github-actions[bot] commented on PR #213: URL: https://github.com/apache/incubator-hugegraph-ai/pull/213#issuecomment-2815906553
<h1>Dependency Review</h1>
<p>The following issues were found:</p>
<ul>
<li>❌ 1 vulnerable package(s)</li>
<li>✅ 0 package(s) with incompatible licenses</li>
<li>✅ 0 package(s) with invalid SPDX license definitions</li>
<li>⚠️ 1 package(s) with unknown licenses.</li>
</ul>
<p>See the Details below.</p>
<h2>Vulnerabilities</h2>
<h4><em>hugegraph-ml/requirements.txt</em></h4>
<table>
<tr><th>Name</th><th>Version</th><th>Vulnerability</th><th>Severity</th></tr>
<tr><td><a href="https://github.com/pytorch/pytorch">torch</a></td><td>2.6.0</td><td><a href="https://github.com/advisories/GHSA-887c-mr87-cxwp">PyTorch Improper Resource Shutdown or Release vulnerability</a></td><td>moderate</td></tr>
<tr><td colspan="2"></td><td><a href="https://github.com/advisories/GHSA-3749-ghw9-m3mg">PyTorch susceptible to local Denial of Service</a></td><td>low</td></tr>
</table>
<h2>License Issues</h2>
<h4><em>hugegraph-ml/requirements.txt</em></h4>
<table>
<tr><th>Package</th><th>Version</th><th>License</th><th>Issue Type</th></tr>
<tr><td><a href="https://github.com/pytorch/pytorch">torch</a></td><td>2.6.0</td><td>Null</td><td>Unknown License</td></tr>
</table>
<blockquote><strong>Denied Licenses</strong>: GPL-3.0, AGPL-1.0, AGPL-3.0, LGPL-2.0, CC-BY-3.0</blockquote>
<h2>OpenSSF Scorecard</h2>
<table>
<tr><th>Package</th><th>Version</th><th>Score</th><th>Details</th></tr>
<tr>
<td><a href="https://github.com/pytorch/pytorch">pip/torch</a></td>
<td>2.6.0</td>
<td>:green_circle: 6.4</td>
<td>
<details>
<summary>Details</summary>
<table>
<tr><th>Check</th><th>Score</th><th>Reason</th></tr>
<tr><td>Binary-Artifacts</td><td>:green_circle: 9</td><td>binaries present in source code</td></tr>
<tr><td>Branch-Protection</td><td>:warning: -1</td><td>internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration</td></tr>
<tr><td>CI-Tests</td><td>:warning: -1</td><td>no pull request found</td></tr>
<tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no badge detected</td></tr>
<tr><td>Code-Review</td><td>:green_circle: 10</td><td>all last 30 commits are reviewed through Prow</td></tr>
<tr><td>Contributors</td><td>:green_circle: 10</td><td>35 different organizations found -- score normalized to 10</td></tr>
<tr><td>Dangerous-Workflow</td><td>:green_circle: 10</td><td>no dangerous workflow patterns detected</td></tr>
<tr><td>Dependency-Update-Tool</td><td>:warning: 0</td><td>no update tool detected</td></tr>
<tr><td>Fuzzing</td><td>:warning: 0</td><td>project is not fuzzed</td></tr>
<tr><td>License</td><td>:green_circle: 10</td><td>license file detected</td></tr>
<tr><td>Maintained</td><td>:green_circle: 10</td><td>30 commit(s) out of 30 and 15 issue activity out of 30 found in the last 90 days -- score normalized to 10</td></tr>
<tr><td>Packaging</td><td>:warning: -1</td><td>no published package detected</td></tr>
<tr><td>Pinned-Dependencies</td><td>:warning: -1</td><td>internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration</td></tr>
<tr><td>SAST</td><td>:warning: 0</td><td>no SAST tool detected</td></tr>
<tr><td>Security-Policy</td><td>:green_circle: 10</td><td>security policy file detected</td></tr>
<tr><td>Signed-Releases</td><td>:warning: 0</td><td>0 out of 5 artifacts are signed -- score normalized to 0</td></tr>
<tr><td>Token-Permissions</td><td>:warning: -1</td><td>internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration</td></tr>
<tr><td>Vulnerabilities</td><td>:green_circle: 10</td><td>no vulnerabilities detected</td></tr>
<tr><td>Webhooks</td><td>:warning: -1</td><td>check is not supported for this request: SCORECARD_V6 is not set, not running the Webhook check</td></tr>
</table>
</details>
</td>
</tr>
</table>
<h2>Scanned Files</h2>
<ul>
<li>hugegraph-ml/requirements.txt</li>
</ul>
<!-- dependency-review-pr-comment-marker -->
-- This is an automated message from the Apache Git Service.
