Scorecard Integration #1294
Scorecard Integration #1294
Conversation
developed functions to check for availability nexB#598 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…aving logic nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…exB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
… nexB#598 Signed-off-by: 404-geek <[email protected]>
…ecard_integration
…up.cfg nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…gration # Conflicts: # scanpipe/models.py # scanpipe/tests/test_models.py
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
| ) | ||
|
|
||
| @classmethod | ||
| @transaction.atomic() |
There was a problem hiding this comment.
@404-geek Could you provide an example that shows why atomic() is useful here?
| if not scorecard.is_available(): | ||
| raise Exception("scorecode service is not available.") | ||
|
|
||
| def lookup_save_packages_scorecode_info(self): |
There was a problem hiding this comment.
fetch_packages_scorecode_info would be better.
…#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
|
@404-geek can you check the failing tests? |
|
Hey @404-geek , what's your latest status on this PR? Any chances we can complete and merge it before it diverges too much from the main branch? |
Hi @tdruez, I’m planning to have this PR ready by next week. Most of the requested changes have been addressed; I just need to add a few test cases before pushing the final version. |
Signed-off-by: 404-geek <[email protected]>
…ecard_integration
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
| migrations.AlterField( | ||
| model_name='project', | ||
| name='purl', | ||
| field=models.CharField(blank=True, help_text="Package URL (PURL) for the project, required for pushing the project's scan result to FederatedCode. For example, if the input is an input URL like https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz, the corresponding PURL would be pkg:npm/[email protected].", max_length=2048), | ||
| ), |
There was a problem hiding this comment.
Why is this field impacted by this PR?
| def __str__(self): | ||
| return self.score or str(self.uuid) | ||
|
|
There was a problem hiding this comment.
Follow the conventions used across the existing Models:
- Fields
- class Meta
- str
| ) | ||
|
|
||
| @classmethod | ||
| @transaction.atomic() |
There was a problem hiding this comment.
@404-geek You haven't address the question above yet ;)
|
|
||
|
|
||
| class ScorecardCheck(UUIDPKModel, ScorecardChecksMixin): | ||
| def __str__(self): |
There was a problem hiding this comment.
Follow the conventions used across the existing Models:
- Fields
- class Meta
- str
| blank=True, | ||
| null=True, |
There was a problem hiding this comment.
Can a DiscoveredPackageScore instance really exists without a DiscoveredPackage FK defined?
| def check_scorecode_service_availability(self): | ||
| """Check if the scorecode service is configured and available.""" | ||
| if not ossf_scorecard.is_available(): | ||
| raise Exception("scorecode service is not available.") |
There was a problem hiding this comment.
Use ScoreCode case for consistency.
| @@ -284,3 +286,10 @@ def make_dependency(project, **extra): | |||
| "license_key": "mpl-2.0", | |||
| }, | |||
| } | |||
|
|
|||
| scorecard_data = None | |||
There was a problem hiding this comment.
That line seems unnecessary.
| data = Path(__file__).parent / "data" | ||
|
|
||
| with open(f"{data}/scorecode/scorecard_response.json") as file: | ||
| scorecard_data = json.load(file) |
There was a problem hiding this comment.
This should not be loaded in the module init but as needed in the test function context.
| @@ -2477,6 +2481,29 @@ def test_scanpipe_codebase_resource_queryset_elfs(self): | |||
| self.assertTrue("e" in paths) | |||
| self.assertTrue("a" in paths) | |||
|
|
|||
| def test_scorecard_models(self): | |||
There was a problem hiding this comment.
The name of this function does not follow existing conventions.
|
|
||
| run = project1.add_pipeline(pipeline_name) | ||
| pipeline = run.make_pipeline_instance() | ||
| # mock_is_configured.return_value = True |
ScoreCode Integration
This pull request integrates the ScoreCode Repo into SCIO, enabling the fetching of the latest OSSF Scorecard Data for
discovered packagesusing theirvcs_url. The current implementation supportsgithub.comandgitlab.comVCS URLs.Key Features:
vcs_urlgithub.comandgitlab.comVCS URLsRelated Issues:
This feature enhances SCIO's functionality by ensuring that users can retrieve the most up-to-date security scores for packages discovered in their projects, improving overall security assessment and management.