Summary
Scorecard's Dependency-Update-Tool check returns score 0 when the dependency-update config file (e.g. renovate.json) is marked export-ignore in .gitattributes, even when the file is present and valid at the repository root.
Root cause
clients/githubrepo/tarball.go (getTarball) downloads the repo via GitHub's /tarball/<ref> endpoint, which honors .gitattributes export-ignore. The downstream check uses OnAllFilesDo (checks/fileparser/listing.go) which iterates only repoClient.ListFiles(...) — i.e., only files present in the tarball. The switch strings.ToLower(name) in checks/raw/dependency_update_tool.go:76 therefore never matches the excluded config, raw.DependencyUpdateToolResults.Tools stays empty, and evaluation.DependencyUpdateTool returns CreateMinScoreResult (score 0).
Repro
- Repo: github.com/wnstify/docker, commit 6bdb2ba
- Scorecard version: v5.3.0 (via ossf/scorecard-action@v2.4.3)
- .gitattributes line: renovate.json export-ignore
- renovate.json is present at repo root, valid JSON, with the standard $schema reference
- Tarball at https://api.github.com/repos/wnstify/docker/tarball/6bdb2ba returns 69 files; git ls-tree -r returns 87. The 18 missing files all match export-ignore patterns.
- Expected: Dependency-Update-Tool score 10 (renovate.json detected)
- Actual: Dependency-Update-Tool score 0 ("no update tool detected")
Possibly broader scope
This appears to affect any check using OnAllFilesDo over a tarball, since export-ignore exclusion is honored by GitHub's /tarball/ endpoint. Worth an audit by maintainers — I haven't enumerated which other checks share this code path.
Suggested fix
Either:
- (a) Fall back to the git trees API (/repos/<owner>/<repo>/git/trees/<sha>?recursive=1) when a known-name dependency-update config file is missing from the tarball, OR
- (b) Document export-ignore as an incompatibility in the check's docs and the README, so users don't silently lose detection.
Workaround
Remove <config-file> export-ignore from .gitattributes. Trade-off: the file appears in release tarballs (typically ~4 KB).
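To make the root cause above concrete, and to give maintainers of a repository a way to catch the workaround condition before Scorecard runs, here is an added example (not Scorecard's own code, and not taken from the wnstify/docker repository) that models what GitHub's /tarball/ endpoint does: it parses the export-ignore patterns from .gitattributes, computes which files of the git tree survive into the tarball, and reports any known dependency-update config that is present in the tree but would be missing from the tarball. The matching is a simplified form of gitattributes pattern semantics, and the list of config names beyond renovate.json is an assumption about what Scorecard matches, not something stated on this page; the sample tree and .gitattributes are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// knownConfigs are the dependency-update config paths this example looks for.
// renovate.json comes from the report; the other names are assumed here and
// are not taken from the page.
var knownConfigs = []string{
	"renovate.json",
	".github/renovate.json",
	".github/dependabot.yml",
	".github/dependabot.yaml",
}

// parseExportIgnore extracts the pattern of every .gitattributes line that
// carries the export-ignore attribute; comments and blank lines are skipped.
func parseExportIgnore(gitattributes string) []string {
	var patterns []string
	sc := bufio.NewScanner(strings.NewReader(gitattributes))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		for _, attr := range fields[1:] {
			if attr == "export-ignore" {
				patterns = append(patterns, fields[0])
				break
			}
		}
	}
	return patterns
}

// matchesExportIgnore applies simplified gitattributes matching: a pattern
// without a slash is matched against the basename at any depth; a pattern
// containing a slash is anchored at the repository root (a leading "/" is
// dropped), and a trailing-slash form such as "docs/" excludes everything
// under that directory.
func matchesExportIgnore(pattern, file string) bool {
	pattern = strings.TrimPrefix(pattern, "/")
	if !strings.Contains(pattern, "/") {
		ok, _ := path.Match(pattern, path.Base(file))
		return ok
	}
	if ok, _ := path.Match(pattern, file); ok {
		return true
	}
	dir := strings.TrimSuffix(pattern, "/")
	return strings.HasPrefix(file, dir+"/")
}

// tarballView returns the subset of tree files the /tarball/ endpoint would
// keep, i.e. those not matched by any export-ignore pattern.
func tarballView(tree []string, patterns []string) []string {
	var kept []string
	for _, f := range tree {
		excluded := false
		for _, p := range patterns {
			if matchesExportIgnore(p, f) {
				excluded = true
				break
			}
		}
		if !excluded {
			kept = append(kept, f)
		}
	}
	return kept
}

// hiddenConfigs reports dependency-update configs that exist in the git tree
// but would be absent from the tarball: exactly the state in which a
// tarball-based check never sees the file and scores 0.
func hiddenConfigs(tree []string, gitattributes string) []string {
	kept := make(map[string]bool)
	for _, f := range tarballView(tree, parseExportIgnore(gitattributes)) {
		kept[f] = true
	}
	inTree := make(map[string]bool)
	for _, f := range tree {
		inTree[f] = true
	}
	var hidden []string
	for _, c := range knownConfigs {
		if inTree[c] && !kept[c] {
			hidden = append(hidden, c)
		}
	}
	return hidden
}

func main() {
	// Constructed sample tree and .gitattributes, modelled on the report.
	tree := []string{"Dockerfile", "renovate.json", ".gitattributes", ".github/workflows/ci.yml", "docs/README.md"}
	attrs := "renovate.json export-ignore\ndocs/ export-ignore\n"
	kept := tarballView(tree, parseExportIgnore(attrs))
	fmt.Printf("tarball would contain %d of %d files\n", len(kept), len(tree))
	for _, c := range hiddenConfigs(tree, attrs) {
		fmt.Printf("WARNING: %s is export-ignore'd; a tarball-based check will not see it\n", c)
	}
}
```

Running this against a real checkout means feeding it the output of git ls-tree -r --name-only HEAD and the contents of .gitattributes; an empty result from hiddenConfigs is the condition the Workaround section above restores by deleting the export-ignore line.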