them are in testData folders, which affect neither a distribution nor an end user. Also, most of them are related to Python dependencies, although the product itself is predominantly written in Java and Python code is used there for tests.
Expected behavior
There is a way either to exclude paths not affecting an end user or a product's distribution from the analysis, or to exclude them from scoring so a reader could see the issues with a vendor's comment but in a muted form, to have a score reflecting the security of the end-user product. Currently, it indicates the security of files included in a repo, which may have a lax connection to the security of the final artifact.
Being able to declare testdata directories (along with other annotations) is something we're currently working on with maintainer annotations (Duplicate of #1907), so stay tuned.
It is one of our items currently being worked on, but I don't have a great timeline, especially when seeing the results in our API.
Note: we currently exclude testdata directories (which is the Go naming convention for test data directories), but our comparison is case-sensitive. Seeing as your directory is named testData, it may be a simpler fix to use a case-insensitive comparison which would ignore your testData directory regardless of the maintainer annotation feature status.
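The comment above describes a case-sensitive match on the Go `testdata` directory name that misses `testData`. As an added example, not Scorecard's own code, the Go snippet below shows a path filter that compares each directory component case-insensitively with `strings.EqualFold`, so `testdata`, `testData` and `TESTDATA` are all excluded, while a file that merely happens to be named `testdata` is kept. The function names, the extra directory names beyond `testdata`, and the sample paths are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// testDataDirNames lists directory names that hold test fixtures rather than
// shipped code. "testdata" is the Go convention; the other two are
// constructed additions for this example, not names Scorecard uses.
var testDataDirNames = []string{"testdata", "test_data", "fixtures"}

// IsTestDataPath reports whether any directory component of a forward-slash
// repository path names a test-data directory. The comparison uses
// strings.EqualFold, so "testData" matches "testdata" (a case-sensitive
// string equality would not).
func IsTestDataPath(p string) bool {
	clean := path.Clean(strings.TrimPrefix(p, "./"))
	parts := strings.Split(clean, "/")
	// Only directory components count: the last component is the file itself,
	// so a file literally named "testdata" is not treated as a fixture dir.
	for _, part := range parts[:len(parts)-1] {
		for _, name := range testDataDirNames {
			if strings.EqualFold(part, name) {
				return true
			}
		}
	}
	return false
}

// FilterFindings drops finding paths that lie under a test-data directory and
// returns the rest, i.e. the paths that can reach the shipped product and
// therefore deserve to influence the score.
func FilterFindings(paths []string) []string {
	kept := make([]string, 0, len(paths))
	for _, p := range paths {
		if !IsTestDataPath(p) {
			kept = append(kept, p)
		}
	}
	return kept
}

func main() {
	// Constructed sample paths; not taken from any real Scorecard report.
	sample := []string{
		"java/java-tests/testData/refactoring/lib/foo.jar",
		"plugins/foo/src/main/java/Bar.java",
		"python/TESTDATA/requirements.txt",
		"build/requirements.txt",
		"tools/testdata", // a file named testdata, not a directory: kept
	}
	for _, p := range FilterFindings(sample) {
		fmt.Println(p)
	}
}
```

The same component-wise check would also let a maintainer annotation supply additional directory names to ignore, since the filter only depends on the `testDataDirNames` list.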
Describe the bug
We have a low security score at https://securityscorecards.dev/viewer/?uri=github.com/JetBrains/intellij-community for the Binary-Artifacts and Pinned-Dependencies categories, although most of the listed paths are from ../testData/.. directories and thus can't influence .