{"id":15565571,"url":"https://github.com/jelmer/upstream-ontologist","last_synced_at":"2026-04-10T11:06:53.127Z","repository":{"id":41972207,"uuid":"319801426","full_name":"jelmer/upstream-ontologist","owner":"jelmer","description":"discover information about upstream projects","archived":false,"fork":false,"pushed_at":"2026-04-09T13:59:01.000Z","size":3077,"stargazers_count":19,"open_issues_count":8,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-04-09T15:09:03.052Z","etag":null,"topics":["ontology","upstream"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jelmer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"jelmer"}},"created_at":"2020-12-09T00:55:16.000Z","updated_at":"2026-04-09T13:05:33.000Z","dependencies_parsed_at":"2024-02-10T23:25:24.271Z","dependency_job_id":"0fa08661-80f6-4ddb-b039-d5a552299476","html_url":"https://github.com/jelmer/upstream-ontologist","commit_stats":{"total_commits":635,"total_committers":6,"mean_commits":"105.83333333333333","dds":"0.015748031496062964","last_synced_commit":"8a726a3bc9b7c792b87b399145860f9921b9a7a4"},"previous_names":[],"tags_count":115,"template":false,"template_full_name":null,"purl":"pkg:github/jelmer/upstream-ontologist","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jelmer%2Fupstrea
m-ontologist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jelmer%2Fupstream-ontologist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jelmer%2Fupstream-ontologist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jelmer%2Fupstream-ontologist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jelmer","download_url":"https://codeload.github.com/jelmer/upstream-ontologist/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jelmer%2Fupstream-ontologist/sbom","scorecard":{"id":514758,"data":{"date":"2025-08-11","repo":{"name":"github.com/jelmer/upstream-ontologist","commit":"103a1c407603edbb42f8ed9dbf50c631681155dd"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.1,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/auto-merge.yaml:6","Warn: no topLevel permission defined: .github/workflows/cargo-publish.yaml:1","Warn: no topLevel permission defined: .github/workflows/disperse.yml:1","Warn: no topLevel permission defined: .github/workflows/rust.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/4 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-merge.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/auto-merge.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cargo-publish.yaml:15: update your 
workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/cargo-publish.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cargo-publish.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/cargo-publish.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/disperse.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/disperse.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/disperse.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/disperse.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/rust.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/jelmer/upstream-ontologist/rust.yml/master?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/rust.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/rust.yml:30","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST 
tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: RUSTSEC-2021-0139","Warn: Project is vulnerable to: RUSTSEC-2019-0036 / RUSTSEC-2020-0036 / GHSA-jq66-xh47-j9f3 / GHSA-r98r-j25q-rmpr","Warn: Project is vulnerable to: RUSTSEC-2025-0021 / GHSA-2frx-2596-x5r6","Warn: Project is vulnerable to: RUSTSEC-2025-0047 / GHSA-qx2v-8332-m4fv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T01:32:22.614Z","repository_id":41972207,"created_at":"2025-08-20T01:32:22.615Z","updated_at":"2025-08-20T01:32:22.615Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31639526,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-10T07:40:12.752Z","status":"ssl_error","status_checked_at":"2026-04-10T07:40:11.664Z","response_time":98,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ontology","upstream"],"created_at":"2024-10-02T16:59:22.591Z","updated_at":"2026-04-10T11:06:53.108Z","avatar_url":"https://github.com/jelmer.png","language":"Rust","funding_links":["https://github.com/sponsors/jelmer"],"categories":[],"sub_categories":[],"readme":"Upstream Ontologist\n===================\n\nThe upstream ontologist provides a common interface for finding metadata about\nupstream software projects.\n\nIt will gather information from any sources available, prioritize data that it\nhas higher confidence in as well as report the confidence for each of the\nbits of metadata.\n\nThe ontologist originated in Debian and the currently reported metadata fields\nare loosely based on [DEP-12](https://dep-team.pages.debian.net/deps/dep12),\nbut it is meant to be distribution-agnostic.\n\nProvided Fields\n---------------\n\nStandard fields:\n\n* ``Name``: human name of the upstream project\n* ``Contact``: contact address of some sort of the upstream\n  (e-mail, mailing list URL)\n* ``Repository``: VCS URL\n* ``Repository-Browse``: Web URL for viewing the VCS\n* ``Bug-Database``: Bug database URL (for web viewing, generally)\n* ``Bug-Submit``: URL to use to submit new bugs (either on the web or an e-mail address)\n* ``Screenshots``: List of URLs with screenshots\n* ``Archive``: Archive used - e.g. 
