Added scorecard pipeline to SCIO with intergration test nexB#1283

Signed-off-by: 404-geek <[email protected]>
404-geek · Jul 28, 2024 · df50416 · df50416
1 parent 5812d97
commit df50416
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 16 deletions.
diff --git a/scancodeio/settings.py b/scancodeio/settings.py
@@ -418,7 +418,3 @@
 MATCHCODEIO_USER = env.str("MATCHCODEIO_USER", default="")
 MATCHCODEIO_PASSWORD = env.str("MATCHCODEIO_PASSWORD", default="")
 MATCHCODEIO_API_KEY = env.str("MATCHCODEIO_API_KEY", default="")
-
-# OpenSSF ScoreCard Integration
-
-SCORECARD_URL = env.str("SCORECARD_URL", default="")
diff --git a/scanpipe/pipelines/get_scorecard_info_packages.py b/scanpipe/pipelines/get_scorecard_info_packages.py
@@ -28,21 +28,28 @@
 
 class FetchScoreCodeInfo(Pipeline):
     """
-        Pipeline to fetch ScoreCode information for packages and dependencies.
+    Pipeline to fetch ScoreCode information for packages and dependencies.
 
-        This pipeline retrieves ScoreCode data for each package and dependency
-        in the project and stores it in the corresponding package and dependency
-        instances.
+    This pipeline retrieves ScoreCode data for each package in the project and
+    stores it in the corresponding package instances
 
-        Attributes:
-            download_inputs (bool): Indicates whether inputs should be downloaded.
-            is_addon (bool): Indicates whether this pipeline is an add-on.
+    Attributes
+    ----------
+        download_inputs (bool): Indicates whether inputs should be downloaded.
+        is_addon (bool): Indicates whether this pipeline is an add-on.
 
-        Methods:
-            steps(cls):
-                Defines the steps for the pipeline.
+    Methods
+    -------
+        steps(cls):
+            Defines the steps for the pipeline.
+
+        check_scorecode_service_availability(self):
+            Checks if the ScoreCode service is configured and available.
+
+        lookup_save_packages_scorecode_info(self):
+            Fetches ScoreCode information for each discovered package in the project
+            and saves the information to the respective package instances.
 
-    scorecode data is stored on each package and dependency instance.
     """
 
     download_inputs = False

diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
@@ -1233,6 +1233,41 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration(
         expected = vulnerability_data[0]["affected_by_vulnerabilities"]
         self.assertEqual(expected, package1.affected_by_vulnerabilities)
 
+    @mock.patch("ossf_scorecard.scorecard.is_available")
+    @mock.patch("ossf_scorecard.scorecard.is_configured")
+    def test_scanpipe_get_scorecard_info_packages_integration(
+        self, mock_is_configured, mock_is_available
+    ):
+        pipeline_name = "get_scorecard_info_packages"
+        project1 = Project.objects.create(name="Analysis")
+        package1 = DiscoveredPackage.create_from_data(project1, package_data1)
+        package1.vcs_url = "https://github.com/nexB/scancode-toolkit"
+        package1.save()
+
+        run = project1.add_pipeline(pipeline_name)
+        pipeline = run.make_pipeline_instance()
+        mock_is_configured.return_value = False
+        mock_is_available.return_value = False
+        exitcode, out = pipeline.execute()
+        self.assertEqual(1, exitcode, msg=out)
+        self.assertIn("scorecode service is not configured.", out)
+
+        run = project1.add_pipeline(pipeline_name)
+        pipeline = run.make_pipeline_instance()
+        mock_is_configured.return_value = True
+        mock_is_available.return_value = True
+
+        exitcode, out = pipeline.execute()
+        self.assertEqual(0, exitcode, msg=out)
+
+        package1.refresh_from_db()
+        self.assertIsNotNone(
+            package1.discovered_packages_score.filter(scoring_tool="OSSF")[0].score,
+            msg=out,
+        )
+
+        self.assertEqual("https://github.com/nexB/scancode-toolkit", package1.vcs_url)
+
     def test_scanpipe_resolve_dependencies_pipeline_integration(self):
         pipeline_name = "resolve_dependencies"
         project1 = Project.objects.create(name="Analysis")

diff --git a/setup.cfg b/setup.cfg
@@ -99,7 +99,7 @@ install_requires =
     # MatchCode-toolkit
     matchcode-toolkit==5.1.0
     # ScoreCode
-    ScoreCode[full] @ git+https://github.com/nexB/ScoreCode.git@1fa09b5ecdcc7813600e69bce38d42ed53cb364d
+    ScoreCode[full] @ git+https://github.com/nexB/ScoreCode.git@0ab078f18d83684c3a920095bcec8664d44cf028
     # Univers
     univers==30.11.0
     # Markdown
@@ -139,6 +139,7 @@ scancodeio_pipelines =
     collect_symbols_tree_sitter = scanpipe.pipelines.collect_symbols_tree_sitter:CollectSymbolsTreeSitter
     enrich_with_purldb = scanpipe.pipelines.enrich_with_purldb:EnrichWithPurlDB
     find_vulnerabilities = scanpipe.pipelines.find_vulnerabilities:FindVulnerabilities
+    get_scorecard_info_packages = scanpipe.pipelines.get_scorecard_info_packages:FetchScoreCodeInfo
     inspect_elf_binaries = scanpipe.pipelines.inspect_elf_binaries:InspectELFBinaries
     inspect_packages = scanpipe.pipelines.inspect_packages:InspectPackages
     load_inventory = scanpipe.pipelines.load_inventory:LoadInventory