scorecard: Initial copy of scorecard command logic

Signed-off-by: Stephen Augustus <[email protected]>
ossf · Feb 16, 2022 · cc9921c · cc9921c
1 parent cff7d01
commit cc9921c
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 10 deletions.
diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/ossf/scorecard/v4 v4.0.2-0.20220216001345-ba503c3bee01
 	github.com/rs/zerolog v1.26.1
 	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
+	github.com/spf13/cobra v1.3.0
 	gocloud.dev v0.24.0
 	gopkg.in/yaml.v2 v2.4.0
 )

diff --git a/go.sum b/go.sum
@@ -878,6 +878,7 @@ github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
@@ -1059,6 +1060,7 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -1267,13 +1269,15 @@ github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKv
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
 github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
@@ -1351,8 +1355,11 @@ github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/go-gitlab v0.32.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f h1:mvXjJIHRZyhNuGassLTcXTwjiWq7NmjdavZsUnmFybQ=
 github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=

diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
@@ -20,16 +20,20 @@ import (
 	"github.com/ossf/allstar/pkg/policies/binary"
 	"github.com/ossf/allstar/pkg/policies/branch"
 	"github.com/ossf/allstar/pkg/policies/outside"
+	"github.com/ossf/allstar/pkg/policies/scorecard"
 	"github.com/ossf/allstar/pkg/policies/security"
 	"github.com/ossf/allstar/pkg/policydef"
 )
 
 // GetPolicies returns a slice of all policies in Allstar.
 func GetPolicies() []policydef.Policy {
 	return []policydef.Policy{
+		// TODO(scorecard): Deprecate Binary Artifacts check once Scorecard check
+		//                  is working
 		binary.NewBinary(),
 		branch.NewBranch(),
 		outside.NewOutside(),
 		security.NewSecurity(),
+		scorecard.NewScorecard(),
 	}
 }
diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go
@@ -18,15 +18,25 @@ package scorecard
 import (
 	"context"
 	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/google/go-github/v39/github"
+	"github.com/rs/zerolog/log"
 
 	"github.com/ossf/allstar/pkg/config"
 	"github.com/ossf/allstar/pkg/policydef"
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
-	"github.com/ossf/scorecard/v4/clients/githubrepo"
-
-	"github.com/google/go-github/v39/github"
-	"github.com/rs/zerolog/log"
+	"github.com/ossf/scorecard/v4/clients"
+	screpo "github.com/ossf/scorecard/v4/clients/githubrepo"
+	docs "github.com/ossf/scorecard/v4/docs/checks"
+	"github.com/ossf/scorecard/v4/format"
+	sclog "github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/options"
+	"github.com/ossf/scorecard/v4/pkg"
+	"github.com/ossf/scorecard/v4/policy"
 )
 
 const configFile = "scorecard.yaml"
@@ -107,18 +117,88 @@ func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
 		}, nil
 	}
 
-	scRepoArg := fmt.Sprintf("%s/%s", owner, repo)
-	scRepo, err := githubrepo.MakeGithubRepo(scRepoArg)
+	// TODO(scorecard): Configure options
+	scOpts := options.New()
+	scOpts.Repo = fmt.Sprintf("%s/%s", owner, repo)
+
+	// TODO(scorecard): Read policy
+	pol, err := policy.ParseFromFile(scOpts.PolicyFile)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("readPolicy: %v", err)
 	}
 
-	roundTripper := c.Client().Transport
-	repoClient := githubrepo.CreateGithubRepoClientWithTransport(ctx, roundTripper)
-	if err := repoClient.InitRepo(scRepo, defaultGitRef); err != nil {
+	logger := sclog.NewLogger(sclog.Level(scOpts.LogLevel))
+
+	// TODO(scorecard): Plumb roundtripper into clients
+	//roundTripper := c.Client().Transport
+
+	// TODO(scorecard): Fix ciiClient, vulnsClient
+	scRepo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := screpo.GetClients(
+		ctx, scOpts.Repo, scOpts.Local, logger)
+	if err != nil {
 		return nil, err
 	}
 	defer repoClient.Close()
+	if ossFuzzRepoClient != nil {
+		defer ossFuzzRepoClient.Close()
+	}
+
+	// TODO(scorecard): Read docs
+	checkDocs, err := docs.Read()
+	if err != nil {
+		return nil, fmt.Errorf("cannot read yaml file: %v", err)
+	}
+
+	// TODO(scorecard)
+	var requiredRequestTypes []checker.RequestType
+	if scOpts.Local != "" {
+		requiredRequestTypes = append(requiredRequestTypes, checker.FileBased)
+	}
+	if !strings.EqualFold(scOpts.Commit, clients.HeadSHA) {
+		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
+	}
+	enabledChecks, err := policy.GetEnabled(pol, scOpts.ChecksToRun, requiredRequestTypes)
+	if err != nil {
+		return nil, err
+	}
+
+	if scOpts.Format == options.FormatDefault {
+		for checkName := range enabledChecks {
+			fmt.Fprintf(os.Stderr, "Starting [%s]\n", checkName)
+		}
+	}
+
+	repoResult, err := pkg.RunScorecards(ctx, scRepo, scOpts.Commit, scOpts.Format == options.FormatRaw, enabledChecks, repoClient,
+		ossFuzzRepoClient, ciiClient, vulnsClient)
+	if err != nil {
+		return nil, err
+	}
+	repoResult.Metadata = append(repoResult.Metadata, scOpts.Metadata...)
+
+	// Sort them by name
+	sort.Slice(repoResult.Checks, func(i, j int) bool {
+		return repoResult.Checks[i].Name < repoResult.Checks[j].Name
+	})
+
+	if scOpts.Format == options.FormatDefault {
+		for checkName := range enabledChecks {
+			fmt.Fprintf(os.Stderr, "Finished [%s]\n", checkName)
+		}
+		fmt.Println("\nRESULTS\n-------")
+	}
+
+	resultsErr := format.FormatResults(
+		scOpts,
+		repoResult,
+		checkDocs,
+		pol,
+	)
+	if resultsErr != nil {
+		return nil, fmt.Errorf("failed to format results: %v", err)
+	}
+
+	// TODO(scorecard): Refactor below here
+
 	l := checker.NewLogger()
 	cr := &checker.CheckRequest{
 		Ctx:        ctx,