SourceForge\n* ``Security-Contact``: e-mail or URL with instructions for reporting security issues\n* ``Documentation``: Link to documentation on the web\n* ``Changelog``: URL to the changelog\n* ``FAQ``: URL to the FAQ\n* ``Donation``: URL to a donation page\n* ``Funding``: List of sources of funding for the project\n\nExtensions for upstream-ontologist, not defined in DEP-12:\n\n* ``SourceForge-Project``: SourceForge project name\n* ``Wiki``: Wiki URL\n* ``Summary``: one-line description of the project\n* ``Description``: longer description of the project\n* ``License``: Single line license (e.g. \"GPL 2.0\")\n* ``Copyright``: List of copyright holders\n* ``Version``: Current upstream version\n* ``Security-MD``: URL to markdown file with security policy\n* ``Author``: List of people who contributed to the project\n* ``Maintainer``: The maintainer of the project\n* ``Homepage``: homepage URL (present in ``debian/control`` in Debian packages)\n\nSupported Data Sources\n----------------------\n\nAt the moment, the ontologist can read metadata from the following upstream\ndata sources:\n\n* Python package metadata (PKG-INFO, setup.py, setup.cfg, pyproject.toml)\n* [package.json](https://docs.npmjs.com/cli/v7/configuring-npm/package-json)\n* [composer.json](https://getcomposer.org/doc/04-schema.md)\n* [package.xml](https://pear.php.net/manual/en/guide.developers.package2.dependencies.php)\n* Perl package metadata (dist.ini, META.json, META.yml, Makefile.PL)\n* [Perl POD files](https://perldoc.perl.org/perlpod)\n* GNU configure files\n* [R DESCRIPTION files](https://r-pkgs.org/description.html)\n* [Rust Cargo.toml](https://doc.rust-lang.org/cargo/reference/manifest.html)\n* [Maven pom.xml](https://maven.apache.org/pom.html)\n* [metainfo.xml](https://www.freedesktop.org/software/appstream/docs/chap-Metadata.html)\n* [.git/config](https://git-scm.com/docs/git-config)\n* SECURITY.md\n* [DOAP](https://github.com/ewilderj/doap)\n* [Haskell cabal 
files](https://cabal.readthedocs.io/en/3.4/cabal-package.html)\n* [go.mod](https://golang.org/doc/modules/gomod-ref)\n* [ruby gemspec files](https://guides.rubygems.org/specification-reference/)\n* [nuspec files](https://docs.microsoft.com/en-us/nuget/reference/nuspec)\n* [OPAM files](https://opam.ocaml.org/doc/Manual.html#Package-definitions)\n* Debian packaging metadata\n  (debian/watch, debian/control, debian/rules, debian/get-orig-source.sh,\n  debian/copyright, debian/patches)\n* Dart's [pubspec.yaml](https://dart.dev/tools/pub/pubspec)\n* meson.build\n\nIt will also scan README and INSTALL for possible upstream repository URLs\n(and will attempt to verify that those match the local repository).\n\nIn addition to local files, it can also consult external directories\nusing their APIs:\n\n* [GitHub](https://github.com/)\n* [SourceForge](https://sourceforge.net/)\n* [repology](https://www.repology.org/)\n* [Launchpad](https://launchpad.net/)\n* [PECL](https://pecl.php.net/)\n* [AUR](https://aur.archlinux.org/)\n\nExample Usage\n-------------\n\nThe easiest way to use the upstream ontologist is by invoking the\n``guess-upstream-metadata`` command in a software project:\n\n```console\n$ guess-upstream-metadata ~/src/dulwich\nSecurity-MD: https://github.com/dulwich/dulwich/tree/HEAD/SECURITY.md\nName: dulwich\nVersion: 0.20.15\nBug-Database: https://github.com/dulwich/dulwich/issues\nRepository: https://www.dulwich.io/code/\nSummary: Python Git Library\nBug-Submit: https://github.com/dulwich/dulwich/issues/new\n```\n\nAlternatively, there is a Python API as part of the [upstream\\_ontologist\nPython package](https://pypi.org/project/upstream-ontologist/). 
There are also\n``autocodemeta`` and ``autodoap`` commands that\ncan generate output in the [codemeta](https://codemeta.github.io/) and\n[DOAP](https://github.com/ewilderj/doap) formats, respectively.\n\nReporting bugs\n--------------\n\nWhen reporting bugs, please include the observed output of the ``guess-upstream-metadata``\ncommand, the version of the upstream-ontologist package you are using, what\noutput you were expecting, and ideally the location of the upstream source code\nyou are using (e.g. a URL to a Git repository).\n\nIf there are additional metadata fields you would like to see supported, please\nlet us know - either with or without a patch.\n\nSimilarly, if you have a new data source you would like to see supported, please\nfile a bug and we can discuss how to add it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjelmer%2Fupstream-ontologist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjelmer%2Fupstream-ontologist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjelmer%2Fupstream-ontologist/lists"}