14 changes: 8 additions & 6 deletions tool/report_static.py
Expand Up @@ -589,15 +589,17 @@ def write_summary(
"""
)

if enabled_checks.get("source_code") or enabled_checks.get("source_code_sha"):
if (enabled_checks.get("source_code") and len(combined_repo_problems_df) > 0) or (
enabled_checks.get("source_code_sha") and len(sha_not_found_df) > 0
):
md_file.write(
"""
\nFor packages **without source code & accessible SHA/release tags**:\n
- **Why?** Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.\n
1. Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging. \n"""
)

if enabled_checks.get("deprecated"):
if enabled_checks.get("deprecated") and len(version_deprecated_df) > 0:
md_file.write(
"""
\nFor **deprecated** packages:\n
Expand All @@ -606,7 +608,7 @@ def write_summary(
2. Check for not deprecated versions"""
)

if enabled_checks.get("code_signature"):
if enabled_checks.get("code_signature") and (len(code_signature_df) > 0 or len(invalid_code_signature_df) > 0):
md_file.write(
"""
\nFor packages **without code signature**:\n
Expand All @@ -617,23 +619,23 @@ def write_summary(
1. It's recommended to verify the code signature and contact the maintainer to fix the issue."""
)

if enabled_checks.get("forks"):
if enabled_checks.get("forks") and len(forked_package_df) > 0:
md_file.write(
"""
\nFor packages **that are forks**:\n
- **Why?** Forked packages may contain malicious code not present in the original repository, and may not receive security updates.\n
1. Inspect the package and its GitHub repository to verify the fork is not malicious."""
)

if enabled_checks.get("provenance"):
if enabled_checks.get("provenance") and len(provenance_df) > 0:
md_file.write(
"""
\nFor packages **without provenance**:\n
- **Why?** Without provenance, there's no way to verify that the package was built from the claimed source code, making supply chain attacks possible.\n
1. Open an issue in the dependency's repository to request the inclusion of provenance and build attestation in the CI/CD pipeline."""
)

if enabled_checks.get("aliased_packages"):
if enabled_checks.get("aliased_packages") and len(aliased_package_df) > 0:
md_file.write(
"""
\nFor packages that are **aliased**:\n
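Review bot: Gating each remediation section on `len(..._df) > 0` means a clean report no longer shows that a check ran at all, so a reader cannot tell "provenance check found nothing" from "provenance check was disabled" — unless write_summary already lists the enabled checks somewhere outside this section, which I cannot see from here. A short "Checks performed:" line written from `enabled_checks` before these blocks would keep that distinction while still dropping empty guidance. The six new `len(df) > 0` guards also repeat one idiom; a helper such as `def _has_rows(df) -> bool: return df is not None and len(df) > 0` (if a disabled-then-enabled check can hand over `None`, which this hunk does not show) or the pandas-native `not df.empty` would read more clearly and fail in one place rather than six. Line 47 also exceeds the wrapping the first condition was formatted to; `black` would split it like the `source_code` branch. write_summary begins above and continues below this section.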