⚠️ Add ProjectPackageVersions to raw data collection

checker/raw_result.go

@@ -88,6 +88,17 @@ type Package struct {
 	Runs []Run
 }
 
+type PackageProvenance struct {
+	Commit     string
+	IsVerified bool
+}
+type ProjectPackages struct {
+	System         string
+	Name           string
+	Version        string
+	SLSAProvenance PackageProvenance
+}
+
 // DependencyUseType represents a type of dependency use.
 type DependencyUseType string
 
@@ -287,6 +298,7 @@ type BinaryArtifactData struct {
 // for the Signed-Releases check.
 type SignedReleasesData struct {
 	Releases []clients.Release
+	Packages []ProjectPackages
 }
 
 // DependencyUpdateToolData contains the raw results

checks/raw/code_review.go

@@ -39,10 +39,6 @@ func CodeReview(c clients.RepoClient) (checker.CodeReviewData, error) {
 
 	changesets := getChangesets(commits)
 
-	if err != nil {
-		return checker.CodeReviewData{}, fmt.Errorf("%w", err)
-	}
-
 	return checker.CodeReviewData{
 		DefaultBranchChangesets: changesets,
 	}, nil

checks/raw/signed_releases.go

@@ -27,7 +27,32 @@ func SignedReleases(c *checker.CheckRequest) (checker.SignedReleasesData, error)
 		return checker.SignedReleasesData{}, fmt.Errorf("%w", err)
 	}
 
+	versions, err := c.ProjectClient.GetProjectPackageVersions(c.Ctx, c.Repo.Host(), c.Repo.Path())
+	if err != nil {
+		return checker.SignedReleasesData{}, fmt.Errorf("GetProjectPackageVersions: %w", err)
+	}
+
+	pkgs := []checker.ProjectPackages{}
+	for _, v := range versions.Versions {
+		prov := checker.PackageProvenance{}
+
+		if len(v.SLSAProvenances) > 0 {
+			prov = checker.PackageProvenance{
+				Commit:     v.SLSAProvenances[0].Commit,
+				IsVerified: v.SLSAProvenances[0].Verified,
+			}
+		}
+
+		pkgs = append(pkgs, checker.ProjectPackages{
+			System:         v.VersionKey.System,
+			Name:           v.VersionKey.Name,
+			Version:        v.VersionKey.Version,
+			SLSAProvenance: prov,
+		})
+	}
+
 	return checker.SignedReleasesData{
 		Releases: releases,
+		Packages: pkgs,
 	}, nil
 }

checks/signed_releases_test.go

@@ -15,6 +15,7 @@
 package checks
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"testing"
@@ -24,6 +25,7 @@ import (
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/clients"
 	mockrepo "github.com/ossf/scorecard/v5/clients/mockclients"
+	"github.com/ossf/scorecard/v5/internal/packageclient"
 	scut "github.com/ossf/scorecard/v5/utests"
 )
 
@@ -435,8 +437,8 @@ func TestSignedRelease(t *testing.T) {
 
 			ctrl := gomock.NewController(t)
 
-			mockRepo := mockrepo.NewMockRepoClient(ctrl)
-			mockRepo.EXPECT().ListReleases().DoAndReturn(
+			mockRepoC := mockrepo.NewMockRepoClient(ctrl)
+			mockRepoC.EXPECT().ListReleases().DoAndReturn(
 				func() ([]clients.Release, error) {
 					if tt.err != nil {
 						return nil, tt.err
@@ -445,8 +447,30 @@ func TestSignedRelease(t *testing.T) {
 				},
 			).MinTimes(1)
 
+			mockRepo := mockrepo.NewMockRepo(ctrl)
+			mockRepo.EXPECT().Host().DoAndReturn(
+				func() string {
+					return ""
+				},
+			).AnyTimes()
+			mockRepo.EXPECT().Path().DoAndReturn(
+				func() string {
+					return ""
+				},
+			).AnyTimes()
+
+			mockPkgC := mockrepo.NewMockProjectPackageClient(ctrl)
+			mockPkgC.EXPECT().GetProjectPackageVersions(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
+				func(ctx context.Context, host, project string) (*packageclient.ProjectPackageVersions, error) {
+					v := packageclient.ProjectPackageVersions{}
+					return &v, nil
+				},
+			).AnyTimes()
+
 			req := checker.CheckRequest{
-				RepoClient: mockRepo,
+				RepoClient:    mockRepoC,
+				Repo:          mockRepo,
+				ProjectClient: mockPkgC,
 			}
 			req.Dlogger = &scut.TestDetailLogger{}
 			res := SignedReleases(&req)

clients/githubrepo/repo.go

@@ -132,3 +132,8 @@ func MakeGithubRepo(input string) (clients.Repo, error) {
 	}
 	return &repo, nil
 }
+
+// Path() implements RepoClient.Path.
+func (r *repoURL) Path() string {
+	return fmt.Sprintf("%s/%s", r.owner, r.repo)
+}

clients/gitlabrepo/repo.go

@@ -165,6 +165,11 @@ func (r *repoURL) Metadata() []string {
 	return r.metadata
 }
 
+// Path() implements RepoClient.Path.
+func (r *repoURL) Path() string {
+	return fmt.Sprintf("%s/%s", r.owner, r.project)
+}
+
 // MakeGitlabRepo takes input of forms in parse and returns and implementation
 // of clients.Repo interface.
 func MakeGitlabRepo(input string) (clients.Repo, error) {

clients/localdir/repo.go

@@ -69,6 +69,11 @@ func (r *repoLocal) AppendMetadata(m ...string) {
 	r.metadata = append(r.metadata, m...)
 }
 
+// Path() implements RepoClient.Path.
+func (r *repoLocal) Path() string {
+	return r.path
+}
+
 // MakeLocalDirRepo returns an implementation of clients.Repo interface.
 func MakeLocalDirRepo(pathfn string) (clients.Repo, error) {
 	p := path.Clean(pathfn)

clients/repo.go

@@ -16,9 +16,15 @@ package clients
 
 // Repo interface uniquely identifies a repo.
 type Repo interface {
+	// Path returns the specifier of the repository within its forge
+	Path() string
+	// URI returns the fully qualified address of the repository
 	URI() string
+	// Host returns the web domain of the repository
 	Host() string
+	// String returns a string representation of the repository URI
 	String() string
+	// IsValid returns whether the repository provided is a real URI
 	IsValid() error
 	Metadata() []string
 	AppendMetadata(metadata ...string)