From cc9921c6c4f1a28e49ae1142b0d8e797e46c8881 Mon Sep 17 00:00:00 2001
From: Stephen Augustus
Date: Tue, 15 Feb 2022 22:09:19 -0500
Subject: [PATCH] scorecard: Initial copy of scorecard command logic

Signed-off-by: Stephen Augustus
---
 go.mod | 1 +
 go.sum | 7 ++
 pkg/policies/policies.go | 4 ++
 pkg/policies/scorecard/scorecard.go | 100 +++++++++++++++++++++++++---
 4 files changed, 102 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 1b070a00..99c5f209 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/ossf/scorecard/v4 v4.0.2-0.20220216001345-ba503c3bee01
 	github.com/rs/zerolog v1.26.1
 	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
+	github.com/spf13/cobra v1.3.0
 	gocloud.dev v0.24.0
 	gopkg.in/yaml.v2 v2.4.0
 )
diff --git a/go.sum b/go.sum
index 31086ec4..240ec929 100644
--- a/go.sum
+++ b/go.sum
@@ -878,6 +878,7 @@ github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
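Review bot: `github.com/spf13/cobra v1.3.0` lands in the direct require block of go.mod, yet none of the Go files touched by this patch import cobra; it is presumably pulled in transitively by the scorecard `options` package that scorecard.go now imports, in which case `go mod tidy` would record it as `github.com/spf13/cobra v1.3.0 // indirect` instead. The new `h1:` entries in go.sum for cobra, pflag, mousetrap, tablewriter and the gojsonschema modules are consistent with those modules now being compiled into the Allstar binary, so keeping the direct/indirect split accurate is what makes the real dependency surface reviewable. Re-running `go mod tidy` and committing its output would settle it.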
@@ -1059,6 +1060,7 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -1267,6 +1269,7 @@ github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKv
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
 github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
@@ -1274,6 +1277,7 @@ github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzu
 github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
@@ -1351,8 +1355,11 @@ github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/go-gitlab v0.32.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f h1:mvXjJIHRZyhNuGassLTcXTwjiWq7NmjdavZsUnmFybQ=
 github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
index b642d2c3..6e0727e7 100644
--- a/pkg/policies/policies.go
+++ b/pkg/policies/policies.go
@@ -20,6 +20,7 @@ import (
 	"github.com/ossf/allstar/pkg/policies/binary"
 	"github.com/ossf/allstar/pkg/policies/branch"
 	"github.com/ossf/allstar/pkg/policies/outside"
+	"github.com/ossf/allstar/pkg/policies/scorecard"
 	"github.com/ossf/allstar/pkg/policies/security"
 	"github.com/ossf/allstar/pkg/policydef"
 )
@@ -27,9 +28,12 @@ import (
 // GetPolicies returns a slice of all policies in Allstar.
 func GetPolicies() []policydef.Policy {
 	return []policydef.Policy{
+		// TODO(scorecard): Deprecate Binary Artifacts check once Scorecard check
+		// is working
 		binary.NewBinary(),
 		branch.NewBranch(),
 		outside.NewOutside(),
 		security.NewSecurity(),
+		scorecard.NewScorecard(),
 	}
 }
diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go
index 84d16b46..2bb6a1fb 100644
--- a/pkg/policies/scorecard/scorecard.go
+++ b/pkg/policies/scorecard/scorecard.go
@@ -18,15 +18,25 @@ package scorecard
 import (
 	"context"
 	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/google/go-github/v39/github"
+	"github.com/rs/zerolog/log"
 	"github.com/ossf/allstar/pkg/config"
 	"github.com/ossf/allstar/pkg/policydef"
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
-	"github.com/ossf/scorecard/v4/clients/githubrepo"
-
-	"github.com/google/go-github/v39/github"
-	"github.com/rs/zerolog/log"
+	"github.com/ossf/scorecard/v4/clients"
+	screpo "github.com/ossf/scorecard/v4/clients/githubrepo"
+	docs "github.com/ossf/scorecard/v4/docs/checks"
+	"github.com/ossf/scorecard/v4/format"
+	sclog "github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/options"
+	"github.com/ossf/scorecard/v4/pkg"
+	"github.com/ossf/scorecard/v4/policy"
 )
 
 const configFile = "scorecard.yaml"
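Review bot: `scorecard.NewScorecard()` is added to the default policy list, so the scorecard policy runs for every installation as soon as this lands, while the Check it invokes (see the scorecard.go hunk further down) still carries TODOs for reading the policy file from default options and for plumbing the installation transport into the scorecard clients. Until those are resolved it would be safer to leave the registration out, or at least to say so next to it, e.g. `// TODO(scorecard): remove once Check uses the installation transport and a configured policy`. The TODO placed above `binary.NewBinary()` also reads as if it applied to that line; moving it to the top of the slice or next to the `scorecard.NewScorecard()` entry would make its scope clearer.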
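Review bot: `os` is imported here only so that Check can write `Starting [...]`/`Finished [...]` lines to os.Stderr and the results banner to stdout via fmt (visible in the next hunk); this package runs inside the Allstar service rather than as a CLI, so that output bypasses the zerolog `log` import kept in the same block and will interleave unstructured text from concurrent policy runs. Routing those messages through `log.Info().Msgf(...)` (or dropping them, since `format.FormatResults` already renders the result) would let `os` be removed again. The remaining new imports (`clients`, `screpo`, `docs`, `format`, `sclog`, `options`, `pkg`, `policy`) match the copied CLI flow and look fine.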
@@ -107,18 +117,88 @@ func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
 		}, nil
 	}
-	scRepoArg := fmt.Sprintf("%s/%s", owner, repo)
-	scRepo, err := githubrepo.MakeGithubRepo(scRepoArg)
+	// TODO(scorecard): Configure options
+	scOpts := options.New()
+	scOpts.Repo = fmt.Sprintf("%s/%s", owner, repo)
+
+	// TODO(scorecard): Read policy
+	pol, err := policy.ParseFromFile(scOpts.PolicyFile)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("readPolicy: %v", err)
 	}
-	roundTripper := c.Client().Transport
-	repoClient := githubrepo.CreateGithubRepoClientWithTransport(ctx, roundTripper)
-	if err := repoClient.InitRepo(scRepo, defaultGitRef); err != nil {
+	logger := sclog.NewLogger(sclog.Level(scOpts.LogLevel))
+
+	// TODO(scorecard): Plumb roundtripper into clients
+	//roundTripper := c.Client().Transport
+
+	// TODO(scorecard): Fix ciiClient, vulnsClient
+	scRepo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := screpo.GetClients(
+		ctx, scOpts.Repo, scOpts.Local, logger)
+	if err != nil {
 		return nil, err
 	}
 	defer repoClient.Close()
+	if ossFuzzRepoClient != nil {
+		defer ossFuzzRepoClient.Close()
+	}
+
+	// TODO(scorecard): Read docs
+	checkDocs, err := docs.Read()
+	if err != nil {
+		return nil, fmt.Errorf("cannot read yaml file: %v", err)
+	}
+
+	// TODO(scorecard)
+	var requiredRequestTypes []checker.RequestType
+	if scOpts.Local != "" {
+		requiredRequestTypes = append(requiredRequestTypes, checker.FileBased)
+	}
+	if !strings.EqualFold(scOpts.Commit, clients.HeadSHA) {
+		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
+	}
+	enabledChecks, err := policy.GetEnabled(pol, scOpts.ChecksToRun, requiredRequestTypes)
+	if err != nil {
+		return nil, err
+	}
+
+	if scOpts.Format == options.FormatDefault {
+		for checkName := range enabledChecks {
+			fmt.Fprintf(os.Stderr, "Starting [%s]\n", checkName)
+		}
+	}
+
+	repoResult, err := pkg.RunScorecards(ctx, scRepo, scOpts.Commit, scOpts.Format == options.FormatRaw, enabledChecks, repoClient,
+		ossFuzzRepoClient, ciiClient, vulnsClient)
+	if err != nil {
+		return nil, err
+	}
+	repoResult.Metadata = append(repoResult.Metadata, scOpts.Metadata...)
+
+	// Sort them by name
+	sort.Slice(repoResult.Checks, func(i, j int) bool {
+		return repoResult.Checks[i].Name < repoResult.Checks[j].Name
+	})
+
+	if scOpts.Format == options.FormatDefault {
+		for checkName := range enabledChecks {
+			fmt.Fprintf(os.Stderr, "Finished [%s]\n", checkName)
+		}
+		fmt.Println("\nRESULTS\n-------")
+	}
+
+	resultsErr := format.FormatResults(
+		scOpts,
+		repoResult,
+		checkDocs,
+		pol,
+	)
+	if resultsErr != nil {
+		return nil, fmt.Errorf("failed to format results: %v", err)
+	}
+
+	// TODO(scorecard): Refactor below here
+
 	l := checker.NewLogger()
 	cr := &checker.CheckRequest{
 		Ctx: ctx,