Closed
Description
Expected behavior
Because of the presence of https://github.com/revanite-io/example-osps-baseline-level-1/blob/main/pyproject.toml and https://github.com/revanite-io/example-osps-baseline-level-1/blob/main/uv.lock I'd expect the control to pass.
Observed behavior
The result of the control is:
- requirement-id: OSPS-QA-02.01
  applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
  description: When the package management system supports it, the source code repository MUST contain a dependency list that accounts for the direct language dependencies.
  result: Failed
  message: No dependency manifests found in the repository by the GitHub API
  steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.verifyDependencyManagement
  steps-executed: 1
  start: "2025-09-21T13:44:08-04:00"

Note the message: No dependency manifests found in the repository by the GitHub API. This is happening because the GraphQL API request made to check for dependency management https://github.com/revanite-io/pvtr-github-repo/blob/main/data/graphql-dependency-manifests.go#L10 depends on the GitHub repository having explicitly enabled the dependency graph feature and this repository has not yet enabled that setting, see:
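
Added example, not part of the original issue and not code from pvtr-github-repo: a sketch of how an evaluation could treat a zero count from the dependency graph API as ambiguous and fall back to checking the repository file listing. The function names, the manifest name list, and the result messages are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
)

// knownManifests is a small, non-exhaustive sample of dependency manifest and
// lock file names (an assumption for this example, not the project's list).
var knownManifests = map[string]bool{
	"pyproject.toml": true, "uv.lock": true, "requirements.txt": true,
	"go.mod": true, "package.json": true, "Cargo.toml": true,
	"pom.xml": true, "Gemfile": true,
}

// findManifests returns the paths whose base name is a known manifest name.
func findManifests(paths []string) []string {
	var found []string
	for _, p := range paths {
		if knownManifests[path.Base(p)] {
			found = append(found, p)
		}
	}
	return found
}

// evaluateQA0201 is a hypothetical evaluation of OSPS-QA-02.01. apiCount is the
// manifest count reported by the dependency graph API; tree is the list of
// file paths in the repository.
func evaluateQA0201(apiCount int, tree []string) (result, message string) {
	if apiCount > 0 {
		return "Passed", fmt.Sprintf("%d dependency manifests reported by the GitHub API", apiCount)
	}
	// Zero from the API is ambiguous: the dependency graph may be disabled.
	if found := findManifests(tree); len(found) > 0 {
		return "Passed", fmt.Sprintf("dependency graph reported none, but found in tree: %v", found)
	}
	return "Failed", "No dependency manifests found by the GitHub API or in the file tree"
}

func main() {
	// Constructed file listing modeled on the example repository in the issue.
	tree := []string{"README.md", "pyproject.toml", "uv.lock", "src/app/main.py"}
	fmt.Println(evaluateQA0201(0, tree))
	fmt.Println(evaluateQA0201(0, []string{"README.md"}))
}
```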
