From 0e4f5db4e4a908d8b04af70882f5ade96080f4b8 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Fri, 22 Jul 2022 15:39:59 +0200 Subject: [PATCH 01/22] remove not used workflow (#2089) Signed-off-by: cpanato --- .github/workflows/ok-to-test.yml | 44 -------------------------------- 1 file changed, 44 deletions(-) delete mode 100644 .github/workflows/ok-to-test.yml diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml deleted file mode 100644 index 40adf0c2cdb..00000000000 --- a/.github/workflows/ok-to-test.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# Copyright 2021 Security Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event -name: Ok To Test - -on: - issue_comment: - types: [created] -permissions: - pull-requests: write -jobs: - ok-to-test: - runs-on: ubuntu-latest - # Only run for PRs, not issue comments - if: ${{ github.event.issue.pull_request }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 # v1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@2afb49dbaafaba8005860648bf7fc178637aca0d # v2.1.3 - env: - TOKEN: ${{ steps.generate_token.outputs.token }} - with: - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # PAT or OAuth token will also work - reaction-token: ${{ secrets.GITHUB_TOKEN }} - issue-type: pull-request - commands: ok-to-test - named-args: true - permission: write From 30e3f646e3f2e2d202836b7c060b542a73cb45ec Mon Sep 17 00:00:00 2001 
From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Fri, 22 Jul 2022 18:05:14 -0700 Subject: [PATCH 02/22] =?UTF-8?q?=E2=9C=A8=20Feature:=20Dependency-diff=20?= =?UTF-8?q?API=20optimize:=20var=20re-naming,=20removing=20unused=20JSON?= =?UTF-8?q?=20tags=20(#2090)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * save * save * Update dependencydiff_result.go * save * save * save --- dependencydiff/dependencydiff.go | 71 ++++++++++++++++----------- dependencydiff/dependencydiff_test.go | 4 +- dependencydiff/errors.go | 22 +++++++++ dependencydiff/raw_dependencies.go | 2 +- e2e/dependencydiff_test.go | 38 +++++++------- pkg/dependencydiff_result.go | 29 +++++------ 6 files changed, 98 insertions(+), 68 deletions(-) create mode 100644 dependencydiff/errors.go diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go index 3c18f0cb87e..c4012035d76 100644 --- a/dependencydiff/dependencydiff.go +++ b/dependencydiff/dependencydiff.go @@ -17,12 +17,13 @@ package dependencydiff import ( "context" "fmt" + "strings" "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/checks" "github.com/ossf/scorecard/v4/clients" sce "github.com/ossf/scorecard/v4/errors" - "github.com/ossf/scorecard/v4/log" + sclog "github.com/ossf/scorecard/v4/log" "github.com/ossf/scorecard/v4/pkg" "github.com/ossf/scorecard/v4/policy" ) 
@@ -30,46 +31,54 @@ import ( // Depdiff is the exported name for dependency-diff. const Depdiff = "Dependency-diff" +// A private context struct used for GetDependencyCheckResults. type dependencydiffContext struct { - logger *log.Logger - ownerName, repoName, baseSHA, headSHA string - ctx context.Context - ghRepo clients.Repo - ghRepoClient clients.RepoClient - ossFuzzClient clients.RepoClient - vulnsClient clients.VulnerabilitiesClient - ciiClient clients.CIIBestPracticesClient - changeTypesToCheck map[pkg.ChangeType]bool - checkNamesToRun []string - dependencydiffs []dependency - results []pkg.DependencyCheckResult + logger *sclog.Logger + ownerName, repoName, base, head string + ctx context.Context + ghRepo clients.Repo + ghRepoClient clients.RepoClient + ossFuzzClient clients.RepoClient + vulnsClient clients.VulnerabilitiesClient + ciiClient clients.CIIBestPracticesClient + changeTypesToCheck map[pkg.ChangeType]bool + checkNamesToRun []string + dependencydiffs []dependency + results []pkg.DependencyCheckResult } // GetDependencyDiffResults gets dependency changes between two given code commits BASE and HEAD // along with the Scorecard check results of the dependencies, and returns a slice of DependencyCheckResult. -// TO use this API, an access token must be set following https://github.com/ossf/scorecard#authentication. +// TO use this API, an access token must be set. See https://github.com/ossf/scorecard#authentication. func GetDependencyDiffResults( - ctx context.Context, ownerName, repoName, baseSHA, headSHA string, scorecardChecksNames []string, - changeTypesToCheck map[pkg.ChangeType]bool) ([]pkg.DependencyCheckResult, error) { - // Fetch the raw dependency diffs. + ctx context.Context, + repoURI string, /* Use the format "ownerName/repoName" as the repo URI, such as "ossf/scorecard". */ + base, head string, /* Two code commits base and head, can use either SHAs or branch names. */ + checksToRun []string, /* A list of enabled check names to run. 
*/ + changeTypesToCheck map[pkg.ChangeType]bool, /* A list of change types for which to surface scorecard results. */ +) ([]pkg.DependencyCheckResult, error) { + + logger := sclog.NewLogger(sclog.DefaultLevel) + ownerAndRepo := strings.Split(repoURI, "/") + if len(ownerAndRepo) != 2 { + return nil, fmt.Errorf("%w: repo uri input", errInvalid) + } + owner, repo := ownerAndRepo[0], ownerAndRepo[1] dCtx := dependencydiffContext{ - logger: log.NewLogger(log.InfoLevel), - ownerName: ownerName, - repoName: repoName, - baseSHA: baseSHA, - headSHA: headSHA, + logger: logger, + ownerName: owner, + repoName: repo, + base: base, + head: head, ctx: ctx, changeTypesToCheck: changeTypesToCheck, - checkNamesToRun: scorecardChecksNames, + checkNamesToRun: checksToRun, } + // Fetch the raw dependency diffs. This API will also handle error cases such as invalid base or head. err := fetchRawDependencyDiffData(&dCtx) if err != nil { return nil, fmt.Errorf("error in fetchRawDependencyDiffData: %w", err) } - - if err != nil { - return nil, fmt.Errorf("error in initRepoAndClientByChecks: %w", err) - } err = getScorecardCheckResults(&dCtx) if err != nil { return nil, fmt.Errorf("error getting scorecard check results: %w", err) 
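Review bot: The `len(ownerAndRepo) != 2` guard on the repoURI split still accepts empty components, so inputs such as `/` or `ossf/` pass validation and reach the `path.Join` in fetchRawDependencyDiffData with an empty owner or repo segment; tighten it to `if len(ownerAndRepo) != 2 || ownerAndRepo[0] == "" || ownerAndRepo[1] == "" {`. base and head are forwarded into the same request path without any check (raw_dependencies.go hunk further down), and now that they are documented as possibly being branch names rather than SHAs, rejecting empty values here would keep malformed caller input from turning into an unexpected API path. The per-parameter `/* … */` trailing comments are unconventional in Go; the parameter descriptions belong in the doc comment above the function, where the typo `TO use this API` should also be fixed. The function body continues past the end of the hunk.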
@@ -150,10 +159,12 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error { // If the run fails, we leave the current dependency scorecard result empty and record the error // rather than letting the entire API return nil since we still expect results for other dependencies. if err != nil { - depCheckResult.ScorecardResultsWithError.Error = sce.WithMessage(sce.ErrScorecardInternal, - fmt.Sprintf("error running the scorecard checks: %v", err)) + wrappedErr := sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("scorecard running failed for %s: %v", d.Name, err)) + dCtx.logger.Error(wrappedErr, "") + depCheckResult.ScorecardResultWithError.Error = wrappedErr } else { // Otherwise, we record the scorecard check results for this dependency. - depCheckResult.ScorecardResultsWithError.ScorecardResults = &scorecardResult + depCheckResult.ScorecardResultWithError.ScorecardResult = &scorecardResult } } dCtx.results = append(dCtx.results, depCheckResult) diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go index 768d3dc46a1..4767ff2174f 100644 --- a/dependencydiff/dependencydiff_test.go +++ b/dependencydiff/dependencydiff_test.go @@ -40,8 +40,8 @@ func Test_fetchRawDependencyDiffData(t *testing.T) { ctx: context.Background(), ownerName: "no_such_owner", repoName: "repo_not_exist", - baseSHA: "base", - headSHA: clients.HeadSHA, + base: "main", + head: clients.HeadSHA, }, wantEmpty: true, wantErr: true, diff --git a/dependencydiff/errors.go b/dependencydiff/errors.go new file mode 100644 index 00000000000..0bad31b0db5 --- /dev/null +++ b/dependencydiff/errors.go 
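Review bot: `dCtx.logger.Error(wrappedErr, "")` logs with an empty message, and the same error is then stored in `depCheckResult.ScorecardResultWithError.Error`, so each per-dependency failure is reported twice, once in the log and once to the caller. If the log line is meant to stay, give it a message that identifies the stage rather than an empty string, e.g. `dCtx.logger.Error(wrappedErr, "dependency scorecard run failed")`; the error text already carries d.Name. The enclosing loop and function start and end outside the hunk.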
@@ -0,0 +1,22 @@ +// Copyright 2022 Security Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dependencydiff + +import "errors" + +// static Errors for mapping +var ( + errInvalid = errors.New("invalid") +) diff --git a/dependencydiff/raw_dependencies.go b/dependencydiff/raw_dependencies.go index 519e560217c..de313375e82 100644 --- a/dependencydiff/raw_dependencies.go +++ b/dependencydiff/raw_dependencies.go @@ -58,7 +58,7 @@ func fetchRawDependencyDiffData(dCtx *dependencydiffContext) error { req, err := ghClient.NewRequest( "GET", path.Join("repos", dCtx.ownerName, dCtx.repoName, - "dependency-graph", "compare", dCtx.baseSHA+"..."+dCtx.headSHA), + "dependency-graph", "compare", dCtx.base+"..."+dCtx.head), nil, ) if err != nil { diff --git a/e2e/dependencydiff_test.go b/e2e/dependencydiff_test.go index d0246293537..fa388ba8efd 100644 --- a/e2e/dependencydiff_test.go +++ b/e2e/dependencydiff_test.go 
@@ -26,19 +26,16 @@ import ( ) const ( - OWNER = "ossf-tests" - REPO = "scorecard-depdiff" - BASE = "fd2a82b3b735fffbc2d782ed5f50301b879ecc51" - HEAD = "1989568f93e484f6a86f8b276b170e3d6962ce12" + repoURI = "ossf-tests/scorecard-depdiff" + base = "fd2a82b3b735fffbc2d782ed5f50301b879ecc51" + head = "1989568f93e484f6a86f8b276b170e3d6962ce12" ) var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() { Context("E2E TEST:Validating use of the dependency-diff API", func() { It("Should return a slice of dependency-diff checking results", func() { ctx := context.Background() - ownerName, repoName := OWNER, REPO - baseSHA, headSHA := BASE, HEAD - scorecardChecksNames := []string{ + checksToRun := []string{ checks.CheckBranchProtection, } changeTypesToCheck := map[pkg.ChangeType]bool{ @@ -46,8 +43,9 @@ var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() { } results, err := dependencydiff.GetDependencyDiffResults( ctx, - ownerName, repoName, baseSHA, headSHA, - scorecardChecksNames, + repoURI, + base, head, + checksToRun, changeTypesToCheck, ) Expect(err).Should(BeNil()) @@ -55,10 +53,7 @@ var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() { }) It("Should return a valid empty result", func() { ctx := context.Background() - ownerName, repoName := OWNER, REPO - baseSHA, headSHA := BASE, BASE - - scorecardChecksNames := []string{ + checksToRun := []string{ checks.CheckBranchProtection, } changeTypesToCheck := map[pkg.ChangeType]bool{ @@ -66,8 +61,9 @@ var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() { } results, err := dependencydiff.GetDependencyDiffResults( ctx, - ownerName, repoName, baseSHA, headSHA, - scorecardChecksNames, + repoURI, + base, base, + checksToRun, changeTypesToCheck, ) Expect(err).Should(BeNil()) 
@@ -75,17 +71,17 @@ var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() { }) It("Should initialize clients corresponding to the checks to run and do not crash", func() { ctx := context.Background() - ownerName, repoName := OWNER, REPO - baseSHA, headSHA := BASE, HEAD - - scorecardChecksNames := []string{} + checksToRun := []string{ + checks.CheckFuzzing, + } changeTypesToCheck := map[pkg.ChangeType]bool{ pkg.Removed: true, } _, err := dependencydiff.GetDependencyDiffResults( ctx, - ownerName, repoName, baseSHA, headSHA, - scorecardChecksNames, + repoURI, + base, head, + checksToRun, changeTypesToCheck, ) Expect(err).Should(BeNil()) diff --git a/pkg/dependencydiff_result.go b/pkg/dependencydiff_result.go index 5208d9812ce..74b5b834b93 100644 --- a/pkg/dependencydiff_result.go +++ b/pkg/dependencydiff_result.go 
@@ -44,40 +44,41 @@ func (ct *ChangeType) IsValid() bool { } } -// ScorecardResultsWithError is used for the dependency-diff module to record scorecard results and their errors. -type ScorecardResultsWithError struct { - // ScorecardResults is the scorecard result for the dependency repo. - ScorecardResults *ScorecardResult `json:"scorecardResults"` +// ScorecardResultWithError is used for the dependency-diff module to record the scorecard result +// and a potential error field if the Scorecard run fails. +type ScorecardResultWithError struct { + // ScorecardResult is the scorecard result for the dependency repo. + ScorecardResult *ScorecardResult // Error is an error returned when running the scorecard checks. A nil Error indicates the run succeeded. - Error error `json:"scorecardRunTimeError"` + Error error } // DependencyCheckResult is the dependency structure used in the returned results. type DependencyCheckResult struct { // ChangeType indicates whether the dependency is added, updated, or removed. - ChangeType *ChangeType `json:"changeType"` + ChangeType *ChangeType // Package URL is a short link for a package. - PackageURL *string `json:"packageUrl"` + PackageURL *string // SourceRepository is the source repository URL of the dependency. - SourceRepository *string `json:"sourceRepository"` + SourceRepository *string // ManifestPath is the path of the manifest file of the dependency, such as go.mod for Go. - ManifestPath *string `json:"manifestPath"` + ManifestPath *string // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. - Ecosystem *string `json:"ecosystem"` + Ecosystem *string // Version is the package version of the dependency. - Version *string `json:"version"` + Version *string - // ScorecardResultsWithError is the scorecard checking results of the dependency. 
- ScorecardResultsWithError ScorecardResultsWithError `json:"scorecardResultsWithError"` + // ScorecardResultWithError is the scorecard checking results of the dependency. + ScorecardResultWithError ScorecardResultWithError // Name is the name of the dependency. - Name string `json:"name"` + Name string } // AsJSON for DependencyCheckResult exports the DependencyCheckResult as a JSON object. From e23ee84db0398468a17c41ee9755e0f8ab903e79 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 22 Jul 2022 21:37:17 -0500 Subject: [PATCH 03/22] =?UTF-8?q?=E2=9C=A8=20=20Export=20Scorecards=20resu?= =?UTF-8?q?lts=20for=20API=20(#2081)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * :seedling: Export Scorecards results for API - Exporting the Scorecard results for the scorecard API. - The code exports as result.json without the commit SHA and also with the commit SHA. * Some cleanup and tweaks. * Some cleanup and tweaks. --- clients/githubrepo/client.go | 2 +- clients/localdir/client.go | 2 +- cron/internal/config/config.go | 11 ++++++-- cron/internal/config/config.yaml | 2 ++ cron/internal/config/config_test.go | 21 +++++++++++++-- cron/internal/controller/main.go | 2 +- cron/internal/worker/main.go | 40 +++++++++++++++++++++++++++-- cron/k8s/worker.release.yaml | 2 ++ 8 files changed, 73 insertions(+), 9 deletions(-) diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go index d4706ae492e..c7fef13b6de 100644 --- a/clients/githubrepo/client.go +++ b/clients/githubrepo/client.go 
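Review bot: Removing the `json:"…"` tags changes the marshaled key names of ScorecardResultWithError and DependencyCheckResult (for example `changeType` becomes `ChangeType` and `packageUrl` becomes `PackageURL`) for anything that passes these structs through encoding/json. The AsJSON method named on the hunk's last context line is outside the hunk, so whether it marshals this struct directly cannot be confirmed from here; if it does, this is a breaking change to the API output that the commit title ("removing unused JSON tags") does not acknowledge, and the e2e tests in this commit only assert a nil error, not the serialized shape. If the tags are genuinely unused, a one-line comment on the type stating how DependencyCheckResult is serialized would stop the next reader from re-adding them.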
@@ -180,7 +180,7 @@ func (client *Client) ListStatuses(ref string) ([]clients.Status, error) { return client.statuses.listStatuses(ref) } -//ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages. +// ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages. func (client *Client) ListProgrammingLanguages() ([]clients.Language, error) { return client.languages.listProgrammingLanguages() } diff --git a/clients/localdir/client.go b/clients/localdir/client.go index 7b58ea8d6fd..e8887bf5d2b 100644 --- a/clients/localdir/client.go +++ b/clients/localdir/client.go @@ -219,7 +219,7 @@ func (client *localDirClient) Close() error { } // ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages. -// TODO: add ListProgrammingLanguages support for local directories +// TODO: add ListProgrammingLanguages support for local directories. func (client *localDirClient) ListProgrammingLanguages() ([]clients.Language, error) { return nil, fmt.Errorf("ListProgrammingLanguages: %w", clients.ErrUnsupportedFeature) } diff --git a/cron/internal/config/config.go b/cron/internal/config/config.go index 30b13ee6f68..4f8ec90b8bf 100644 --- a/cron/internal/config/config.go +++ b/cron/internal/config/config.go @@ -47,6 +47,7 @@ const ( blacklistedChecks string = "SCORECARD_BLACKLISTED_CHECKS" bigqueryTable string = "SCORECARD_BIGQUERY_TABLE" resultDataBucketURL string = "SCORECARD_DATA_BUCKET_URL" + apiResultsBucketURL string = "SCORECARD_API_RESULTS_BUCKET_URL" // Raw results. rawBigqueryTable string = "RAW_SCORECARD_BIGQUERY_TABLE" rawResultDataBucketURL string = "RAW_SCORECARD_DATA_BUCKET_URL" @@ -78,6 +79,7 @@ type config struct { // Raw results. RawResultDataBucketURL string `yaml:"raw-result-data-bucket-url"` RawBigQueryTable string `yaml:"raw-bigquery-table"` + ExportResultsBucketURL string `yaml:"export-results-bucket-url"` } func getParsedConfigFromFile(byteValue []byte) (config, error) { 
@@ -120,7 +122,6 @@ func getIntConfigValue(envVar string, byteValue []byte, fieldName, configName st return 0, fmt.Errorf("error getting config value %s: %w", configName, err) } - // nolint: exhaustive switch value.Kind() { case reflect.String: //nolint:wrapcheck @@ -137,7 +138,7 @@ func getFloat64ConfigValue(envVar string, byteValue []byte, fieldName, configNam if err != nil { return 0, fmt.Errorf("error getting config value %s: %w", configName, err) } - // nolint: exhaustive + switch value.Kind() { case reflect.String: //nolint: wrapcheck, gomnd @@ -232,3 +233,9 @@ func GetBlacklistedChecks() ([]string, error) { func GetMetricExporter() (string, error) { return getStringConfigValue(metricExporter, configYAML, "MetricExporter", "metric-exporter") } + +// GetBQExportResultsBucketURL returns the bucket URL for storing cron job results. +func GetBQExportResultsBucketURL() (string, error) { + return getStringConfigValue(apiResultsBucketURL, configYAML, + "ExportResultsBucketURL", "export-results-bucket-url") +} diff --git a/cron/internal/config/config.yaml b/cron/internal/config/config.yaml index 02f8d399cdf..205ee9477f1 100644 --- a/cron/internal/config/config.yaml +++ b/cron/internal/config/config.yaml @@ -29,3 +29,5 @@ result-data-bucket-url: gs://ossf-scorecard-data2 # Raw results. raw-result-data-bucket-url: gs://ossf-scorecard-rawdata raw-bigquery-table: scorecard-rawdata +# export-bucket +export-results-bucket-url: gs://ossf-scorecard-cron-releasetest-results diff --git a/cron/internal/config/config_test.go b/cron/internal/config/config_test.go index aa473f58bca..669eccd30f2 100644 --- a/cron/internal/config/config_test.go +++ b/cron/internal/config/config_test.go 
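Review bot: The getter is named `GetBQExportResultsBucketURL` but nothing about it involves BigQuery: the env var it reads is `SCORECARD_API_RESULTS_BUCKET_URL`, the yaml key is `export-results-bucket-url`, and the worker in this commit uses the value as a GCS blob-store destination; the test is named `TestGetBigQueryExportsBucketURL` on top of that. Naming it after what it is, e.g. `GetAPIResultsBucketURL`, or at least rewording the doc comment to `// GetBQExportResultsBucketURL returns the GCS bucket URL the worker exports per-repo results to for the results API.`, would keep the three names aligned and stop readers from looking for a BigQuery export that does not exist.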
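Review bot: The new default `export-results-bucket-url: gs://ossf-scorecard-cron-releasetest-results` is the value the worker uses whenever `SCORECARD_API_RESULTS_BUCKET_URL` is unset (the config_test hunk in this commit unsets the env var and expects exactly this value), yet the bucket name says release-test while the neighbouring entries in config.yaml are the production buckets. If pointing the production default at the release-test bucket is a deliberate staging step, say so in the comment, e.g. `# API results export bucket (release-test bucket until the results API ships; override with SCORECARD_API_RESULTS_BUCKET_URL)`; otherwise the production bucket belongs here and the release-test one in the worker.release.yaml override only.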
@@ -37,8 +37,9 @@ const ( prodShardSize int = 10 prodMetricExporter string = "stackdriver" // Raw results. - prodRawBucket = "gs://ossf-scorecard-rawdata" - prodRawBigQueryTable = "scorecard-rawdata" + prodRawBucket = "gs://ossf-scorecard-rawdata" + prodRawBigQueryTable = "scorecard-rawdata" + prodBigQueryExportsBucketURL = "gs://ossf-scorecard-cron-releasetest-results" ) func getByteValueFromFile(filename string) ([]byte, error) { @@ -74,6 +75,7 @@ func TestYAMLParsing(t *testing.T) { MetricExporter: prodMetricExporter, RawResultDataBucketURL: prodRawBucket, RawBigQueryTable: prodRawBigQueryTable, + ExportResultsBucketURL: prodBigQueryExportsBucketURL, }, }, @@ -344,3 +346,18 @@ func TestGetMetricExporter(t *testing.T) { } }) } + +//nolint:paralleltest // Since os.Setenv is used. +func TestGetBigQueryExportsBucketURL(t *testing.T) { + t.Run("GetBigQueryExportsBucketURL", func(t *testing.T) { + bigqueryExportsBucketURL := apiResultsBucketURL + os.Unsetenv(bigqueryExportsBucketURL) + bucket, err := GetBQExportResultsBucketURL() + if err != nil { + t.Errorf("failed to get production bucket URL from config: %v", err) + } + if bucket != prodBigQueryExportsBucketURL { + t.Errorf("test failed: expected - %s, got = %s", prodBigQueryExportsBucketURL, bucket) + } + }) +} diff --git a/cron/internal/controller/main.go b/cron/internal/controller/main.go index 7b5ff9d3d83..d80f2ef7425 100644 --- a/cron/internal/controller/main.go +++ b/cron/internal/controller/main.go @@ -133,7 +133,7 @@ func main() { ShardLoc: new(string), CommitSha: new(string), } - *metadata.NumShard = (shardNum + 1) + *metadata.NumShard = shardNum + 1 *metadata.ShardLoc = bucket + "/" + data.GetBlobFilename("", t) *metadata.CommitSha = version.GetVersionInfo().GitCommit metadataJSON, err := protojson.Marshal(&metadata) diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go index e539a8c20a8..689bb9347d1 100644 --- a/cron/internal/worker/main.go +++ b/cron/internal/worker/main.go 
@@ -48,7 +48,7 @@ var ignoreRuntimeErrors = flag.Bool("ignoreRuntimeErrors", false, "if set to tru // nolint: gocognit func processRequest(ctx context.Context, batchRequest *data.ScorecardBatchRequest, - blacklistedChecks []string, bucketURL, rawBucketURL string, + blacklistedChecks []string, bucketURL, rawBucketURL, exportBucketURL string, checkDocs docs.Doc, repoClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, @@ -101,6 +101,7 @@ func processRequest(ctx context.Context, for _, check := range blacklistedChecks { delete(checksToRun, check) } + result, err := pkg.RunScorecards(ctx, repo, commitSHA, checksToRun, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) if errors.Is(err, sce.ErrRepoUnreachable) { 
@@ -128,11 +129,41 @@ func processRequest(ctx context.Context, if err := format.AsJSON2(&result, true /*showDetails*/, log.InfoLevel, checkDocs, &buffer2); err != nil { return fmt.Errorf("error during result.AsJSON2: %w", err) } + // these are for exporting results to GCS for API consumption + var exportBuffer bytes.Buffer + var exportRawBuffer bytes.Buffer + + if err := format.AsJSON2(&result, true /*showDetails*/, log.InfoLevel, checkDocs, &exportBuffer); err != nil { + return fmt.Errorf("error during result.AsJSON2 for export: %w", err) + } + if err := format.AsRawJSON(&result, &exportRawBuffer); err != nil { + return fmt.Errorf("error during result.AsRawJSON for export: %w", err) + } + exportPath := fmt.Sprintf("%s/result.json", repo.URI()) + exportCommitSHAPath := fmt.Sprintf("%s/%s/result.json", repo.URI(), result.Repo.CommitSHA) + exportRawPath := fmt.Sprintf("%s/raw.json", repo.URI()) + exportRawCommitSHAPath := fmt.Sprintf("%s/%s/raw.json", repo.URI(), result.Repo.CommitSHA) // Raw result. if err := format.AsRawJSON(&result, &rawBuffer); err != nil { return fmt.Errorf("error during result.AsRawJSON: %w", err) } + + // These are results without the commit SHA which represents the latest commit. + if err := data.WriteToBlobStore(ctx, exportBucketURL, exportPath, exportBuffer.Bytes()); err != nil { + return fmt.Errorf("error during writing to exportBucketURL: %w", err) + } + // Export result based on commitSHA. + if err := data.WriteToBlobStore(ctx, exportBucketURL, exportCommitSHAPath, exportBuffer.Bytes()); err != nil { + return fmt.Errorf("error during exportBucketURL with commit SHA: %w", err) + } + // Export raw result. 
+ if err := data.WriteToBlobStore(ctx, exportBucketURL, exportRawPath, exportRawBuffer.Bytes()); err != nil { + return fmt.Errorf("error during writing to exportBucketURL for raw results: %w", err) + } + if err := data.WriteToBlobStore(ctx, exportBucketURL, exportRawCommitSHAPath, exportRawBuffer.Bytes()); err != nil { + return fmt.Errorf("error during exportBucketURL for raw results with commit SHA: %w", err) + } } if err := data.WriteToBlobStore(ctx, bucketURL, filename, buffer2.Bytes()); err != nil { @@ -207,6 +238,11 @@ func main() { panic(err) } + exportBucketURL, err := config.GetBQExportResultsBucketURL() + if err != nil { + panic(err) + } + logger := log.NewLogger(log.InfoLevel) repoClient := githubrepo.CreateGithubRepoClient(ctx, logger) ciiClient := clients.BlobCIIBestPracticesClient(ciiDataBucketURL) @@ -242,7 +278,7 @@ func main() { break } if err := processRequest(ctx, req, blacklistedChecks, - bucketURL, rawBucketURL, checkDocs, + bucketURL, rawBucketURL, exportBucketURL, checkDocs, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, logger); err != nil { // TODO(log): Previously Warn. Consider logging an error here. logger.Info(fmt.Sprintf("error processing request: %v", err)) diff --git a/cron/k8s/worker.release.yaml b/cron/k8s/worker.release.yaml index a3b3c69de9e..4812411b86f 100644 --- a/cron/k8s/worker.release.yaml +++ b/cron/k8s/worker.release.yaml @@ -42,6 +42,8 @@ spec: value: "printer" - name: GITHUB_AUTH_SERVER value: "10.4.4.210:80" + - name: "SCORECARD_API_RESULTS_BUCKET_URL" + value: "gs://ossf-scorecard-cron-releasetest-results" resources: requests: memory: 5Gi From 1e3f3251ebb4f463276a6ad518d9f0f16ba11c0a Mon Sep 17 00:00:00 2001 
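Review bot: `exportBuffer` and `exportRawBuffer` are produced by the exact same `format.AsJSON2(&result, true, log.InfoLevel, checkDocs, …)` and `format.AsRawJSON(&result, …)` calls that already fill `buffer2` and `rawBuffer`, so every request now serializes the result twice, and the four export writes sit before the primary `data.WriteToBlobStore(ctx, bucketURL, filename, …)` on the hunk's last line, so a failure writing the secondary API copy aborts the primary cron result write. I would reuse the existing buffers and issue the export writes from a small table after `rawBuffer` is filled, as below; whether they should also move after the primary write depends on the enclosing block, whose opening brace (matched by the ` }` context line before the primary write) is outside the hunk. Worth a comment as well: the SHA-less `result.json`/`raw.json` keys are rewritten on every run, so they reflect whichever worker finished that repo last, not necessarily the newest commit.
```go
	// Raw result.
	if err := format.AsRawJSON(&result, &rawBuffer); err != nil {
		return fmt.Errorf("error during result.AsRawJSON: %w", err)
	}
	// Export copies for API consumption: same payloads as buffer2/rawBuffer,
	// stored once under the repo URI ("latest", overwritten each run) and once
	// under the commit SHA.
	exports := []struct {
		path string
		body []byte
	}{
		{fmt.Sprintf("%s/result.json", repo.URI()), buffer2.Bytes()},
		{fmt.Sprintf("%s/%s/result.json", repo.URI(), result.Repo.CommitSHA), buffer2.Bytes()},
		{fmt.Sprintf("%s/raw.json", repo.URI()), rawBuffer.Bytes()},
		{fmt.Sprintf("%s/%s/raw.json", repo.URI(), result.Repo.CommitSHA), rawBuffer.Bytes()},
	}
	for _, e := range exports {
		if err := data.WriteToBlobStore(ctx, exportBucketURL, e.path, e.body); err != nil {
			return fmt.Errorf("error writing export %s: %w", e.path, err)
		}
	}
	// … unchanged: primary write to bucketURL …
```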
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Jul 2022 03:09:45 +0000 Subject: [PATCH 04/22] :seedling: Bump cloud.google.com/go/pubsub from 1.23.1 to 1.24.0 Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.23.1...pubsub/v1.24.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 660de789654..dfa80e165b6 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( require ( cloud.google.com/go/bigquery v1.35.0 cloud.google.com/go/monitoring v1.4.0 // indirect - cloud.google.com/go/pubsub v1.23.1 + cloud.google.com/go/pubsub v1.24.0 cloud.google.com/go/trace v1.2.0 // indirect contrib.go.opencensus.io/exporter/stackdriver v0.13.12 github.com/bombsimon/logrusr/v2 v2.0.1 diff --git a/go.sum b/go.sum index 114a68415c0..cb8504880b3 100644 --- a/go.sum +++ b/go.sum 
@@ -77,8 +77,8 @@ cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+ cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/pubsub v1.19.0/go.mod h1:/O9kmSe9bb9KRnIAWkzmqhPjHo6LtzGOBYd/kr06XSs= -cloud.google.com/go/pubsub v1.23.1 h1:eVtkabVa+1M5ai67fGU+idws0hVb/KEPXiDmSS17+qc= -cloud.google.com/go/pubsub v1.23.1/go.mod h1:ttM6nEGYK/2CnB36ndNySU3ZxPwpBk8cXM6+iOlxH9U= +cloud.google.com/go/pubsub v1.24.0 h1:aCS6wSMzrc602OeXUMA66KGlyXxpdkHdwN+FSBv/sUg= +cloud.google.com/go/pubsub v1.24.0/go.mod h1:rWv09Te1SsRpRGPiWOMDKraMQTJyJps4MkUCoMGUgqw= cloud.google.com/go/secretmanager v1.3.0/go.mod h1:+oLTkouyiYiabAQNugCeTS3PAArGiMJuBqvJnJsyH+U= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= From 96835aae83a77a8d5159e10f47c0ff0ee302109f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Jul 2022 03:27:59 +0000 Subject: [PATCH 05/22] :seedling: Bump actions/stale from 5.0.0 to 5.1.0 Bumps [actions/stale](https://github.com/actions/stale) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/3cc123766321e9f15a6676375c154ccffb12a358...532554b8a8498a0e006fbcde824b048728c4178f) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ca399e9dd21..7bff5462582 100644 --- a/.github/workflows/stale.yml 
+++ b/.github/workflows/stale.yml @@ -31,7 +31,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/stale@3cc123766321e9f15a6676375c154ccffb12a358 # v3.0.18 + - uses: actions/stale@532554b8a8498a0e006fbcde824b048728c4178f # v3.0.18 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' From b945eb36387c139bedeace9105e27c9c5a12aceb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Jul 2022 04:15:02 +0000 Subject: [PATCH 06/22] :seedling: Bump cloud.google.com/go/bigquery from 1.35.0 to 1.36.0 Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.35.0...bigquery/v1.36.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index dfa80e165b6..3d8fa52fff2 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( ) require ( - cloud.google.com/go/bigquery v1.35.0 + cloud.google.com/go/bigquery v1.36.0 cloud.google.com/go/monitoring v1.4.0 // indirect cloud.google.com/go/pubsub v1.24.0 cloud.google.com/go/trace v1.2.0 // indirect @@ -37,7 +37,7 @@ require ( gocloud.dev v0.25.0 golang.org/x/text v0.3.7 golang.org/x/tools v0.1.11 - google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 + google.golang.org/genproto v0.0.0-20220714211235-042d03aeabc9 google.golang.org/protobuf v1.28.0 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 
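Review bot: The trailing `# v3.0.18` comment on the new `uses:` line does not match the pinned commit: the commit message bumps actions/stale from 5.0.0 to 5.1.0 and its Commits link points at `532554b8…` as the new revision, so the line should read `- uses: actions/stale@532554b8a8498a0e006fbcde824b048728c4178f # v5.1.0`. The version comment is the only human-readable check on a SHA pin, so leaving it stale undermines the audit value of pinning when someone later reviews or updates this workflow.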
@@ -112,7 +112,7 @@ require ( golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect - google.golang.org/api v0.86.0 // indirect + google.golang.org/api v0.87.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/grpc v1.47.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect diff --git a/go.sum b/go.sum index cb8504880b3..3ae90d756f4 100644 --- a/go.sum +++ b/go.sum @@ -47,8 +47,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/bigquery v1.35.0 h1:VTPcaApKiOXMqMEqKKJvOr+wi15egvreNLeFQX1GWEo= -cloud.google.com/go/bigquery v1.35.0/go.mod h1:lfJA66SOzluyfw7evgXMvt6UTjIDGrcYHlv1Ja7sgzE= +cloud.google.com/go/bigquery v1.36.0 h1:sTAW05tQycLEDbxod+zgH8LTKDkPbbb30NROx2I9XVs= +cloud.google.com/go/bigquery v1.36.0/go.mod h1:oEa/Pzgr6NNExtYYs26JiwMmllr1sYu1wPIJdxFX+fg= cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= cloud.google.com/go/compute v1.2.0/go.mod h1:xlogom/6gr8RJGBe7nT2eGsQYAFUbbv8dbC29qE3Xmw= cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= 
@@ -2209,8 +2209,8 @@ google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6r google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= -google.golang.org/api v0.86.0 h1:ZAnyOHQFIuWso1BodVfSaRyffD74T9ERGFa3k1fNk/U= -google.golang.org/api v0.86.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.87.0 h1:pUQVF/F+X7Tl1lo4LJoJf5BOpjtmINU80p9XpYTU2p4= +google.golang.org/api v0.87.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2328,8 +2328,8 @@ google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljW google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 h1:W70HjnmXFJm+8RNjOpIDYW2nKsSi/af0VvIZUtYkwuU= -google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220714211235-042d03aeabc9 h1:zfXhTgBfGlIh3jMXN06W8qbhFGsh6MJNJiYEuhTddOI= +google.golang.org/genproto v0.0.0-20220714211235-042d03aeabc9/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= From d77f59f0ef8a75e52fd11a4ae34cb4b5990ca2e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Jul 2022 05:42:10 -0500 Subject: [PATCH 07/22] :seedling: Bump sigstore/cosign-installer from 1.2.1 to 2.4.1 (#2021) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 1.2.1 to 2.4.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/f700e6fbbab82f6897758a3af7a8dede4e308656...48866aa521d8bf870604709cd43ec2f602d03ff2) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/publishimage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index 20f4c22de1b..8a3176df2fb 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -60,7 +60,7 @@ jobs: make install make scorecard-ko - name: Install Cosign - uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 + uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 - name: Sign image run: | cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }} From 8f96d6ba25175cddeda57c5b7c1811a073a0765d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Jul 2022 09:28:08 -0500 Subject: [PATCH 08/22] :seedling: Bump crazy-max/ghaction-import-gpg from 5.0.0 to 5.1.0 (#2091) Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases) - [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md) - [Commits](https://github.com/crazy-max/ghaction-import-gpg/compare/34ea557550c84ea665cae5c61c3b084feac7e042...c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1) --- updated-dependencies: - dependency-name: crazy-max/ghaction-import-gpg dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/goreleaser.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index 73c1f18daa6..d64b68ed83e 100644 --- a/.github/workflows/goreleaser.yaml 
+++ b/.github/workflows/goreleaser.yaml @@ -50,7 +50,7 @@ jobs: - name: Import GPG key id: import_gpg - uses: crazy-max/ghaction-import-gpg@34ea557550c84ea665cae5c61c3b084feac7e042 # v3.1.0 + uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1 # v3.1.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} From 66708ba3b7316f04e9bf42bb85856d9fc8a00032 Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Mon, 25 Jul 2022 10:51:10 -0700 Subject: [PATCH 09/22] =?UTF-8?q?=E2=9C=A8=20Feature:=20Dependency-diff=20?= =?UTF-8?q?ecosystem=20naming=20convention=20mapping=20(GitHub=20->=20OSV)?= =?UTF-8?q?=20(#2088)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * save * save * save * save * save * save --- dependencydiff/dependencydiff.go | 25 ++++++++ dependencydiff/dependencydiff_test.go | 64 +++++++++++++++++++ dependencydiff/errors.go | 3 +- dependencydiff/mapping.go | 89 +++++++++++++++++++++++++++ dependencydiff/raw_dependencies.go | 5 ++ pkg/dependencydiff_result.go | 8 +-- 6 files changed, 189 insertions(+), 5 deletions(-) create mode 100644 dependencydiff/mapping.go diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go index c4012035d76..5d77f341c7c 100644 --- a/dependencydiff/dependencydiff.go +++ b/dependencydiff/dependencydiff.go @@ -79,6 +79,11 @@ func GetDependencyDiffResults( if err != nil { return nil, fmt.Errorf("error in fetchRawDependencyDiffData: %w", err) } + // Map the ecosystem naming convention from GitHub to OSV. + err = mapDependencyEcosystemNaming(dCtx.dependencydiffs) + if err != nil { + return nil, fmt.Errorf("error in mapDependencyEcosystemNaming: %w", err) + } err = getScorecardCheckResults(&dCtx) if err != nil { return nil, fmt.Errorf("error getting scorecard check results: %w", err) 
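Review bot: The version label next to the pinned SHA is left stale: the commit message bumps crazy-max/ghaction-import-gpg to 5.1.0, but the new line still ends with `# v3.1.0`, so anyone auditing the pin by its comment (or tooling that tracks the pin through that comment) is misled. The line should read `uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1 # v5.1.0`. The same mismatch appears on the actions/stale pins in stale.yml, which keep `# v3.0.18` while the bumps target 5.1.0 and 5.1.1.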
@@ -86,6 +91,22 @@ func GetDependencyDiffResults(
 return dCtx.results, nil
 }
+func mapDependencyEcosystemNaming(deps []dependency) error {
+ for i := range deps {
+ if deps[i].Ecosystem == nil {
+ continue
+ }
+ mappedEcosys, err := toEcosystem(*deps[i].Ecosystem)
+ if err != nil {
+ wrappedErr := fmt.Errorf("error mapping dependency ecosystem: %w", err)
+ return wrappedErr
+ }
+ deps[i].Ecosystem = asPointer(string(mappedEcosys))
+
+ }
+ return nil
+}
+
 func initRepoAndClientByChecks(dCtx *dependencydiffContext, dSrcRepo string) error {
 repo, repoClient, ossFuzzClient, ciiClient, vulnsClient, err := checker.GetClients(
 dCtx.ctx, dSrcRepo, "", dCtx.logger,
@@ -171,3 +192,7 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error {
 }
 return nil
 }
+
+func asPointer(s string) *string {
+ return &s
+}
diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go
index 4767ff2174f..d8f4694351b 100644
--- a/dependencydiff/dependencydiff_test.go
+++ b/dependencydiff/dependencydiff_test.go
@@ -16,6 +16,7 @@ package dependencydiff
 import (
 "context"
+ "errors"
 "path"
 "testing"
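Review bot: mapDependencyEcosystemNaming aborts the entire dependency-diff run as soon as one dependency carries an ecosystem that is absent from gitHubToOSV, and the new test table treats `actions` as exactly such a value; if the GitHub API reports that ecosystem for a changed workflow dependency, GetDependencyDiffResults (called in the previous hunk) returns an error instead of any results. Consider treating errMappingNotFound as a per-dependency condition, e.g. `if errors.Is(err, errMappingNotFound) { continue }` (leaving that entry's Ecosystem unmapped, or clearing it, and logging it), and reserving the early return for other failures; this needs `errors` imported in dependencydiff.go. Minor style in the same function: `wrappedErr` exists only to be returned and there is a stray blank line before the loop's closing brace, so `return fmt.Errorf("error mapping dependency ecosystem: %w", err)` reads cleaner.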
@@ -158,3 +159,66 @@ func Test_getScorecardCheckResults(t *testing.T) {
 })
 }
 }
+
+func Test_mapDependencyEcosystemNaming(t *testing.T) {
+ t.Parallel()
+ //nolint
+ tests := []struct {
+ name string
+ deps []dependency
+ errWanted error
+ }{
+ {
+ name: "error invalid github ecosystem",
+ deps: []dependency{
+ {
+ Name: "dependency_1",
+ Ecosystem: asPointer("not_supported"),
+ },
+ {
+ Name: "dependency_2",
+ Ecosystem: asPointer("gomod"),
+ },
+ },
+ errWanted: errInvalid,
+ },
+ {
+ name: "error cannot find mapping",
+ deps: []dependency{
+ {
+ Name: "dependency_3",
+ Ecosystem: asPointer("actions"),
+ },
+ },
+ errWanted: errInvalid,
+ },
+ {
+ name: "correct mapping",
+ deps: []dependency{
+ {
+ Name: "dependency_4",
+ Ecosystem: asPointer("gomod"),
+ },
+ {
+ Name: "dependency_5",
+ Ecosystem: asPointer("pip"),
+ },
+ {
+ Name: "dependency_6",
+ Ecosystem: asPointer("cargo"),
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+ err := mapDependencyEcosystemNaming(tt.deps)
+ if tt.errWanted != nil && errors.Is(tt.errWanted, err) {
+ t.Errorf("not a wanted error, want:%v, got:%v", tt.errWanted, err)
+ return
+ }
+ })
+ }
+}
diff --git a/dependencydiff/errors.go b/dependencydiff/errors.go
index 0bad31b0db5..6541cc53964 100644
--- a/dependencydiff/errors.go
+++ b/dependencydiff/errors.go
@@ -18,5 +18,6 @@ import "errors"
 // static Errors for mapping
 var (
- errInvalid = errors.New("invalid")
+ errMappingNotFound = errors.New("ecosystem mapping not found")
+ errInvalid = errors.New("invalid")
 )
diff --git a/dependencydiff/mapping.go b/dependencydiff/mapping.go
new file mode 100644
index 00000000000..445676b3b6b
--- /dev/null
+++ b/dependencydiff/mapping.go
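Review bot: The assertion at the end of Test_mapDependencyEcosystemNaming is inverted and has its arguments swapped: `errors.Is(tt.errWanted, err)` reports a failure only when the expected error is matched, and errors.Is takes the received error first, so the two error cases can never fail and the `correct mapping` case never checks that err is nil. Because errors.Is(nil, nil) is true, a single check covers all three rows: `if !errors.Is(err, tt.errWanted) { t.Errorf("want %v, got %v", tt.errWanted, err) }`. The first two rows also expect `errInvalid`, but toEcosystem in mapping.go wraps `errMappingNotFound`, so their `errWanted` should be `errMappingNotFound`. A row with `Ecosystem: nil` would additionally pin the skip path in mapDependencyEcosystemNaming, which no row exercises today.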
@@ -0,0 +1,89 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dependencydiff
+
+import (
+ "fmt"
+)
+
+// Ecosystem is a package ecosystem supported by OSV, GitHub, etc.
+type ecosystem string
+
+// OSV ecosystem naming data source: https://ossf.github.io/osv-schema/#affectedpackage-field
+// nolint
+const (
+ // The Go ecosystem.
+ ecosystemGo ecosystem = "Go"
+
+ // The NPM ecosystem.
+ ecosystemNpm ecosystem = "npm"
+
+ // The Android ecosystem
+ ecosystemAndroid ecosystem = "Android" // nolint:unused
+
+ // The crates.io ecosystem for RUST.
+ ecosystemCrates ecosystem = "crates.io"
+
+ // For reports from the OSS-Fuzz project that have no more appropriate ecosystem.
+ ecosystemOssFuzz ecosystem = "OSS-Fuzz" // nolint:unused
+
+ // The Python PyPI ecosystem. PyPI is the main package source of pip.
+ ecosystemPyPI ecosystem = "PyPI"
+
+ // The RubyGems ecosystem.
+ ecosystemRubyGems ecosystem = "RubyGems"
+
+ // The PHP package manager ecosystem. Packagist is the main Composer repository.
+ ecosystemPackagist ecosystem = "Packagist"
+
+ // The Maven Java package ecosystem.
+ ecosystemMaven ecosystem = "Maven"
+
+ // The NuGet package ecosystem.
+ ecosystemNuGet ecosystem = "Nuget"
+
+ // The Linux kernel.
+ ecosystemLinux ecosystem = "Linux" // nolint:unused
+
+ // The Debian package ecosystem.
+ ecosystemDebian ecosystem = "Debian" // nolint:unused
+
+ // Hex is the package manager of Erlang.
+ // TODO: GitHub doesn't support hex as the ecosystem for Erlang yet. Add this to the map in the future.
+ ecosystemHex ecosystem = "Hex" // nolint:unused
+)
+
+var (
+ //gitHubToOSV defines the ecosystem naming mapping relationship between GitHub and others.
+ gitHubToOSV = map[string]ecosystem{
+ // GitHub ecosystem naming data source: https://docs.github.com/en/code-security/supply-chain-security/
+ // understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems
+ "gomod": ecosystemGo, /* go.mod and go.sum */
+ "cargo": ecosystemCrates,
+ "pip": ecosystemPyPI, /* pip and poetry */
+ "npm": ecosystemNpm, /* npm and yarn */
+ "maven": ecosystemMaven,
+ "composer": ecosystemPackagist,
+ "rubygems": ecosystemRubyGems,
+ "nuget": ecosystemNuGet,
+ }
+)
+
+func toEcosystem(e string) (ecosystem, error) {
+ if ecosystemOSV, found := gitHubToOSV[e]; found {
+ return ecosystemOSV, nil
+ }
+ return "", fmt.Errorf("%w for github entry %s", errMappingNotFound, e)
+}
diff --git a/dependencydiff/raw_dependencies.go b/dependencydiff/raw_dependencies.go
index de313375e82..39194535d51 100644
--- a/dependencydiff/raw_dependencies.go
+++ b/dependencydiff/raw_dependencies.go
@@ -68,5 +68,10 @@ func fetchRawDependencyDiffData(dCtx *dependencydiffContext) error {
 if err != nil {
 return fmt.Errorf("error parsing the dependency-diff reponse: %w", err)
 }
+ for _, d := range dCtx.dependencydiffs {
+ if !d.ChangeType.IsValid() {
+ return fmt.Errorf("%w: change type", errInvalid)
+ }
+ }
 return nil
 }
diff --git a/pkg/dependencydiff_result.go b/pkg/dependencydiff_result.go
index 74b5b834b93..c8608ef74b7 100644
--- a/pkg/dependencydiff_result.go
+++ b/pkg/dependencydiff_result.go
@@ -35,8 +35,8 @@ const (
 )
 // IsValid determines if a ChangeType is valid.
-func (ct *ChangeType) IsValid() bool {
- switch *ct {
+func (ct ChangeType) IsValid() bool {
+ switch ct {
 case Added, Updated, Removed:
 return true
 default:
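Review bot: `ecosystemNuGet` is defined as `"Nuget"` while its own comment and the OSV schema page linked above the const block spell the ecosystem `NuGet`; if these strings are what later OSV lookups are keyed on, as the mapping's purpose suggests, the literal should be `ecosystemNuGet ecosystem = "NuGet"`. In toEcosystem the unmapped value is whatever the GitHub response carried, so quoting it makes empty or whitespace-padded entries visible in the error: `return "", fmt.Errorf("%w for github entry %q", errMappingNotFound, e)`. Two documentation nits in the same file: the doc comment on the type says `Ecosystem` although the type is `ecosystem`, and `//gitHubToOSV` is missing the space after the slashes.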
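Review bot: The new validation loop in fetchRawDependencyDiffData rejects the whole response with `errInvalid: change type` without saying which dependency or which value was refused, which makes a failing run on a real dependency-diff payload hard to diagnose. Since the loop already has the entry in hand, `return fmt.Errorf("%w: change type %v for dependency %s", errInvalid, d.ChangeType, d.Name)` would carry that context (the test table shows Name as a plain string). The enclosing function begins outside the hunk.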
@@ -45,7 +45,7 @@ func (ct *ChangeType) IsValid() bool { } // ScorecardResultWithError is used for the dependency-diff module to record the scorecard result -// and a potential error field if the Scorecard run fails. +// and a error field to record potential errors when the Scorecard run fails. type ScorecardResultWithError struct { // ScorecardResult is the scorecard result for the dependency repo. ScorecardResult *ScorecardResult @@ -74,7 +74,7 @@ type DependencyCheckResult struct { // Version is the package version of the dependency. Version *string - // ScorecardResultWithError is the scorecard checking results of the dependency. + // ScorecardResultWithError is the scorecard checking result of the dependency. ScorecardResultWithError ScorecardResultWithError // Name is the name of the dependency. From 93a0206329760323f0c03ac341240321d7752238 Mon Sep 17 00:00:00 2001 From: Pedro Nacht Date: Tue, 26 Jul 2022 16:13:47 -0300 Subject: [PATCH 10/22] =?UTF-8?q?=F0=9F=93=96=20Minor=20typos=20and=20copy?= =?UTF-8?q?-editing=20to=20checks/write.md=20(#2071)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Minor typos and copy-editing to checks/write.md * Undo hyphen, remove "both" * Reflow item 7 --- checks/write.md | 50 ++++++++++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/checks/write.md b/checks/write.md index 383f8830087..fc0bc9e6c95 100644 --- a/checks/write.md +++ b/checks/write.md 
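Review bot: The rewritten doc comment on ScorecardResultWithError now reads `and a error field to record potential errors when the Scorecard run fails`, which is ungrammatical and longer than the line it replaced. Suggest `// and an error field recording any failure of the Scorecard run.` so the sentence reads cleanly; the rest of the struct's comments are unchanged by this hunk.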
@@ -1,14 +1,14 @@ # Requirements for a check -If you'd like to add a check, make sure it is something that meets the following -criteria and then create a new GitHub Issue to discuss with the team: +If you'd like to add a check, make sure it meets the following criteria and then +create a new GitHub Issue to discuss with the team: - The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more - secure than a project with say 50 contributors. But, having two maintainers + secure than a project with 50 contributors. But, having two maintainers might be preferable to only having one - the larger bus factor and ability to provide code reviews is objectively better. -- The scorecard criteria can be as specific as possible and not limited +- The scorecard criteria can be as specific as possible and are not limited to general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase. - The scorecard can be populated for any open source project without any work @@ -24,13 +24,13 @@ criteria and then create a new GitHub Issue to discuss with the team: # How to write a check -The steps to writting a check are as follow: +The steps to writing a check are as follows: -1. Create a file under `checks/` folder, say `checks/mycheck.go` +1. Create a file under the `checks/` folder, say `checks/mycheck.go` 2. Give the check a name and register the check: - ``` - // Note: export the name: start its name with an upper-case letter. + ```go + // Note: export the name by starting it with an upper-case letter. const CheckMyCheckName string = "My-Check" func init() { 
@@ -38,46 +38,44 @@ The steps to writting a check are as follow: } ``` -3. Log information that is benfical to the user using `checker.DetailLogger`: +3. Log useful information with `checker.DetailLogger`: * Use `checker.DetailLogger.Warn()` to provide detail on low-score - results. This is showed when the user supplies the `show-results` - option. + results. This is shown when the user supplies the `show-results` option. * Use `checker.DetailLogger.Info()` to provide detail on high-score - results. This is showed when the user supplies the `show-results` - option. + results. This is shown when the user supplies the `show-results` option. * Use `checker.DetailLogger.Debug()` to provide detail in verbose mode: - this is showed only when the user supplies the `--verbosity Debug` + this is shown only when the user supplies the `--verbosity Debug` option. * If your message relates to a file, try to provide information such as the `Path`, line number `Offset` and `Snippet`. -4. If the checks fails in a way that is irrecoverable, return a result with - `checker.CreateRuntimeErrorResult()` function: For example, if an error is - returned from an API you call, use the function. +4. If the check fails in a way that is irrecoverable, return a result with the + `checker.CreateRuntimeErrorResult()` function. For example, if an error is + returned from an API you call, use this function. -5. Create the result of the check as follow: +5. Create the result of the check as follows: - * Always provide a high-level sentence explaining the result/score of the - check. + * Always provide a high-level sentence explaining the check's + result/score. * If the check runs properly but is unable to determine a score, use - `checker.CreateInconclusiveResult()` function. + `checker.CreateInconclusiveResult()`. * For proportional results, use `checker.CreateProportionalScoreResult()`. 
- * For maximum score, use `checker.CreateMaxScoreResult()`; for min score - use `checker.CreateMinScoreResult()`. + * For maximum and minimum scores, use `checker.CreateMaxScoreResult()` and + `checker.CreateMinScoreResult()`, respectively. * If you need more flexibility and need to set a specific score, use `checker.CreateResultWithScore()` with one of the constants declared, such as `checker.HalfResultScore`. 6. Dealing with errors: see [errors/errors.md](/errors/errors.md). -7. Create unit tests for both low, high and inconclusive score. Put them in a - file `checks/mycheck_test.go`. +7. Create unit tests for low, high and inconclusive scores. Put them in a file + `checks/mycheck_test.go`. 8. Create e2e tests in `e2e/mycheck_test.go`. Use a dedicated repo that will not change over time, so that it's reliable for the tests. -9. Update the `checks/checks.yaml` with the description of your check. +9. Update the `checks/checks.yaml` with a description of your check. 10. Generate `docs/check.md` using `make generate-docs`. This will validate and generate `docs/check.md`. From baedf8408224737c976b709404ea9b0c4f15b5cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 12:44:30 -0500 Subject: [PATCH 11/22] :seedling: Bump imjasonh/setup-ko from 0.4 to 0.5 (#2096) Bumps [imjasonh/setup-ko](https://github.com/imjasonh/setup-ko) from 0.4 to 0.5. - [Release notes](https://github.com/imjasonh/setup-ko/releases) - [Commits](https://github.com/imjasonh/setup-ko/compare/2c3450ca27f6e6f2b02e72a40f2163c281a1f675...78eea08f10db87a7a23a666a4a6fe2734f2eeb8d) --- updated-dependencies: - dependency-name: imjasonh/setup-ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/publishimage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index 8a3176df2fb..6f9fdc8e52f 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -48,7 +48,7 @@ jobs: with: go-version: ${{ env.GO_VERSION }} - name: install ko - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 + uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d - name: publishimage uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c with: From 4f30e02a2493f185179efd90941e99c3aa7ebd8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Jul 2022 17:45:21 +0000 Subject: [PATCH 12/22] :seedling: Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.4.1 to 2.5.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/48866aa521d8bf870604709cd43ec2f602d03ff2...09a077b27eb1310dcfb21981bee195b30ce09de0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/publishimage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index 6f9fdc8e52f..1658a48fafb 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -60,7 +60,7 @@ jobs: make install make scorecard-ko - name: Install Cosign - uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 + uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0 - name: Sign image run: | cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }} From c581062fe72d5f4138f2ed66a5237367b477cd22 Mon Sep 17 00:00:00 2001 
From: Azeem Shaikh Date: Wed, 27 Jul 2022 15:04:07 -0400 Subject: [PATCH 13/22] Enable Scorecard badge (#2097) Co-authored-by: Azeem Shaikh --- .github/workflows/scorecard-analysis.yml | 3 ++- README.md | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 29d126ef6dd..93bf7f1f04a 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -19,6 +19,7 @@ jobs: runs-on: ubuntu-latest permissions: security-events: write + token-id: write steps: - name: Harden Runner @@ -30,7 +31,7 @@ jobs: uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: "Run analysis" - uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564 + uses: ossf/scorecard-action@3155d134e59d8f47261b1ae9d143034c69572227 # v2.0.0-beta.1 with: results_file: results.sarif results_format: sarif diff --git a/README.md b/README.md index 7c2c5abb906..abedbd5efba 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ # Security Scorecards +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621) ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main) ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main) From d7cb711207ef00f9c78e10a873b051fca46a0357 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 27 Jul 2022 17:09:28 -0400 Subject: [PATCH 14/22] Fix bug in Scorecard analysis CI (#2099) Co-authored-by: Azeem Shaikh --- .github/workflows/scorecard-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 93bf7f1f04a..0563b20c615 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest permissions: security-events: write - token-id: write + id-token: write steps: - name: Harden Runner From 5fa75960db687dc54c05c45dcefd6eb6cabb0b4f Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Wed, 27 Jul 2022 18:32:37 -0400 Subject: [PATCH 15/22] Scorecard runs fail with any unrecognized steps (#2103) Co-authored-by: Azeem Shaikh --- .github/workflows/scorecard-analysis.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 0563b20c615..ac8279871e8 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -22,11 +22,6 @@ jobs: id-token: write steps: - - name: Harden Runner - uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 # v1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - name: "Checkout code" uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b From 384c79d511225e439f74b501c2471df2f97fec2e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Jul 2022 09:25:15 -0500 Subject: [PATCH 16/22] :seedling: Bump actions/stale from 5.1.0 to 5.1.1 (#2106) Bumps [actions/stale](https://github.com/actions/stale) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/532554b8a8498a0e006fbcde824b048728c4178f...9c1b1c6e115ca2af09755448e0dbba24e5061cc8) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 7bff5462582..2b7690ac564 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -31,7 +31,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/stale@532554b8a8498a0e006fbcde824b048728c4178f # v3.0.18 + - uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8 # v3.0.18 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' From 8118e5db125ea3bf18f652ebc16cb42a76caf1c5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Jul 2022 14:26:39 +0000 Subject: [PATCH 17/22] :seedling: Bump golang.org/x/tools from 0.1.11 to 0.1.12 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.11 to 0.1.12. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.1.11...v0.1.12) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 13 +++++++++---- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 3d8fa52fff2..91f4dfe3f76 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ require ( go.opencensus.io v0.23.0 gocloud.dev v0.25.0 golang.org/x/text v0.3.7 - golang.org/x/tools v0.1.11 + golang.org/x/tools v0.1.12 google.golang.org/genproto v0.0.0-20220714211235-042d03aeabc9 google.golang.org/protobuf v1.28.0 gopkg.in/yaml.v2 v2.4.0 @@ -107,10 +107,10 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect - golang.org/x/net v0.0.0-20220708220712-1185a9018129 // indirect + golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect - golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect - golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect + golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect google.golang.org/api v0.87.0 // indirect google.golang.org/appengine v1.6.7 // indirect 
diff --git a/go.sum b/go.sum index 3ae90d756f4..421428ff39d 100644 --- a/go.sum +++ b/go.sum @@ -1570,6 +1570,7 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.12/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= @@ -1819,8 +1820,9 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220708220712-1185a9018129 h1:vucSRfWwTsoXro7P+3Cjlr6flUMtzCwzlvkxEQtHHB0= golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1864,8 +1866,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2012,8 +2015,9 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -2138,8 +2142,9 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.11 h1:loJ25fNOEhSXfHrpoGj91eCUThwdNX6u24rO1xnNteY=
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
From 1e0e44a0e8433b01ae749993e00da53579784d3d Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Thu, 28 Jul 2022 11:26:23 -0700 Subject: [PATCH 18/22] =?UTF-8?q?=F0=9F=90=9B=20Bug=20fixing:=20recurring?= =?UTF-8?q?=20results=20of=20the=20scorecard=20fuzzing=20check=20for=20go?= =?UTF-8?q?=20built-in=20fuzzers=20(#2101)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * save * save * save * save * save --- checks/raw/fuzzing.go | 15 ++--- checks/raw/fuzzing_test.go | 110 ++++++++++++++++++++++++++++++++++++- e2e/fuzzing_test.go | 21 +++++++ 3 files changed, 138 insertions(+), 8 deletions(-)
diff --git a/checks/raw/fuzzing.go b/checks/raw/fuzzing.go
index c051a733307..d9d54cf8a7d 100644
--- a/checks/raw/fuzzing.go
+++ b/checks/raw/fuzzing.go
@@ -98,7 +98,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) {
 return checker.FuzzingData{}, fmt.Errorf("cannot get langs of repo: %w", err)
 }
 prominentLangs := getProminentLanguages(langs)
-
 for _, lang := range prominentLangs {
 usingFuzzFunc, files, e := checkFuzzFunc(c, lang)
 if e != nil {
@@ -224,18 +223,20 @@ func getProminentLanguages(langs []clients.Language) []clients.LanguageName {
 return nil
 }
 totalLoC := 0
+ // Use a map to record languages and their lines of code to drop potential duplicates.
+ langMap := map[clients.LanguageName]int{}
 for _, l := range langs {
 totalLoC += l.NumLines
+ langMap[l.Name] += l.NumLines
 }
- // Var avgLoC calculates the average lines of code in the current repo,
- // and it can stay as an int, no need for a float value.
+ // Calculate the average lines of code in the current repo.
+ // This var can stay as an int, no need for a precise float value.
 avgLoC := totalLoC / numLangs
- // Languages that have lines of code above average will be considered prominent.
 ret := []clients.LanguageName{}
- for _, l := range langs {
- if l.NumLines >= avgLoC {
- lang := clients.LanguageName(strings.ToLower(string(l.Name)))
+ for lName, loC := range langMap {
+ if loC >= avgLoC {
+ lang := clients.LanguageName(strings.ToLower(string(lName)))
 ret = append(ret, lang)
 }
 }
diff --git a/checks/raw/fuzzing_test.go b/checks/raw/fuzzing_test.go
index 65c811c8b9b..bdca1346223 100644
--- a/checks/raw/fuzzing_test.go
+++ b/checks/raw/fuzzing_test.go
@@ -242,7 +242,6 @@ func Test_checkFuzzFunc(t *testing.T) {
 fileContent string
 }{
 {
- // TODO: more test cases needed. @aidenwang9867
 name: "Test_checkFuzzFunc failure",
 want: false,
 wantErr: false,
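Review bot: The rewritten loop `for lName, loC := range langMap` iterates a map, so the order of `ret` now varies from run to run and `Fuzzing` (whose `for _, lang := range prominentLangs` is in the first hunk) will report fuzzers in a nondeterministic order; sorting before returning, e.g. `sort.Slice(ret, func(i, j int) bool { return ret[i] < ret[j] })` (with `sort` imported), keeps the output stable. `avgLoC` is still `totalLoC / numLangs`, where `numLangs` is set above the hunk and presumably counts the raw entries including duplicates, while the comparison now uses de-duplicated per-language totals, so a repo in which only some languages are duplicated gets a skewed threshold; `avgLoC := totalLoC / len(langMap)` puts numerator and denominator on the same basis. Both getProminentLanguages and Fuzzing extend beyond the hunks shown.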
@@ -286,3 +285,112 @@ func Test_checkFuzzFunc(t *testing.T) {
 })
 }
 }
+
+func Test_getProminentLanguages(t *testing.T) {
+ t.Parallel()
+ //nolint
+ tests := []struct {
+ name string
+ languages []clients.Language
+ expected []clients.LanguageName
+ }{
+ {
+ name: "case1",
+ languages: []clients.Language{
+ {
+ Name: clients.Go,
+ NumLines: 1000,
+ },
+ {
+ Name: clients.Python,
+ NumLines: 40,
+ }, {
+ Name: clients.JavaScript,
+ NumLines: 800,
+ },
+ },
+ expected: []clients.LanguageName{
+ clients.Go, clients.JavaScript,
+ },
+ },
+ {
+ // This test case simulates the situation when the GitHub language API returns
+ // duplicated languages, but we can still drop them and get the correct result.
+ name: "case2: drop duplicates",
+ languages: []clients.Language{
+ {
+ Name: clients.Go,
+ NumLines: 1000,
+ },
+ {
+ Name: clients.Python,
+ NumLines: 40,
+ }, {
+ Name: clients.JavaScript,
+ NumLines: 800,
+ },
+ {
+ Name: clients.Go,
+ NumLines: 1000,
+ },
+ {
+ Name: clients.Python,
+ NumLines: 40,
+ }, {
+ Name: clients.JavaScript,
+ NumLines: 800,
+ },
+ {
+ Name: clients.Go,
+ NumLines: 1000,
+ },
+ {
+ Name: clients.Python,
+ NumLines: 40,
+ }, {
+ Name: clients.JavaScript,
+ NumLines: 800,
+ },
+ },
+ expected: []clients.LanguageName{
+ clients.Go, clients.JavaScript,
+ },
+ },
+ }
+ for _, tt := range tests {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+ got := getProminentLanguages(tt.languages)
+ if !unorderedEqual(got, tt.expected) {
+ t.Errorf(
+ "got (%s) != expected (%s)",
+ got, tt.expected,
+ )
+ }
+
+ })
+ }
+}
+
+func unorderedEqual(l1, l2 []clients.LanguageName) bool {
+ if len(l1) != len(l2) {
+ return false
+ }
+ l1Map, l2Map := map[clients.LanguageName]bool{}, map[clients.LanguageName]bool{}
+ for _, l := range l1 {
+ l1Map[l] = true
+ }
+ for _, l := range l2 {
+ l2Map[l] = true
+ if !l1Map[l] {
+ return false
+ }
+ }
+ for k := range l1Map {
+ if !l2Map[k] {
+ return false
+ }
+ }
+ return true
+}
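Review bot: `unorderedEqual` reduces both slices to bool sets, so equal-length slices with different multiplicities — `[Go, Go, JavaScript]` against `[Go, JavaScript, JavaScript]` — compare equal, which is exactly the kind of duplicate leak "case2: drop duplicates" is meant to catch. Counting instead, `counts := map[clients.LanguageName]int{}` incremented for each element of `l1` and decremented for each of `l2`, then requiring every count to be zero, gives a true multiset comparison in the same number of lines. The bare `//nolint` above `tests` silences every linter for that statement; naming the intended one (`//nolint:<linter>`) keeps the rest active.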
diff --git a/e2e/fuzzing_test.go b/e2e/fuzzing_test.go
index 15c6def89e1..eadab88a29d 100644
--- a/e2e/fuzzing_test.go
+++ b/e2e/fuzzing_test.go
@@ -22,6 +22,7 @@ import (
 "github.com/ossf/scorecard/v4/checker"
 "github.com/ossf/scorecard/v4/checks"
+ "github.com/ossf/scorecard/v4/checks/raw"
 "github.com/ossf/scorecard/v4/clients"
 "github.com/ossf/scorecard/v4/clients/githubrepo"
 scut "github.com/ossf/scorecard/v4/utests"
@@ -113,6 +114,26 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() {
 Expect(repoClient.Close()).Should(BeNil())
 Expect(ossFuzzRepoClient.Close()).Should(BeNil())
 })
+ It("Should return an expected number of GoBuiltInFuzzers", func() {
+ dl := scut.TestDetailLogger{}
+ repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-fuzzing-golang")
+ Expect(err).Should(BeNil())
+ repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
+ err = repoClient.InitRepo(repo, clients.HeadSHA)
+ Expect(err).Should(BeNil())
+ ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger)
+ Expect(err).Should(BeNil())
+ req := checker.CheckRequest{
+ Ctx: context.Background(),
+ RepoClient: repoClient,
+ OssFuzzRepo: ossFuzzRepoClient,
+ Repo: repo,
+ Dlogger: &dl,
+ }
+ rawData, err := raw.Fuzzing(&req)
+ Expect(err).Should(BeNil())
+ Expect(len(rawData.Fuzzers) == 1).Should(BeTrue())
+ })
 It("Should return no fuzzing", func() {
 dl := scut.TestDetailLogger{}
 repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-packaging-e2e")
From 6813ed1981fe2749bb814127e710c0813b911336 Mon Sep 17 00:00:00 2001
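Review bot: The new "Should return an expected number of GoBuiltInFuzzers" block creates `repoClient` and `ossFuzzRepoClient` but never closes them, while the block immediately above ends with `Expect(repoClient.Close()).Should(BeNil())` and `Expect(ossFuzzRepoClient.Close()).Should(BeNil())`; the same two lines belong before this block's closing `})`. `Expect(len(rawData.Fuzzers) == 1).Should(BeTrue())` reports only `false` when it fails; `Expect(rawData.Fuzzers).Should(HaveLen(1))` prints the fuzzers actually found.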
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Jul 2022 10:27:52 -0500 Subject: [PATCH 19/22] :seedling: Bump google.golang.org/protobuf in /tools (#2110) Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1. - [Release notes](https://github.com/protocolbuffers/protobuf-go/releases) - [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash) - [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1) --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/go.mod | 2 +- tools/go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/go.mod b/tools/go.mod
index 4810a392aac..ee90f5f9146 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/goreleaser/goreleaser v1.6.3
 github.com/naveensrinivasan/stunning-tribble v0.4.2
 github.com/onsi/ginkgo/v2 v2.1.4
- google.golang.org/protobuf v1.28.0
+ google.golang.org/protobuf v1.28.1
 )
 require (
diff --git a/tools/go.sum b/tools/go.sum
index 9710e38f9df..c94b3fb860f 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -3356,8 +3356,9 @@ google.golang.org/protobuf v1.25.1-0.20200805231151-a709e31e5d12/go.mod h1:9JNX7
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
From 89163cc4d47c5cab3eb1864f91719dc69c3a76b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Jul 2022 15:29:19 +0000 Subject: [PATCH 20/22] :seedling: Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1. - [Release notes](https://github.com/protocolbuffers/protobuf-go/releases) - [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash) - [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1) --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 91f4dfe3f76..091aedb04b1 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
 golang.org/x/text v0.3.7
 golang.org/x/tools v0.1.12
 google.golang.org/genproto v0.0.0-20220714211235-042d03aeabc9
- google.golang.org/protobuf v1.28.0
+ google.golang.org/protobuf v1.28.1
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 mvdan.cc/sh/v3 v3.5.1
diff --git a/go.sum b/go.sum
index 421428ff39d..5e272ec64c8 100644
--- a/go.sum
+++ b/go.sum
@@ -2389,8 +2389,9 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
From 69eb1ccf1d0cf8c5b291044479f18672bf250325 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Sun, 31 Jul 2022 07:59:56 -0400 Subject: [PATCH 21/22] Fix a bug in cron API data exporting (#2112) Co-authored-by: Azeem Shaikh --- cron/internal/config/config.go | 8 ++++---- cron/internal/config/config.yaml | 4 ++-- cron/internal/config/config_test.go | 16 ++++++++-------- cron/internal/worker/main.go | 27 ++++++++++++++++----------- 4 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/cron/internal/config/config.go b/cron/internal/config/config.go
index 4f8ec90b8bf..35cb0bb47c0 100644
--- a/cron/internal/config/config.go
+++ b/cron/internal/config/config.go
@@ -79,7 +79,7 @@ type config struct {
 // Raw results.
 RawResultDataBucketURL string `yaml:"raw-result-data-bucket-url"`
 RawBigQueryTable string `yaml:"raw-bigquery-table"`
- ExportResultsBucketURL string `yaml:"export-results-bucket-url"`
+ APIResultsBucketURL string `yaml:"api-results-bucket-url"`
 }
 func getParsedConfigFromFile(byteValue []byte) (config, error) {
@@ -234,8 +234,8 @@ func GetMetricExporter() (string, error) {
 return getStringConfigValue(metricExporter, configYAML, "MetricExporter", "metric-exporter")
 }
-// GetBQExportResultsBucketURL returns the bucket URL for storing cron job results.
-func GetBQExportResultsBucketURL() (string, error) {
+// GetAPIResultsBucketURL returns the bucket URL for storing cron job results.
+func GetAPIResultsBucketURL() (string, error) {
 return getStringConfigValue(apiResultsBucketURL, configYAML,
- "ExportResultsBucketURL", "export-results-bucket-url")
+ "APIResultsBucketURL", "api-results-bucket-url")
 }
diff --git a/cron/internal/config/config.yaml b/cron/internal/config/config.yaml
index 205ee9477f1..f4d822a8fb3 100644
--- a/cron/internal/config/config.yaml
+++ b/cron/internal/config/config.yaml
@@ -29,5 +29,5 @@ result-data-bucket-url: gs://ossf-scorecard-data2
 # Raw results.
 raw-result-data-bucket-url: gs://ossf-scorecard-rawdata
 raw-bigquery-table: scorecard-rawdata
-# export-bucket
-export-results-bucket-url: gs://ossf-scorecard-cron-releasetest-results
+# API results bucket
+api-results-bucket-url: gs://ossf-scorecard-cron-results
diff --git a/cron/internal/config/config_test.go b/cron/internal/config/config_test.go
index 669eccd30f2..1919b996e64 100644
--- a/cron/internal/config/config_test.go
+++ b/cron/internal/config/config_test.go
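Review bot: The doc comment on `GetAPIResultsBucketURL` is the old text with the name swapped and does not say what distinguishes this bucket from `result-data-bucket-url` (visible in the config.yaml hunk's context), so a reader still cannot tell why two result buckets exist; assuming the scorecard API is the consumer, as the name suggests, `// GetAPIResultsBucketURL returns the bucket URL the cron worker exports per-repo results to for the scorecard API.` would say so. The config.yaml hunk also moves the production destination from `gs://ossf-scorecard-cron-releasetest-results` to `gs://ossf-scorecard-cron-results`, a deployment change that the commit description should state explicitly since the title only says "Fix a bug".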
@@ -37,9 +37,9 @@ const (
 prodShardSize int = 10
 prodMetricExporter string = "stackdriver"
 // Raw results.
- prodRawBucket = "gs://ossf-scorecard-rawdata"
- prodRawBigQueryTable = "scorecard-rawdata"
- prodBigQueryExportsBucketURL = "gs://ossf-scorecard-cron-releasetest-results"
+ prodRawBucket = "gs://ossf-scorecard-rawdata"
+ prodRawBigQueryTable = "scorecard-rawdata"
+ prodAPIBucketURL = "gs://ossf-scorecard-cron-results"
 )
 func getByteValueFromFile(filename string) ([]byte, error) {
@@ -75,7 +75,7 @@ func TestYAMLParsing(t *testing.T) {
 MetricExporter: prodMetricExporter,
 RawResultDataBucketURL: prodRawBucket,
 RawBigQueryTable: prodRawBigQueryTable,
- ExportResultsBucketURL: prodBigQueryExportsBucketURL,
+ APIResultsBucketURL: prodAPIBucketURL,
 },
 },
@@ -348,16 +348,16 @@ func TestGetMetricExporter(t *testing.T) {
 }
 //nolint:paralleltest // Since os.Setenv is used.
-func TestGetBigQueryExportsBucketURL(t *testing.T) {
+func TestGetAPIResultsBucketURL(t *testing.T) {
 t.Run("GetBigQueryExportsBucketURL", func(t *testing.T) {
 bigqueryExportsBucketURL := apiResultsBucketURL
 os.Unsetenv(bigqueryExportsBucketURL)
- bucket, err := GetBQExportResultsBucketURL()
+ bucket, err := GetAPIResultsBucketURL()
 if err != nil {
 t.Errorf("failed to get production bucket URL from config: %v", err)
 }
- if bucket != prodBigQueryExportsBucketURL {
- t.Errorf("test failed: expected - %s, got = %s", prodBigQueryExportsBucketURL, bucket)
+ if bucket != prodAPIBucketURL {
+ t.Errorf("test failed: expected - %s, got = %s", prodAPIBucketURL, bucket)
 }
 })
 }
diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go
index 689bb9347d1..231ce073c9f 100644
--- a/cron/internal/worker/main.go
+++ b/cron/internal/worker/main.go
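Review bot: The rename leaves stale names inside `TestGetAPIResultsBucketURL`: the subtest is still `t.Run("GetBigQueryExportsBucketURL", ...)` and the local is still `bigqueryExportsBucketURL`, so a failure report points at a function that no longer exists. `t.Run("GetAPIResultsBucketURL", func(t *testing.T) {`, `envVar := apiResultsBucketURL` and `os.Unsetenv(envVar)` keep the test aligned with the code under test.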
@@ -43,12 +43,17 @@ import (
 "github.com/ossf/scorecard/v4/stats"
 )
+const (
+ resultsFile = "results.json"
+ rawResultsFile = "raw.json"
+)
+
 var ignoreRuntimeErrors = flag.Bool("ignoreRuntimeErrors", false, "if set to true any runtime errors will be ignored")
 // nolint: gocognit
 func processRequest(ctx context.Context,
 batchRequest *data.ScorecardBatchRequest,
- blacklistedChecks []string, bucketURL, rawBucketURL, exportBucketURL string,
+ blacklistedChecks []string, bucketURL, rawBucketURL, apiBucketURL string,
 checkDocs docs.Doc,
 repoClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient,
 ciiClient clients.CIIBestPracticesClient,
@@ -139,10 +144,10 @@ func processRequest(ctx context.Context,
 if err := format.AsRawJSON(&result, &exportRawBuffer); err != nil {
 return fmt.Errorf("error during result.AsRawJSON for export: %w", err)
 }
- exportPath := fmt.Sprintf("%s/result.json", repo.URI())
- exportCommitSHAPath := fmt.Sprintf("%s/%s/result.json", repo.URI(), result.Repo.CommitSHA)
- exportRawPath := fmt.Sprintf("%s/raw.json", repo.URI())
- exportRawCommitSHAPath := fmt.Sprintf("%s/%s/raw.json", repo.URI(), result.Repo.CommitSHA)
+ exportPath := fmt.Sprintf("%s/%s", repo.URI(), resultsFile)
+ exportCommitSHAPath := fmt.Sprintf("%s/%s/%s", repo.URI(), result.Repo.CommitSHA, resultsFile)
+ exportRawPath := fmt.Sprintf("%s/%s", repo.URI(), rawResultsFile)
+ exportRawCommitSHAPath := fmt.Sprintf("%s/%s/%s", repo.URI(), result.Repo.CommitSHA, rawResultsFile)
 // Raw result.
 if err := format.AsRawJSON(&result, &rawBuffer); err != nil {
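Review bot: `resultsFile = "results.json"` silently renames the exported object from `result.json` (the removed lines) to `results.json`, so `<repo URI>/results.json` and `<repo URI>/<commit SHA>/results.json` no longer match what earlier runs wrote; if this is the bug the title refers to, the constants should say so, because anything still reading `result.json` from the bucket stops finding it. Assuming a downstream reader looks these objects up by name, as the bucket's name suggests, a comment such as `// Object names written under <repo URI>/ and <repo URI>/<commit SHA>/ in the API results bucket; consumers look them up by name, so renaming them is a breaking change.` belongs on the `const` block. processRequest's body extends beyond both hunks.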
@@ -150,18 +155,18 @@ func processRequest(ctx context.Context,
 }
 // These are results without the commit SHA which represents the latest commit.
- if err := data.WriteToBlobStore(ctx, exportBucketURL, exportPath, exportBuffer.Bytes()); err != nil {
+ if err := data.WriteToBlobStore(ctx, apiBucketURL, exportPath, exportBuffer.Bytes()); err != nil {
 return fmt.Errorf("error during writing to exportBucketURL: %w", err)
 }
 // Export result based on commitSHA.
- if err := data.WriteToBlobStore(ctx, exportBucketURL, exportCommitSHAPath, exportBuffer.Bytes()); err != nil {
+ if err := data.WriteToBlobStore(ctx, apiBucketURL, exportCommitSHAPath, exportBuffer.Bytes()); err != nil {
 return fmt.Errorf("error during exportBucketURL with commit SHA: %w", err)
 }
 // Export raw result.
- if err := data.WriteToBlobStore(ctx, exportBucketURL, exportRawPath, exportRawBuffer.Bytes()); err != nil {
+ if err := data.WriteToBlobStore(ctx, apiBucketURL, exportRawPath, exportRawBuffer.Bytes()); err != nil {
 return fmt.Errorf("error during writing to exportBucketURL for raw results: %w", err)
 }
- if err := data.WriteToBlobStore(ctx, exportBucketURL, exportRawCommitSHAPath, exportRawBuffer.Bytes()); err != nil {
+ if err := data.WriteToBlobStore(ctx, apiBucketURL, exportRawCommitSHAPath, exportRawBuffer.Bytes()); err != nil {
 return fmt.Errorf("error during exportBucketURL for raw results with commit SHA: %w", err)
 }
 }
@@ -238,7 +243,7 @@ func main() {
 panic(err)
 }
- exportBucketURL, err := config.GetBQExportResultsBucketURL()
+ apiBucketURL, err := config.GetAPIResultsBucketURL()
 if err != nil {
 panic(err)
 }
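Review bot: The four error strings around the rewritten `WriteToBlobStore` calls still say `exportBucketURL` although the parameter is now `apiBucketURL`, so a logged failure names a variable that no longer exists; e.g. `return fmt.Errorf("error during writing to apiBucketURL: %w", err)` and likewise for the other three. The "error during" prefix is also redundant once the error is wrapped with `%w` further up. processRequest continues outside the hunk.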
@@ -278,7 +283,7 @@ func main() {
 break
 }
 if err := processRequest(ctx, req, blacklistedChecks,
- bucketURL, rawBucketURL, exportBucketURL, checkDocs,
+ bucketURL, rawBucketURL, apiBucketURL, checkDocs,
 repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, logger); err != nil {
 // TODO(log): Previously Warn. Consider logging an error here.
 logger.Info(fmt.Sprintf("error processing request: %v", err))
From 7de97139f6c98abff9b09c3d1a3065b71f707d00 Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Mon, 1 Aug 2022 10:58:46 -0700 Subject: [PATCH 22/22] =?UTF-8?q?=E2=9C=A8=20Enhancement:=20adding=20new?= =?UTF-8?q?=20entries=20for=20GH=20actions=20&=20Pub=20as=20ecosystems,=20?= =?UTF-8?q?typo=20fixes=20(#2109)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * save * save * Update mapping.go * save * save * save --- dependencydiff/dependencydiff.go | 22 +--------------- dependencydiff/dependencydiff_test.go | 16 +++++++----- dependencydiff/mapping.go | 37 ++++++++++++++++++++++++++- 3 files changed, 47 insertions(+), 28 deletions(-)
diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go
index 5d77f341c7c..37aa419b29c 100644
--- a/dependencydiff/dependencydiff.go
+++ b/dependencydiff/dependencydiff.go
@@ -79,7 +79,7 @@ func GetDependencyDiffResults(
 if err != nil {
 return nil, fmt.Errorf("error in fetchRawDependencyDiffData: %w", err)
 }
- // Map the ecosystem naming convention from GitHub to OSV.
+ // Map the ecosystem naming convention from GitHub to OSV.
 err = mapDependencyEcosystemNaming(dCtx.dependencydiffs)
 if err != nil {
 return nil, fmt.Errorf("error in mapDependencyEcosystemNaming: %w", err)
@@ -91,22 +91,6 @@ func GetDependencyDiffResults(
 return dCtx.results, nil
 }
-func mapDependencyEcosystemNaming(deps []dependency) error {
- for i := range deps {
- if deps[i].Ecosystem == nil {
- continue
- }
- mappedEcosys, err := toEcosystem(*deps[i].Ecosystem)
- if err != nil {
- wrappedErr := fmt.Errorf("error mapping dependency ecosystem: %w", err)
- return wrappedErr
- }
- deps[i].Ecosystem = asPointer(string(mappedEcosys))
-
- }
- return nil
-}
-
 func initRepoAndClientByChecks(dCtx *dependencydiffContext, dSrcRepo string) error {
 repo, repoClient, ossFuzzClient, ciiClient, vulnsClient, err := checker.GetClients(
 dCtx.ctx, dSrcRepo, "", dCtx.logger,
@@ -192,7 +176,3 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error {
 }
 return nil
 }
-
-func asPointer(s string) *string {
- return &s
-}
diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go
index d8f4694351b..75814ec79e2 100644
--- a/dependencydiff/dependencydiff_test.go
+++ b/dependencydiff/dependencydiff_test.go
@@ -21,7 +21,7 @@ import (
 "testing"
 "github.com/ossf/scorecard/v4/clients"
- "github.com/ossf/scorecard/v4/log"
+ sclog "github.com/ossf/scorecard/v4/log"
 )
 // Test_fetchRawDependencyDiffData is a test function for fetchRawDependencyDiffData.
@@ -37,7 +37,7 @@ func Test_fetchRawDependencyDiffData(t *testing.T) {
 {
 name: "error response",
 dCtx: dependencydiffContext{
- logger: log.NewLogger(log.InfoLevel),
+ logger: sclog.NewLogger(sclog.InfoLevel),
 ctx: context.Background(),
 ownerName: "no_such_owner",
 repoName: "repo_not_exist",
@@ -82,7 +82,7 @@ func Test_initRepoAndClientByChecks(t *testing.T) {
 {
 name: "error creating repo",
 dCtx: dependencydiffContext{
- logger: log.NewLogger(log.InfoLevel),
+ logger: sclog.NewLogger(sclog.InfoLevel),
 ctx: context.Background(),
 checkNamesToRun: []string{},
 },
@@ -140,7 +140,7 @@ func Test_getScorecardCheckResults(t *testing.T) {
 name: "empty response",
 dCtx: dependencydiffContext{
 ctx: context.Background(),
- logger: log.NewLogger(log.InfoLevel),
+ logger: sclog.NewLogger(sclog.InfoLevel),
 ownerName: "owner_not_exist",
 repoName: "repo_not_exist",
 },
@@ -187,10 +187,10 @@ func Test_mapDependencyEcosystemNaming(t *testing.T) {
 deps: []dependency{
 {
 Name: "dependency_3",
- Ecosystem: asPointer("actions"),
+ Ecosystem: asPointer("foobar"),
 },
 },
- errWanted: errInvalid,
+ errWanted: errMappingNotFound,
 },
 {
 name: "correct mapping",
@@ -207,6 +207,10 @@ func Test_mapDependencyEcosystemNaming(t *testing.T) {
 Name: "dependency_6",
 Ecosystem: asPointer("cargo"),
 },
+ {
+ Name: "dependency_7",
+ Ecosystem: asPointer("actions"),
+ },
 },
 },
 }
diff --git a/dependencydiff/mapping.go b/dependencydiff/mapping.go
index 445676b3b6b..05181e55587 100644
--- a/dependencydiff/mapping.go
+++ b/dependencydiff/mapping.go
@@ -52,7 +52,7 @@ const (
 ecosystemMaven ecosystem = "Maven"
 // The NuGet package ecosystem.
- ecosystemNuGet ecosystem = "Nuget"
+ ecosystemNuGet ecosystem = "NuGet"
 // The Linux kernel.
 ecosystemLinux ecosystem = "Linux" // nolint:unused
@@ -63,6 +63,15 @@ const (
 // Hex is the package manager of Erlang.
 // TODO: GitHub doesn't support hex as the ecosystem for Erlang yet. Add this to the map in the future.
 ecosystemHex ecosystem = "Hex" // nolint:unused
+
+ // GitHub Actions is an ecosystem for the GitHub Actions.
+ ecosystemActions ecosystem = "GitHub Actions"
+
+ // Pub is the official package repository for Dart and Flutter apps.
+ ecosystemPub ecosystem = "Pub" // nolint:unused
+
+ // Ecosystems with a "nolint" tag suggests GitHub hasn't gotten them supported yet.
+ // We need to add them to the below hashmap in a timely manner once GitHub adds supports.
 )
 var (
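Review bot: The trailing comment `// Ecosystems with a "nolint" tag suggests GitHub hasn't gotten them supported yet.` sits after the last constant inside the `const (` block, where it attaches to nothing, and its grammar is off; moving it to the top of the block and rewording it to `// Constants marked "nolint:unused" are ecosystems GitHub does not report yet; add them to gitHubToOSV once it does.` puts the convention where a reader adding an entry will see it. `// GitHub Actions is an ecosystem for the GitHub Actions.` is circular; `// GitHub Actions is the OSV ecosystem name for GitHub Actions.` says what the value is, since the map it feeds is `gitHubToOSV`. The const block starts before the hunk.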
@@ -78,12 +87,38 @@ var (
 "composer": ecosystemPackagist,
 "rubygems": ecosystemRubyGems,
 "nuget": ecosystemNuGet,
+ "actions": ecosystemActions,
 }
 )
+func mapDependencyEcosystemNaming(deps []dependency) error {
+ for i := range deps {
+ // Since we allow a dependency's ecosystem to be nil, so skip those nil ones and only map
+ // those valid ones.
+ if deps[i].Ecosystem == nil {
+ continue
+ }
+ mappedEcosys, err := toEcosystem(*deps[i].Ecosystem)
+ if err != nil {
+ // Iff. the ecosystem is not empty and the mapping entry is not found, we will return an error.
+ return fmt.Errorf("error mapping dependency ecosystem: %w", err)
+ }
+ deps[i].Ecosystem = asPointer(string(mappedEcosys))
+
+ }
+ return nil
+}
+
+// Note: the current implementation directly returns an error if the mapping entry is not found in the above hashmap.
+// GitHub might update their ecosystem names frequently, so we might also need to update the above map in a timely
+// manner for the dependency-diff feature not to fail because of the "mapping not found" error.
 func toEcosystem(e string) (ecosystem, error) {
 if ecosystemOSV, found := gitHubToOSV[e]; found {
 return ecosystemOSV, nil
 }
 return "", fmt.Errorf("%w for github entry %s", errMappingNotFound, e)
 }
+
+func asPointer(s string) *string {
+ return &s
+}
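Review bot: The comment `// Iff. the ecosystem is not empty and the mapping entry is not found, we will return an error.` misstates the condition: the guard above skips only a nil `Ecosystem`, so an empty string reaches `toEcosystem` and fails with `errMappingNotFound` as well; `// A non-nil ecosystem (the empty string included) with no entry in gitHubToOSV is an error.` matches the code. The loop comment `// Since we allow a dependency's ecosystem to be nil, so skip those nil ones ...` reads better as `// A nil ecosystem is allowed; only non-nil ones are mapped.`, and the blank line before the loop's closing brace can go. In `toEcosystem` the GitHub-supplied value is formatted with `%s`; `return "", fmt.Errorf("%w for github entry %q", errMappingNotFound, e)` makes an empty or whitespace-only value visible in the error message.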