Comments (8)
- Provide a scorecard network service that collects results for projects periodically.
This is the approach we've taken so far. There's a cron that runs every day on ~100 projects and publishes the results in GCS/BigQuery.
I'd be happy to add the envoy deps into that list, it's here: https://github.com/ossf/scorecard/blob/main/cron/projects.txt
from scorecard.
Adding the envoy deps here: #84
from scorecard.
GitHub API supports conditional requests https://docs.github.com/en/rest/overview/resources-in-the-rest-api#conditional-requests
Most responses return an ETag header. Many responses also return a Last-Modified header. You can use the values of these headers to make subsequent requests to those resources using the If-None-Match and If-Modified-Since headers, respectively. If the resource has not changed, the server will return a 304 Not Modified.
Making a conditional request and receiving a 304 response does not count against your Rate Limit, so we encourage you to use it whenever possible.
https://github.com/google/go-github supports Conditional requests https://github.com/google/go-github#conditional-requests
As we are scaling more and more projects this would add a lot of value.
https://github.com/gregjones/httpcache
from scorecard.
A visual representation of the proposed solution.
- k8s cron job runs on a schedule.
- Initial run fetches information using httpcache as a middleware, which caches the HTTP response initially in a large disk (PVC), probably move to Redis later as a cache instead of disk.
- Subsequent cron runs will utilize the httpcache for checking content modification and load it from the cache if it isn't modified, which reduces hitting the Rate Limit of the GitHub API.
from scorecard.
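The conditional-request flow discussed in the comments above, as an added example (not code from scorecard, go-github or httpcache): a standard-library `http.RoundTripper` that stores each body with its ETag, revalidates with `If-None-Match`, and replays the stored body when the server answers `304`. The names `etagTransport` and `cachedPolls`, the URL-only cache key, the `"v1"` ETag, the `X-From-Cache` marker and the local test server are assumptions of this example.

```go
package main
import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

type etagTransport map[string][2]string // URL -> {ETag, body}; example stand-in for httpcache
func (t etagTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	old, hit := t[req.URL.String()]
	if hit = hit && req.Method == http.MethodGet; hit {
		req = req.Clone(req.Context()) // never mutate the caller's request
		req.Header.Set("If-None-Match", old[0])
	}
	resp, err := http.DefaultTransport.RoundTrip(req)
	if err != nil || req.Method != http.MethodGet {
		return resp, err
	}
	body, err := io.ReadAll(resp.Body) // buffer so the body can be stored and replayed
	if resp.Body.Close(); err != nil {
		return nil, err
	}
	if tag := resp.Header.Get("ETag"); hit && resp.StatusCode == http.StatusNotModified {
		body, resp.StatusCode, resp.ContentLength = []byte(old[1]), http.StatusOK, int64(len(old[1]))
		resp.Header.Set("X-From-Cache", "1") // marker set by this example after a 304 replay
	} else if tag != "" && resp.StatusCode == http.StatusOK {
		t[req.URL.String()] = [2]string{tag, string(body)}
	}
	resp.Body = io.NopCloser(strings.NewReader(string(body)))
	return resp, nil
}

// cachedPolls polls a constructed local endpoint n times; returns how many hit the cache.
func cachedPolls(n int) (cached int) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("ETag", `"v1"`) // constructed validator; ServeContent sends 304 on match
		http.ServeContent(w, r, "", time.Time{}, strings.NewReader(`{"id":1}`))
	}))
	defer srv.Close()
	c := &http.Client{Transport: etagTransport{}}
	for i := 0; i < n; i++ {
		if resp, err := c.Get(srv.URL); err == nil && resp.Header.Get("X-From-Cache") == "1" {
			cached++
		}
	}
	return cached
}
func main() { println("served from cache:", cachedPolls(3)) }
```

This sketch ignores `Vary` and keys on the URL alone, so it assumes a single credential per cache; a cache shared between tokens would need the credential reflected in the key.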
Awesome! What would the cache keys be? URLs?
from scorecard.
Awesome! What would the cache keys be? URLs?
Here it is.
https://github.com/gregjones/httpcache/blob/901d90724c7919163f472a9812253fb26761123d/httpcache.go#L42
from scorecard.
This should reduce the GitHub API usage #227
from scorecard.
Close this, since the solution is being tracked/implemented in #318
from scorecard.