BUG: Dividing Integers by Integers Leads to Incorrect Score Calculation

[jspeed-meyers]

In issue #22, it was pointed out that:

Package version score does not correspond to the % of package versions found? Am I misunderstanding what the correlation should be? If 97% have versions then shouldn't the package version score be higher?

After some testing, the bug seems to be here:

sbom-scorecard/pkg/spdx/spdx_report.go

Lines 74 to 84 in c3d4dd8

	func (r *SpdxReport) PackageVersions() scorecard.ReportValue {
	if r.totalPackages == 0 {
	return scorecard.ReportValue{
	Ratio: 0,
	Reasoning: "No packages",
	}
	}
	return scorecard.ReportValue{
	Ratio: float32(r.hasPackVer / r.totalPackages),
	}
	}

Line 82 should be:

Ratio: float32(r.hasPackVer)  / float32(r.totalPackages),

Dividing an integer by an integer leads to zero, which is not the intended behavior, IIUC.

Here is a small snippet of Go code (in the Go Playground) explaining this bug: https://go.dev/play/p/gybFsSduxZa

Proposal: Fix all Ratio: lines to use the proper division in which both numbers are converted to a float32. This fix will encompass more than just the "package version" logic. I'm glad to put in a PR. Just LMK.

[justinabrahms]

PR welcome, @jspeed-meyers. Thanks for the debugging.