{"date":"2024-08-16T02:30:56Z","repo":{"name":"github.com/flutter/flutter","commit":"bced008679afc72e43f8c93b2528ef13ca5bae8d"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 16 contributing companies or organizations","details":["Info: google contributor org/company found, google @flutter contributor org/company found, dart-lang contributor org/company found, CodedConsultants contributor org/company found, flutter contributor org/company found, codemagic-ci-cd contributor org/company found, coded consultants ltd contributor org/company found, w3c contributor org/company found, KhronosGroup contributor org/company found, monome-community contributor org/company found, fuchsia-mirror contributor org/company found, whatwg contributor org/company found, Dart-Code contributor org/company found, nexus-xyz contributor org/company found, serverpod contributor org/company found, googlers contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: BSD 3-Clause \"New\" or \"Revised\" License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   7 out of   7 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":1,"reason":"SAST tool is not run on all commits -- score normalized to 1","details":["Warn: 4 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/flutter/.github/SECURITY.md:1","Info: Found linked content: github.com/flutter/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/flutter/.github/SECURITY.md:1","Info: Found text in security policy: github.com/flutter/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/minimal.yml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards-analysis.yml:19","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards-analysis.yml:20","Info: topLevel permissions set to 'read-all': .github/workflows/coverage.yml:14","Warn: topLevel permissions set to 'write-all': .github/workflows/easy-cp.yml:12"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":0,"reason":"52 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-5mg8-w23w-74h3","Warn: Project is vulnerable to: GHSA-7g45-4rm6-3mm3","Warn: Project is vulnerable to: GHSA-4gg5-vx3j-xwc7","Warn: Project is vulnerable to: GHSA-g5ww-5jh7-63cx","Warn: Project is vulnerable to: GHSA-h4h5-3hr4-j3g2","Warn: Project is vulnerable to: GHSA-gwrp-pvrq-jmwv","Warn: Project is vulnerable to: GHSA-6628-q6j9-w8vg","Warn: Project is vulnerable to: GHSA-9hxf-ppjv-w6rq","Warn: Project is vulnerable to: GHSA-cfgp-2977-2fmm","Warn: Project is vulnerable to: GHSA-269q-hmxg-m83q / GHSA-5mcr-gq6c-3hq2","Warn: Project is vulnerable to: GHSA-5jpm-x58v-624v","Warn: Project is vulnerable to: GHSA-xpw8-rcwv-8f8p","Warn: Project is vulnerable to: GHSA-6mjq-h674-j845","Warn: Project is vulnerable to: GHSA-4265-ccf5-phj5","Warn: Project is vulnerable to: GHSA-4g9r-vxhx-9pgx","Warn: Project is vulnerable to: GHSA-6qvw-249j-h44c","Warn: Project is vulnerable to: GHSA-7g24-qg88-p43q","Warn: Project is vulnerable to: GHSA-jgvc-jfgh-rjvv","Warn: Project is vulnerable to: GHSA-8xfc-gm6g-vgpv","Warn: Project is vulnerable to: GHSA-hr8g-6v94-x4m9","Warn: Project is vulnerable to: GHSA-m44j-cfrm-g8qc","Warn: Project is vulnerable to: GHSA-v435-xc8x-wvr9","Warn: Project is vulnerable to: GHSA-wjxj-5m7g-mg7q","Warn: Project is vulnerable to: GHSA-h65f-jvqw-m9fj","Warn: Project is vulnerable to: GHSA-3x8x-79m2-3w2w","Warn: Project is vulnerable to: GHSA-57j2-w4cx-62h2","Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff","Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4","Warn: Project is vulnerable to: GHSA-3f7h-mf4q-vrm4","Warn: Project is vulnerable to: GHSA-4jrv-ppp4-jm57","Warn: Project is vulnerable to: GHSA-g5vf-v6wf-7w2r","Warn: Project is vulnerable to: GHSA-77rm-9x9h-xj3g","Warn: Project is vulnerable to: GHSA-wrvw-hg22-4m67","Warn: Project is vulnerable to: GHSA-9vjp-v76f-g363","Warn: Project is vulnerable to: GHSA-grg4-wf29-r9vv","Warn: Project is vulnerable to: GHSA-cqqj-4p63-rrmm","Warn: Project is vulnerable to: GHSA-wx5j-54mm-rqqq","Warn: Project is vulnerable to: GHSA-f256-j965-7f32 / GHSA-wm47-8v5p-wjpj","Warn: Project is vulnerable to: GHSA-mm9x-g8pc-w292","Warn: Project is vulnerable to: GHSA-p2v9-g2qv-p635","Warn: Project is vulnerable to: GHSA-7hfm-57qf-j43q","Warn: Project is vulnerable to: GHSA-crv7-7245-f45f","Warn: Project is vulnerable to: GHSA-mc84-pj99-q6hh","Warn: Project is vulnerable to: GHSA-xqfj-vm6h-2x34","Warn: Project is vulnerable to: GHSA-7r82-7xv7-xcpj","Warn: Project is vulnerable to: GHSA-6xx3-rg99-gc3p","Warn: Project is vulnerable to: GHSA-72m5-fvvv-55m6","Warn: Project is vulnerable to: GHSA-2qp4-g3q3-f92w","Warn: Project is vulnerable to: GHSA-3vqj-43w4-2q58","Warn: Project is vulnerable to: GHSA-4jq9-2xhw-jpx7","Warn: Project is vulnerable to: GHSA-gp7f-rwcx-9369","Warn: Project is vulnerable to: GHSA-m72m-mhq2-9p6c"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]}