{"id":34108757,"url":"https://github.com/fedora-static-analysis/firehose","last_synced_at":"2026-03-17T20:13:31.307Z","repository":{"id":6414901,"uuid":"7653260","full_name":"fedora-static-analysis/firehose","owner":"fedora-static-analysis","description":"Interchange format for results for static analysis tools","archived":false,"fork":false,"pushed_at":"2024-04-27T10:34:42.000Z","size":303,"stargazers_count":63,"open_issues_count":8,"forks_count":18,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-12-17T01:47:49.784Z","etag":null,"topics":["file-format","python","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fedora-static-analysis.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-01-16T20:29:01.000Z","updated_at":"2023-11-29T08:59:37.000Z","dependencies_parsed_at":"2025-09-08T12:47:08.028Z","dependency_job_id":"8a1c6462-4788-4019-aed5-24a76ffd6c08","html_url":"https://github.com/fedora-static-analysis/firehose","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/fedora-static-analysis/firehose","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedora-static-analysis%2Ffirehose","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedora-static-analysis%2Ffirehose/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedora-static-analysis%2Ffirehose/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedora-static-analysis%2Ffirehose/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fedora-static-analysis","download_url":"https://codeload.github.com/fedora-static-analysis/firehose/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedora-static-analysis%2Ffirehose/sbom","scorecard":{"id":395467,"data":{"date":"2025-08-11","repo":{"name":"github.com/fedora-static-analysis/firehose","commit":"b7b950508f8f13aefc231d465f87695494cc235a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/23 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2013-22 / GHSA-27x4-j476-jp5f","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: GHSA-cx63-2mw6-8hw5","Warn: Project is vulnerable to: PYSEC-2022-43012 / GHSA-r9hx-vwmv-q579"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":-1,"reason":"internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e502 Bad Gateway\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e502 Bad Gateway\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\\r\\n\u003c/body\u003e\\r\\n\u003c/html\u003e\\r\\n\"","details":null,"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T18:53:17.867Z","repository_id":6414901,"created_at":"2025-08-18T18:53:17.867Z","updated_at":"2025-08-18T18:53:17.867Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30630300,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T17:32:55.572Z","status":"ssl_error","status_checked_at":"2026-03-17T17:32:38.732Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["file-format","python","static-analysis"],"created_at":"2025-12-14T18:21:50.311Z","updated_at":"2026-03-17T20:13:31.299Z","avatar_url":"https://github.com/fedora-static-analysis.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\"firehose\" is a Python package intended for managing the results from\ncode analysis tools (e.g. compiler warnings, static analysis, linters,\netc).\n\nIt currently provides parsers for the output of gcc, clang-analyzer, cppcheck,\nand findbugs.  These parsers convert the results into a common data model of\nPython objects, with methods for lossless roundtrips through a provided\nXML format.  There is also a JSON equivalent.\n\nIt is available on pypi here:\n  https://pypi.python.org/pypi/firehose\n\nand via git from:\n  https://github.com/fedora-static-analysis/firehose\n\nThe mailing list is:\n  https://admin.fedoraproject.org/mailman/listinfo/firehose-devel\n  \nDocumentation can be read here:\n  http://firehose.readthedocs.io/en/latest/\n\nFirehose is Free Software, licensed under the LGPLv2.1 or (at your\noption) any later version.\n\nIt requires Python 2.7 or 3.2 onwards, and has been successfully tested\nwith PyPy.\n\nIt is currently of alpha quality.\n\nThe API and serialization formats are not yet set in stone (and we're\nkeen on hearing feedback before we lock things down more).\n\nMotivation: http://lists.fedoraproject.org/pipermail/devel/2012-December/175232.html\n\nI want to slurp the results from static code analysis into a database,\nwhich means coercing all of the results into some common interchange format,\ncodenamed \"firehose\" (which could also be the name of the database).\n\nThe idea is a common XML format that all tools can emit that:\n  * describes a warning\n  * gives source-code location of the warning: filename, function,\n    line number.\n  * optionally with a `CWE \u003chttp://cwe.mitre.org/about/index.html\u003e`_\n    identifier\n  * potentially with other IDs and URLs, e.g. the ID \"SIG30-C\" with URL\n    https://www.securecoding.cert.org/confluence/display/seccode/SIG30-C.+Call+only+asynchronous-safe+functions+within+signal+handlers\n  * optionally describes code path to get there (potentially\n    interprocedural across source files), potentially with \"state\"\n    annotations (e.g. in the case of a reference-counting bug, it's useful\n    to be able to annotate the changes to the refcount).\n\ntogether with a simple Python API for working with the format as a\ncollection of Python objects (creating, write to XML, read from XML,\nmodification, etc)\n\nI initially considered using JSON, but went with XML because if multiple\ntools are going to emit this, it's good to be able to validate things\nagainst a schema (see\n`firehose.rng \u003chttps://github.com/fedora-static-analysis/firehose/blob/master/firehose.rng\u003e`_,\na RELAX-NG schema).\n\nReferences to source files in the format can include a hash of the source\nfile itself (e.g. SHA-1) so that you can uniquely identify which source file\nyou were talking about.\n\nThis format would be slurped into the DB for the web UI, and can have other\nthings done to it without needing a server:\ne.g.:\n\n  * convert it to the textual form of a gcc compilation error, so that\n    Emacs etc can parse it and take you to the source\n  * be turned into a simple HTML report locally on your workstation\n\nProjects using Firehose:\n\n  * `mock-with-analysis \u003chttps://github.com/fedora-static-analysis/mock-with-analysis\u003e`_\n    can rebuild a source RPM, capturing the results of 4 different code\n    analysis tools in Firehose format (along with all source files that\n    were mentioned in any report).\n  * The `\"firehose\" branch\n    \u003chttp://git.fedorahosted.org/cgit/gcc-python-plugin.git/log/?h=firehose\u003e`_\n    of\n    `cpychecker \u003chttps://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html\u003e`_\n    can natively emit Firehose XML reports\n  * https://github.com/paultag/storz/blob/master/wrappers/storz-lintian\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedora-static-analysis%2Ffirehose","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffedora-static-analysis%2Ffirehose","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedora-static-analysis%2Ffirehose/lists"}