Review Scorecard Data - Add additional fields?

[scovetta]

These are the fields currently available in the scorecard data extract. All values are boolean (true/false).

Currently in Use

• openssf.scorecard.raw.active
• openssf.scorecard.raw.ci-tests
• openssf.scorecard.raw.code-review
• openssf.scorecard.raw.contributors
• openssf.scorecard.raw.frozen-deps
• openssf.scorecard.raw.fuzzing
• openssf.scorecard.raw.packaging
• openssf.scorecard.raw.pull-requests
• openssf.scorecard.raw.sast
• openssf.scorecard.raw.security-policy
• openssf.scorecard.raw.signed-releases
• openssf.scorecard.raw.signed-tags

Available, but not used right now:

• openssf.scorecard.raw.automatic-dependency-update
• openssf.scorecard.raw.cii-best-practices
• openssf.scorecard.raw.token-permissions

I think we pulled cii-best-practices out since we already have that data direct, but should we include the other two?

[dilanbhalla]

As a follow up to this, we have several unused metrics in the criticality and best-practices data. Thoughts on which should be included?

Unused metrics in criticality:

• Commit frequency
• Closed issues count
• Updated issues count
• Comment frequency
• Org count (however already “multiple orgs” metric exists under scorecard)

There are many unused metrics in best-practices. Here are just a few (the entire list can be found at https://bestpractices.coreinfrastructure.org/en/projects/1):

• Automated test suite
• Publicly known vulnerabilities fixed
• New functionality testing