From e7d919891750b75c8875b0a4e178a249a7b3b8b6 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 15 Feb 2022 20:48:58 -0500 Subject: [PATCH 1/5] go.mod: Update to scorecard/v4@main Signed-off-by: Stephen Augustus --- go.mod | 2 +- go.sum | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 790f9d51..5bec3759 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/google/go-github/v39 v39.2.0 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 github.com/onsi/ginkgo v1.16.5 // indirect - github.com/ossf/scorecard/v4 v4.0.2-0.20220216001345-ba503c3bee01 + github.com/ossf/scorecard/v4 v4.1.1-0.20220227152949-d71866ca16b4 github.com/rs/zerolog v1.26.1 github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228 gocloud.dev v0.24.0 diff --git a/go.sum b/go.sum index 061dbaf1..c9d4487a 100644 --- a/go.sum +++ b/go.sum @@ -1071,8 +1071,9 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.0.0 h1:CcuG/HvWNkkaqCUpJifQY8z7qEMBJya6aLPx6ftGyjQ= github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.3 h1:e/3Cwtogj0HA+25nMP1jCMDIf8RtRYbGwGGuBIFztkc= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -1120,8 +1121,8 @@ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYr github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8= github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= -github.com/ossf/scorecard/v4 v4.0.2-0.20220216001345-ba503c3bee01 h1:kK2BOiZ+3m9LQXhP+8Ks4x3G4Gd5b12NbZQzu1kj/uM= -github.com/ossf/scorecard/v4 v4.0.2-0.20220216001345-ba503c3bee01/go.mod h1:g2KtlJZAfsm1A5pj05AgZXnIaiPYqAoJXZ1010FY9DA= +github.com/ossf/scorecard/v4 v4.1.1-0.20220227152949-d71866ca16b4 h1:LwuPOLzif3rEnB7Ta5PDmDPTxt5ld7dt5sS624jIztE= +github.com/ossf/scorecard/v4 v4.1.1-0.20220227152949-d71866ca16b4/go.mod h1:qs5PAO9RACLADHXR4jYFz18M6DlGre+Won6bmRWUnhE= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= 
@@ -1188,8 +1189,8 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1: github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8/go.mod h1:CGFX09Ci3pq9QZdj86B+VGIdNj4VyCo2iPOGS9esB/k= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/rhysd/actionlint v1.6.8 h1:li0691FNuuS3da2igfjMb9M58AgMXX7j9U5EgbCZFuc= -github.com/rhysd/actionlint v1.6.8/go.mod h1:0AA4pvZ2nrZHT6D86eUhieH2NFmLqhxrNex0NEa2A2g= +github.com/rhysd/actionlint v1.6.9 h1:8rQQ76o88zctUCzukt0A5O/FO003wTGbkLQuwQkMf9c= +github.com/rhysd/actionlint v1.6.9/go.mod h1:0AA4pvZ2nrZHT6D86eUhieH2NFmLqhxrNex0NEa2A2g= github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= 
@@ -2150,8 +2151,8 @@ modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= mvdan.cc/editorconfig v0.2.0/go.mod h1:lvnnD3BNdBYkhq+B4uBuFFKatfp02eB6HixDvEz91C0= mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= -mvdan.cc/sh/v3 v3.4.2 h1:d3TKODXfZ1bjWU/StENN+GDg5xOzNu5+C8AEu405E5U= -mvdan.cc/sh/v3 v3.4.2/go.mod h1:p/tqPPI4Epfk2rICAe2RoaNd8HBSJ8t9Y2DA9yQlbzY= +mvdan.cc/sh/v3 v3.4.3 h1:zbuKH7YH9cqU6PGajhFFXZY7dhPXcDr55iN/cUAqpuw= +mvdan.cc/sh/v3 v3.4.3/go.mod h1:p/tqPPI4Epfk2rICAe2RoaNd8HBSJ8t9Y2DA9yQlbzY= mvdan.cc/unparam v0.0.0-20190720180237-d51796306d8f/go.mod h1:4G1h5nDURzA3bwVMZIVpwbkw+04kSxk3rAtzlimaUJw= mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7/go.mod h1:HGC5lll35J70Y5v7vCGb9oLhHoScFwkHDJm/05RdSTc= nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= From 0066ebd5f33e4327583610b22b2e3110c543902b Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 15 Feb 2022 21:22:12 -0500 Subject: [PATCH 2/5] binary: Use scorecard `checker.NewLogger` Signed-off-by: Stephen Augustus --- pkg/policies/binary/binary.go | 45 ++++------------------------------- 1 file changed, 4 insertions(+), 41 deletions(-) diff --git a/pkg/policies/binary/binary.go b/pkg/policies/binary/binary.go index 8bd076cd..6a3a977a 100644 --- a/pkg/policies/binary/binary.go +++ b/pkg/policies/binary/binary.go 
@@ -81,43 +81,6 @@ func (b Binary) Name() string {
 return polName
 }
 
-// TODO(log): Replace once scorecard supports a constructor for new loggers.
-// This is a copy of the `DetailLogger` implementation at:
-// https://github.com/ossf/scorecard/blob/ba503c3bee014d97c38f3f5caaeb6977935a9272/checker/detail_logger_impl.go
-type logger struct {
- logs []checker.CheckDetail
-}
-
-func (l *logger) Info(msg *checker.LogMessage) {
- cd := checker.CheckDetail{
- Type: checker.DetailInfo,
- Msg: *msg,
- }
- l.logs = append(l.logs, cd)
-}
-
-func (l *logger) Warn(msg *checker.LogMessage) {
- cd := checker.CheckDetail{
- Type: checker.DetailWarn,
- Msg: *msg,
- }
- l.logs = append(l.logs, cd)
-}
-
-func (l *logger) Debug(msg *checker.LogMessage) {
- cd := checker.CheckDetail{
- Type: checker.DetailDebug,
- Msg: *msg,
- }
- l.logs = append(l.logs, cd)
-}
-
-func (l *logger) Flush() []checker.CheckDetail {
- ret := l.logs
- l.logs = nil
- return ret
-}
-
 // Check performs the policy check for this policy based on the
 // configuration stored in the org/repo, implementing policydef.Policy.Check()
 func (b Binary) Check(ctx context.Context, c *github.Client, owner,
@@ -157,15 +120,15 @@ func (b Binary) Check(ctx context.Context, c *github.Client, owner,
 return nil, err
 }
 defer repoClient.Close()
- l := logger{}
+ l := checker.NewLogger()
 cr := &checker.CheckRequest{
 Ctx: ctx,
 RepoClient: repoClient,
 Repo: scRepo,
- Dlogger: &l,
+ Dlogger: l,
 }
 
- // TODO, likely this should be a "scorecard" policy that runs multiple checks
+ // TODO(scorecard): Likely this should be a "scorecard" policy that runs multiple checks
 // here, and uses config to enable/disable checks.
 res := checks.BinaryArtifacts(cr)
 if res.Error2 != nil {
@@ -184,7 +147,7 @@ func (b Binary) Check(ctx context.Context, c *github.Client, owner,
 Pass: res.Score >= checker.MaxResultScore,
 NotifyText: notify,
 Details: details{
- Messages: l.logs,
+ Messages: l.Logs(),
 },
 }, nil
 }
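Review bot: `checker.NewLogger()` and `l.Logs()` are taken from scorecard at the pseudo-version this series pins in go.mod (`v4.1.1-0.20220227152949-d71866ca16b4` is an untagged commit on main, not a release), so the build now depends on API that presumably is not in any tagged scorecard release yet and may still change before one is cut. The deleted comment recorded exactly that kind of dependency (the link to the `ba503c3b` copy of `DetailLogger`); the replacement keeps no trace of it. Suggest a one-line note beside the call, e.g. `// checker.NewLogger/Logs() need the scorecard/v4 main pin in go.mod; re-pin to a tag once one includes them.`, so the pseudo-version is not "tidied" back to a release by accident. The enclosing `Check` starts and ends outside this hunk.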
From fcaa79b0649a944f19db96d180cd9e50b728240c Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 15 Feb 2022 21:28:16 -0500 Subject: [PATCH 3/5] policies: Stub scorecard policy from binary artifacts policy Signed-off-by: Stephen Augustus --- pkg/policies/scorecard/scorecard.go | 213 ++++++++++++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 pkg/policies/scorecard/scorecard.go diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go new file mode 100644 index 00000000..84d16b46 --- /dev/null +++ b/pkg/policies/scorecard/scorecard.go 
@@ -0,0 +1,213 @@
+// Copyright 2022 Allstar Authors
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package scorecard implements security policy checks from scorecard.
+package scorecard
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/ossf/allstar/pkg/config"
+ "github.com/ossf/allstar/pkg/policydef"
+ "github.com/ossf/scorecard/v4/checker"
+ "github.com/ossf/scorecard/v4/checks"
+ "github.com/ossf/scorecard/v4/clients/githubrepo"
+
+ "github.com/google/go-github/v39/github"
+ "github.com/rs/zerolog/log"
+)
+
+const configFile = "scorecard.yaml"
+const polName = "Scorecard"
+const defaultGitRef = "HEAD"
+
+// OrgConfig is the org-level config definition for this policy.
+type OrgConfig struct {
+ // OptConfig is the standard org-level opt in/out config, RepoOverride applies to all
+ // config.
+ OptConfig config.OrgOptConfig `yaml:"optConfig"`
+
+ // Action defines which action to take, default log, other: issue...
+ Action string `yaml:"action"`
+}
+
+// RepoConfig is the repo-level config for this policy.
+type RepoConfig struct {
+ // OptConfig is the standard repo-level opt in/out config.
+ OptConfig config.RepoOptConfig `yaml:"optConfig"`
+
+ // Action overrides the same setting in org-level, only if present.
+ Action *string `yaml:"action"`
+}
+
+type mergedConfig struct {
+ Action string
+}
+
+type details struct {
+ Messages []checker.CheckDetail
+}
+
+var configFetchConfig func(context.Context, *github.Client, string, string, string, bool, interface{}) error
+
+func init() {
+ configFetchConfig = config.FetchConfig
+}
+
+// Scorecard is the Scorecard Artifacts policy object, implements policydef.Policy.
+type Scorecard bool
+
+// NewScorecard returns a new Scorecard Artifacts policy.
+func NewScorecard() policydef.Policy {
+ var sc Scorecard
+ return sc
+}
+
+// Name returns the name of this policy, implementing policydef.Policy.Name()
+func (sc Scorecard) Name() string {
+ return polName
+}
+
+// Check performs the policy check for this policy based on the
+// configuration stored in the org/repo, implementing policydef.Policy.Check()
+func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
+ repo string) (*policydef.Result, error) {
+ oc, rc := getConfig(ctx, c, owner, repo)
+ enabled, err := config.IsEnabled(ctx, oc.OptConfig, rc.OptConfig, c, owner, repo)
+ if err != nil {
+ return nil, err
+ }
+ log.Info().
+ Str("org", owner).
+ Str("repo", repo).
+ Str("area", polName).
+ Bool("enabled", enabled).
+ Msg("Check repo enabled")
+ if !enabled {
+ // Don't run this policy unless enabled, as it is expensive. This is only
+ // checking enablement of policy, but not Allstar overall, this is ok for
+ // now.
+ return &policydef.Result{
+ Enabled: enabled,
+ Pass: true,
+ NotifyText: "Disabled",
+ Details: details{},
+ }, nil
+ }
+
+ scRepoArg := fmt.Sprintf("%s/%s", owner, repo)
+ scRepo, err := githubrepo.MakeGithubRepo(scRepoArg)
+ if err != nil {
+ return nil, err
+ }
+
+ roundTripper := c.Client().Transport
+ repoClient := githubrepo.CreateGithubRepoClientWithTransport(ctx, roundTripper)
+ if err := repoClient.InitRepo(scRepo, defaultGitRef); err != nil {
+ return nil, err
+ }
+ defer repoClient.Close()
+ l := checker.NewLogger()
+ cr := &checker.CheckRequest{
+ Ctx: ctx,
+ RepoClient: repoClient,
+ Repo: scRepo,
+ Dlogger: l,
+ }
+
+ // TODO(scorecard): Likely this should be a "scorecard" policy that runs multiple checks
+ // here, and uses config to enable/disable checks.
+ res := checks.BinaryArtifacts(cr)
+ if res.Error2 != nil {
+ return nil, res.Error2
+ }
+
+ var notify string
+ if res.Score < checker.MaxResultScore {
+ notify = fmt.Sprintf("Scorecard Check Scorecard: %v\n"+
+ "Please run scorecard directly for details: https://github.com/ossf/scorecard\n",
+ res.Reason)
+ }
+
+ return &policydef.Result{
+ Enabled: enabled,
+ Pass: res.Score >= checker.MaxResultScore,
+ NotifyText: notify,
+ Details: details{
+ Messages: l.Logs(),
+ },
+ }, nil
+}
+
+// Fix implementing policydef.Policy.Fix(). Scorecard checks will not have a Fix option.
+func (sc Scorecard) Fix(ctx context.Context, c *github.Client, owner, repo string) error {
+ log.Warn().
+ Str("org", owner).
+ Str("repo", repo).
+ Str("area", polName).
+ Msg("Action fix is configured, but not implemented.")
+ return nil
+}
+
+// GetAction returns the configured action from this policy's configuration
+// stored in the org-level repo, default log. Implementing
+// policydef.Policy.GetAction()
+func (sc Scorecard) GetAction(ctx context.Context, c *github.Client, owner, repo string) string {
+ oc, rc := getConfig(ctx, c, owner, repo)
+ mc := mergeConfig(oc, rc, repo)
+ return mc.Action
+}
+
+// TODO(policies): Consider de-duping config functions across policies
+func getConfig(ctx context.Context, c *github.Client, owner, repo string) (*OrgConfig, *RepoConfig) {
+ oc := &OrgConfig{ // Fill out non-zero defaults
+ Action: "log",
+ }
+ if err := configFetchConfig(ctx, c, owner, "", configFile, true, oc); err != nil {
+ log.Error().
+ Str("org", owner).
+ Str("repo", repo).
+ Bool("orgLevel", true).
+ Str("area", polName).
+ Str("file", configFile).
+ Err(err).
+ Msg("Unexpected config error, using defaults.")
+ }
+ rc := &RepoConfig{}
+ if err := configFetchConfig(ctx, c, owner, repo, configFile, false, rc); err != nil {
+ log.Error().
+ Str("org", owner).
+ Str("repo", repo).
+ Bool("orgLevel", false).
+ Str("area", polName).
+ Str("file", configFile).
+ Err(err).
+ Msg("Unexpected config error, using defaults.")
+ }
+ return oc, rc
+}
+
+func mergeConfig(oc *OrgConfig, rc *RepoConfig, repo string) *mergedConfig {
+ mc := &mergedConfig{
+ Action: oc.Action,
+ }
+
+ if !oc.OptConfig.DisableRepoOverride {
+ if rc.Action != nil {
+ mc.Action = *rc.Action
+ }
+ }
+ return mc
+}
From 06ad92eadcdc794492ca980e856d009c01081802 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 15 Feb 2022 22:09:19 -0500 Subject: [PATCH 4/5] scorecard: Initial copy of scorecard command logic Signed-off-by: Stephen Augustus --- go.mod | 1 + go.sum | 7 ++ pkg/policies/policies.go | 4 ++ pkg/policies/scorecard/scorecard.go | 100 +++++++++++++++++++++++++--- 4 files changed, 102 insertions(+), 10 deletions(-)
diff --git a/go.mod b/go.mod
index 5bec3759..3a6ace78 100644
--- a/go.mod
+++ b/go.mod
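Review bot: The new file carries copy-paste leftovers from the binary-artifacts policy that will be user-visible: the type comment says `Scorecard is the Scorecard Artifacts policy object`, `NewScorecard` says it `returns a new Scorecard Artifacts policy`, and the notification built in `Check` reads `Scorecard Check Scorecard: %v`, which is the text an opened issue would show. Since the result here still comes from `checks.BinaryArtifacts(cr)`, the string should name that check, e.g. `notify = fmt.Sprintf("Scorecard Check Binary Artifacts: %v\n"+`, and the two doc comments should drop "Artifacts". `mergeConfig` also takes a `repo` parameter it never reads. One thing worth keeping when the TODO about running more checks is addressed: `githubrepo.CreateGithubRepoClientWithTransport(ctx, c.Client().Transport)` runs the scan on the same installation-scoped transport as the rest of Allstar, rather than on a separate credential.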
@@ -12,6 +12,7 @@ require ( github.com/ossf/scorecard/v4 v4.1.1-0.20220227152949-d71866ca16b4 github.com/rs/zerolog v1.26.1 github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228 + github.com/spf13/cobra v1.3.0 gocloud.dev v0.24.0 gopkg.in/yaml.v2 v2.4.0 ) diff --git a/go.sum b/go.sum index c9d4487a..2b01846c 100644 --- a/go.sum +++ b/go.sum @@ -878,6 +878,7 @@ github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg= github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= @@ -1057,6 +1058,7 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -1267,6 +1269,7 @@ github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKv github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0= github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= @@ -1274,6 +1277,7 @@ github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzu github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= 
@@ -1351,8 +1355,11 @@ github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= github.com/xanzy/go-gitlab v0.32.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f h1:mvXjJIHRZyhNuGassLTcXTwjiWq7NmjdavZsUnmFybQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go index b642d2c3..6e0727e7 100644 --- a/pkg/policies/policies.go +++ b/pkg/policies/policies.go @@ -20,6 +20,7 @@ import ( "github.com/ossf/allstar/pkg/policies/binary" "github.com/ossf/allstar/pkg/policies/branch" "github.com/ossf/allstar/pkg/policies/outside" + "github.com/ossf/allstar/pkg/policies/scorecard" "github.com/ossf/allstar/pkg/policies/security" "github.com/ossf/allstar/pkg/policydef" ) 
@@ -27,9 +28,12 @@ import (
 // GetPolicies returns a slice of all policies in Allstar.
 func GetPolicies() []policydef.Policy {
 return []policydef.Policy{
+ // TODO(scorecard): Deprecate Binary Artifacts check once Scorecard check
+ // is working
 binary.NewBinary(),
 branch.NewBranch(),
 outside.NewOutside(),
 security.NewSecurity(),
+ scorecard.NewScorecard(),
 }
 }
diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go
index 84d16b46..2bb6a1fb 100644
--- a/pkg/policies/scorecard/scorecard.go
+++ b/pkg/policies/scorecard/scorecard.go
@@ -18,15 +18,25 @@ package scorecard
 import (
 "context"
 "fmt"
+ "os"
+ "sort"
+ "strings"
+
+ "github.com/google/go-github/v39/github"
+ "github.com/rs/zerolog/log"
 
 "github.com/ossf/allstar/pkg/config"
 "github.com/ossf/allstar/pkg/policydef"
 "github.com/ossf/scorecard/v4/checker"
 "github.com/ossf/scorecard/v4/checks"
- "github.com/ossf/scorecard/v4/clients/githubrepo"
-
- "github.com/google/go-github/v39/github"
- "github.com/rs/zerolog/log"
+ "github.com/ossf/scorecard/v4/clients"
+ screpo "github.com/ossf/scorecard/v4/clients/githubrepo"
+ docs "github.com/ossf/scorecard/v4/docs/checks"
+ "github.com/ossf/scorecard/v4/format"
+ sclog "github.com/ossf/scorecard/v4/log"
+ "github.com/ossf/scorecard/v4/options"
+ "github.com/ossf/scorecard/v4/pkg"
+ "github.com/ossf/scorecard/v4/policy"
 )
 
 const configFile = "scorecard.yaml"
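Review bot: Registering `scorecard.NewScorecard()` next to `binary.NewBinary()` means a repo that opts into both policies runs the `BinaryArtifacts` check twice per enforcement pass and, with `action: issue`, presumably gets two issues for the same finding, because the new policy's `Check` (in the next file of this patch, outside this hunk) still calls `checks.BinaryArtifacts`. The TODO acknowledges the overlap but not the duplicate reporting; either hold the registration until the new policy runs its own check set, or say so in the comment: `// TODO(scorecard): Deprecate Binary Artifacts check once Scorecard check is working; until then both policies report the BinaryArtifacts result.` The new entry is also appended after `security.NewSecurity()`, breaking the alphabetical order the list otherwise keeps.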
@@ -107,18 +117,88 @@ func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
 }, nil
 }
 
- scRepoArg := fmt.Sprintf("%s/%s", owner, repo)
- scRepo, err := githubrepo.MakeGithubRepo(scRepoArg)
+ // TODO(scorecard): Configure options
+ scOpts := options.New()
+ scOpts.Repo = fmt.Sprintf("%s/%s", owner, repo)
+
+ // TODO(scorecard): Read policy
+ pol, err := policy.ParseFromFile(scOpts.PolicyFile)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("readPolicy: %v", err)
 }
 
- roundTripper := c.Client().Transport
- repoClient := githubrepo.CreateGithubRepoClientWithTransport(ctx, roundTripper)
- if err := repoClient.InitRepo(scRepo, defaultGitRef); err != nil {
+ logger := sclog.NewLogger(sclog.Level(scOpts.LogLevel))
+
+ // TODO(scorecard): Plumb roundtripper into clients
+ //roundTripper := c.Client().Transport
+
+ // TODO(scorecard): Fix ciiClient, vulnsClient
+ scRepo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := screpo.GetClients(
+ ctx, scOpts.Repo, scOpts.Local, logger)
+ if err != nil {
 return nil, err
 }
 defer repoClient.Close()
+ if ossFuzzRepoClient != nil {
+ defer ossFuzzRepoClient.Close()
+ }
+
+ // TODO(scorecard): Read docs
+ checkDocs, err := docs.Read()
+ if err != nil {
+ return nil, fmt.Errorf("cannot read yaml file: %v", err)
+ }
+
+ // TODO(scorecard)
+ var requiredRequestTypes []checker.RequestType
+ if scOpts.Local != "" {
+ requiredRequestTypes = append(requiredRequestTypes, checker.FileBased)
+ }
+ if !strings.EqualFold(scOpts.Commit, clients.HeadSHA) {
+ requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
+ }
+ enabledChecks, err := policy.GetEnabled(pol, scOpts.ChecksToRun, requiredRequestTypes)
+ if err != nil {
+ return nil, err
+ }
+
+ if scOpts.Format == options.FormatDefault {
+ for checkName := range enabledChecks {
+ fmt.Fprintf(os.Stderr, "Starting [%s]\n", checkName)
+ }
+ }
+
+ repoResult, err := pkg.RunScorecards(ctx, scRepo, scOpts.Commit, scOpts.Format == options.FormatRaw, enabledChecks, repoClient,
+ ossFuzzRepoClient, ciiClient, vulnsClient)
+ if err != nil {
+ return nil, err
+ }
+ repoResult.Metadata = append(repoResult.Metadata, scOpts.Metadata...)
+
+ // Sort them by name
+ sort.Slice(repoResult.Checks, func(i, j int) bool {
+ return repoResult.Checks[i].Name < repoResult.Checks[j].Name
+ })
+
+ if scOpts.Format == options.FormatDefault {
+ for checkName := range enabledChecks {
+ fmt.Fprintf(os.Stderr, "Finished [%s]\n", checkName)
+ }
+ fmt.Println("\nRESULTS\n-------")
+ }
+
+ resultsErr := format.FormatResults(
+ scOpts,
+ repoResult,
+ checkDocs,
+ pol,
+ )
+ if resultsErr != nil {
+ return nil, fmt.Errorf("failed to format results: %v", err)
+ }
+
+ // TODO(scorecard): Refactor below here
+
 l := checker.NewLogger()
 cr := &checker.CheckRequest{
 Ctx: ctx,
From 269b6a7e14a497e4cd6203b44b4e9c5651e2bb6e Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Sun, 27 Feb 2022 11:10:24 -0500 Subject: [PATCH 5/5] scorecard: Update usage to scorecard/v4@main Signed-off-by: Stephen Augustus --- pkg/policies/scorecard/scorecard.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkg/policies/scorecard/scorecard.go b/pkg/policies/scorecard/scorecard.go
index 2bb6a1fb..32aebe66 100644
--- a/pkg/policies/scorecard/scorecard.go
+++ b/pkg/policies/scorecard/scorecard.go
@@ -30,9 +30,7 @@ import (
 "github.com/ossf/scorecard/v4/checker"
 "github.com/ossf/scorecard/v4/checks"
 "github.com/ossf/scorecard/v4/clients"
- screpo "github.com/ossf/scorecard/v4/clients/githubrepo"
 docs "github.com/ossf/scorecard/v4/docs/checks"
- "github.com/ossf/scorecard/v4/format"
 sclog "github.com/ossf/scorecard/v4/log"
 "github.com/ossf/scorecard/v4/options"
 "github.com/ossf/scorecard/v4/pkg"
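Review bot: The error return after `format.FormatResults` wraps the wrong variable: `return nil, fmt.Errorf("failed to format results: %v", err)` uses `err`, which is nil at that point (the `RunScorecards` failure was already returned above), so a formatting failure surfaces with a nil cause and `resultsErr` is dropped; it should be `return nil, fmt.Errorf("failed to format results: %w", resultsErr)`. More broadly, everything this hunk computes is write-only: `repoResult` is formatted but never read, and `Check` continues past the hunk to the separate `checks.BinaryArtifacts` request that produces the returned `policydef.Result`, so the scan's findings (the `Starting`/`Finished` lines go to stderr, the `RESULTS` banner to stdout, and `FormatResults` presumably to stdout as well) land in the Allstar process's console rather than in `Result.Details`. Until `repoResult` feeds the result, the direct `fmt.Fprintf(os.Stderr, ...)`/`fmt.Println` calls would be better routed through the zerolog `log` this file already uses, so they carry the `org`/`repo` fields. The enclosing `Check` starts and ends outside the hunk.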
@@ -133,7 +131,7 @@ func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
 //roundTripper := c.Client().Transport
 
 // TODO(scorecard): Fix ciiClient, vulnsClient
- scRepo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := screpo.GetClients(
+ scRepo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients(
 ctx, scOpts.Repo, scOpts.Local, logger)
 if err != nil {
 return nil, err
@@ -187,9 +185,9 @@ func (sc Scorecard) Check(ctx context.Context, c *github.Client, owner,
 fmt.Println("\nRESULTS\n-------")
 }
 
- resultsErr := format.FormatResults(
+ resultsErr := pkg.FormatResults(
 scOpts,
- repoResult,
+ &repoResult,
 checkDocs,
 pol,
 )
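Review bot: `checker.GetClients(ctx, scOpts.Repo, scOpts.Local, logger)` takes no transport, so, as the commented-out `//roundTripper := c.Client().Transport` just above it acknowledges, the scorecard repo client presumably authenticates from scorecard's own environment-derived credentials rather than the per-installation GitHub App token that Allstar's `c` carries. That is two credential sets in one process: with no token in the environment the scan runs unauthenticated (private repos fail, shared rate limit), and with a PAT it runs at whatever scope that PAT has rather than the installation's. Until the transport is plumbed through, the TODO should state which token this path is expected to use, e.g. `// TODO(scorecard): GetClients builds its own GitHub client from the environment; the Allstar installation transport (c.Client().Transport) is not used for scorecard calls yet.` The enclosing `Check` starts and ends outside the hunk.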