
✨ Add experimental Changelog check#5017

Open

kehoecj wants to merge 3 commits into ossf:main from kehoecj:add-changelog-check

Conversation

@kehoecj

@kehoecj kehoecj commented Apr 13, 2026

What kind of change does this PR introduce?

Feature — a new experimental Changelog check.

What is the current behavior?

Scorecard has no check for whether a project maintains a changelog or descriptive release notes. There is no measurement for OSPS-BR-04 compliance ("all releases MUST provide a descriptive log of functional and security modifications").

What is the new behavior (if this is a feature change)?

A new experimental Changelog check with two scoring paths:

Path A — Changelog file exists (max 10/10):

  • 3 points for having a changelog file (CHANGELOG, CHANGES, NEWS, HISTORY, RELEASE-NOTES, or RELEASE_NOTES with .md, .txt, .rst, .adoc extensions)
  • Up to 7 points proportional to how many of the last 5 releases have corresponding version entries with substantive content in the changelog file

Path B — No changelog file, but releases have notes (max 10/10):

  • Up to 10 points proportional to how many of the last 5 releases have substantive body text (GitHub/GitLab release notes)
  • Auto-generated boilerplate (e.g. **Full Changelog** links) is excluded

Neither: Inconclusive

Version entries in changelog files are validated for substantive content — empty headers or headers with only sub-headers do not count.

Gated behind SCORECARD_EXPERIMENTAL like SBOM and Webhooks.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4824

Special notes for your reviewer

This PR includes a small infrastructure change: a Body field added to clients.Release, mapped from GitHub's GetBody() and GitLab's Description. This is a one-line addition to each client with no behavioral change to existing checks — the field is only read by the new Changelog check.

Known limitations:

  • Release body boilerplate filtering only covers GitHub's **Full Changelog** pattern. GitLab and other tool-generated boilerplate may pass through.
  • Local repos (--local) cannot evaluate release coverage since ListReleases is unsupported for the local client.
  • Version extraction uses heuristics across common formats (Keep a Changelog, GNU NEWS, Python RST, Apache). Unconventional formats may not be detected.
  • Only the first changelog file is parsed if multiple exist.

The version parsing is intentionally heuristic-based and may need refinement as the check gets real-world usage, which is what the experimental lifecycle is for.

Does this PR introduce a user-facing change?

Add experimental Changelog check that evaluates whether a project maintains descriptive logs of changes for its releases.

Add a new experimental Changelog check that evaluates whether a project
maintains descriptive logs of changes for its releases, aligning with
OSPS-BR-04 requirements.

The check supports two scoring paths:

Path A - Changelog file exists (max 10/10):
  - 3 points for having a changelog file (CHANGELOG, CHANGES, NEWS,
    HISTORY, RELEASE-NOTES, or RELEASE_NOTES with common extensions)
  - Up to 7 points proportional to how many of the last 5 releases
    have corresponding version entries with substantive content

Path B - No file, but releases have notes (max 10/10):
  - Up to 10 points proportional to how many of the last 5 releases
    have substantive body text (GitHub/GitLab release notes)
  - Auto-generated boilerplate (e.g. Full Changelog links) is excluded

If neither a changelog file nor releases are found, the check returns
inconclusive.

Infrastructure changes:
  - Add Body field to clients.Release struct
  - Map GetBody() in GitHub client and Description in GitLab client

New probes:
  - hasChangelogFile: detects changelog files at the repo root
  - releasesHaveChangelog: checks release documentation coverage

Gated behind SCORECARD_EXPERIMENTAL like SBOM and Webhooks.

Fixes: ossf#4824
Signed-off-by: Clayton Kehoe <clayton.j.kehoe@boeing.com>
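The two scoring paths described above, as an added illustration written for this page rather than the PR's own code: it models a Release with the Body field the PR adds, filters GitHub's "**Full Changelog**" boilerplate, treats a version heading with only sub-headers as empty, and applies the 3 + 7 / 10 point split over the last five releases. The version regex, the "newest first" ordering, integer division for the proportional points, and the 3-point result for a file with no releases are assumptions; the sample changelog and releases are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Release carries the two fields the check reads: the tag and the release
// notes body (GitHub body / GitLab description).
type Release struct {
	TagName string
	Body    string
}

const (
	maxReleases     = 5  // only the most recent releases are scored
	filePoints      = 3  // Path A: points for the changelog file existing
	coveragePointsA = 7  // Path A: points for release coverage in the file
	coveragePointsB = 10 // Path B: points for release-notes coverage
	inconclusive    = -1 // neither a file nor releases: inconclusive
)

var (
	// Assumed heuristic version extractor (the PR uses its own format heuristics).
	versionRe = regexp.MustCompile(`v?(\d+\.\d+(?:\.\d+)?)`)
	// Auto-generated boilerplate line: GitHub's "**Full Changelog**" link.
	boilerplateRe = regexp.MustCompile(`(?i)^\*\*full changelog\*\*`)
)

// isSubstantive reports whether release-notes text has content beyond
// headings, blank lines and boilerplate.
func isSubstantive(body string) bool {
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || boilerplateRe.MatchString(line) {
			continue
		}
		return true
	}
	return false
}

// changelogEntries maps each "## <version>" heading of a Keep-a-Changelog style
// file to whether its section holds substantive content; a heading followed
// only by sub-headings such as "### Added" counts as empty.
func changelogEntries(changelog string) map[string]bool {
	entries := map[string]bool{}
	current := ""
	for _, line := range strings.Split(changelog, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "## ") {
			current = "" // headings without a version (e.g. Unreleased) end the previous entry
			if m := versionRe.FindStringSubmatch(trimmed); m != nil {
				current = m[1]
				entries[current] = false
			}
			continue
		}
		if current == "" || trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		entries[current] = true
	}
	return entries
}

// Score applies the two paths; releases are assumed to be ordered newest first.
func Score(hasFile bool, changelog string, releases []Release) int {
	if len(releases) > maxReleases {
		releases = releases[:maxReleases]
	}
	switch {
	case !hasFile && len(releases) == 0:
		return inconclusive
	case hasFile: // Path A
		entries := changelogEntries(changelog)
		covered := 0
		for _, r := range releases {
			if m := versionRe.FindStringSubmatch(r.TagName); m != nil && entries[m[1]] {
				covered++
			}
		}
		if len(releases) == 0 {
			return filePoints // assumption: nothing to cover, file points only
		}
		return filePoints + coveragePointsA*covered/len(releases)
	default: // Path B
		covered := 0
		for _, r := range releases {
			if isSubstantive(r.Body) {
				covered++
			}
		}
		return coveragePointsB * covered / len(releases)
	}
}

// Constructed sample inputs (not taken from any real project).
const sampleChangelog = `# Changelog
## [Unreleased]
### Added
## [1.2.0] - 2026-04-01
### Security
- Reject archive entries that escape the extraction directory
## [1.1.0] - 2026-03-01
### Changed
## [1.0.0] - 2026-02-01
- Initial release
`

var sampleReleasesA = []Release{{TagName: "v1.2.0"}, {TagName: "v1.1.0"}, {TagName: "v1.0.0"}}

var sampleReleasesB = []Release{
	{TagName: "v2.0.0", Body: "**Full Changelog**: https://example.invalid/compare/v1.9.0...v2.0.0"},
	{TagName: "v1.9.0", Body: "## What's Changed\n- Bump dependencies\n\n**Full Changelog**: https://example.invalid/compare/v1.8.0...v1.9.0"},
	{TagName: "v1.8.0", Body: ""},
}

func main() {
	fmt.Println("Path A:", Score(true, sampleChangelog, sampleReleasesA))  // 7: 3 + 7*2/3
	fmt.Println("Path B:", Score(false, "", sampleReleasesB))              // 3: 10*1/3
	fmt.Println("Neither:", Score(false, "", nil))                         // -1
}
```

In the Path A sample, 1.1.0 has a "### Changed" sub-heading and nothing else, so only two of the three releases count as covered; in Path B, the release whose body is nothing but a "**Full Changelog**" link and the release with an empty body are both excluded, which is the boilerplate rule the PR describes.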
@kehoecj kehoecj marked this pull request as ready for review April 13, 2026 18:03
@kehoecj kehoecj requested a review from a team as a code owner April 13, 2026 18:03
@kehoecj kehoecj requested review from jeffmendoza and spencerschrock and removed request for a team April 13, 2026 18:03
@dosubot dosubot Bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Apr 13, 2026
@github-actions

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions Bot added the Stale label Apr 24, 2026

Development

Successfully merging this pull request may close these issues.

Feature: New Check: Check if the project has and maintains a CHANGELOG

1 participant