✨ Implement local repo client for local folders #1146
Conversation
laurentsimon
changed the title
laurentsimon
force-pushed
the
feat/localint2
branch
9 times, most recently
from
259d759 to
f24bfc5
Compare
laurentsimon
changed the title
laurentsimon
force-pushed
the
feat/localint2
branch
from
d86206d to
26b6bbf
Compare
|
friendly ping |
checks/fuzzing.go
Outdated
| // Local clients do not have a repo's full name for the OSS-Fuzz lookup. | ||
| if c.RepoClient.IsLocal() { | ||
| e := sce.WithMessage(sce.ErrScorecardInternal, "not supported for local repos") | ||
| return checker.CreateRuntimeErrorResult(CheckFuzzing, e) | ||
| } | ||
|
|
There was a problem hiding this comment.
We shouldn't check what the RepoClient implementation type is here. Its ok if it doesn't find anything here and fails.
There was a problem hiding this comment.
we'll be providing an erroneous result if we fail. I think we need to tell users this check is not supported, like we do for other checks the local repo client does not support.
There was a problem hiding this comment.
IMO, I don't think its erroneous or misleading. We are basically checking whether the repo does Fuzzing using OSS-Fuzz or has a CII badge and we report a failure since they don't. In future, if we expand our support for Fuzzing (e.g using ClusterFuzzLite or looking for local files for evidence of Fuzzing), even local repos will be able to have a non-fail score for Fuzzing.
There was a problem hiding this comment.
Fair point regarding fuzzing: you're right there may be local files indicating fuzzing configuration in the repo itself. I don't think we'll ever be able to check for CII badge using local repos, though. @david-a-wheeler to comment on this.
@naveensrinivasan @oliverchang any opinion on this thread?
There was a problem hiding this comment.
Similar point holds true for CII too - if we extend the local file implementation in the future to return a valid HTTP URL associated with the local source code, local repos can have a valid CII badge value.
In general, my contention is changing the checks behavior based on the implementation detail.
There was a problem hiding this comment.
I agree with @azeemshaikh38. It would be better to not encode this implementation detail/type check as part of the RepoClient interface as it's breaking the interface somewhat.
If we do need to make such a distinction for displaying better error messages, maybe could we do this at registerCheck time? I.e. add a supportsLocal bool in registerCheck and enable/disable it at runtime based on the type of repo we're checking.
We could also in theory support this Fuzzing check today, if we add support to the local repo client to take the git remote result and use that as the repo URL to search for.
There was a problem hiding this comment.
should this be part of registerCheck or the checks.yml?
Any thought on checks that use both source code and GH APIs?
There was a problem hiding this comment.
checks.yml also works and would be better for documentation!
Maybe for local only mode, we just don't support any any GH APIs calls? How many checks would that disable? I'm not sure it's worth the complexity to support.
Then we don't need to make much of a distinction for a hybrid local source code + GH API option. If the user provides a github token as well, we can just have a hybrid RepoClient which is treated in the same way as a regular remote RepoClient, assuming we can extract the remote repo URL.
There was a problem hiding this comment.
checks.yml also works and would be better for documentation!
yes, I'm on the same page.
Maybe for local only mode, we just don't support any any GH APIs calls? How many checks would that disable? I'm not sure it's worth the complexity to support.
yes, I like removing complexity, and disabling them would be nice. I initially use IsLocal(), but documentation checks.yaml is better.
I'll check how that would work and see how many would be disabled. @azeemsgoogle please chime in for additional comments.
Then we don't need to make much of a distinction for a hybrid local source code + GH API option. If the user provides a github token as well, we can just have a hybrid RepoClient which is treated in the same way as a regular remote RepoClient, assuming we can extract the remote repo URL.
doable, thanks for the suggestion, I'll keep this in mind.
The CII badge requirements mostly focus on the project. You could use git to find the relevant remote URL, then query the CII Best Practices badge for the information about that URL. You might check "origin" and then "upstream" remotes, that should be enough. |
thanks for chiming in. We envision 3 different repo clients: online (GitHub, GitLab, etc), local folder (plain source code with no info), "hybrid" (source code with info, e.g. by git). it would work well for the 3rd option. |
|
another thing I wanted to mention: requiring a GitHub token to run scorecard on a local folder feels weird. |
I agree, that'd work for third option. If you only have a local folder with source code and NO other info, you could establish some convention for recording its home repo URL, and then use that. |
Do you mean using the path as name, or taking it from an existing file? |
laurentsimon
force-pushed
the
feat/localint2
branch
from
26b6bbf to
1d8a05f
Compare
|
FYI @naveensrinivasan pre-submit failing with |
+1! We should make it painlessly easy for someone to run this on their own local checkout.
How do we plan to support local repos using the CLI? If it's a separate option, maybe we can do
But it's not clear we need this when we can just take the upstream by doing a |
laurentsimon
force-pushed
the
feat/localint2
branch
from
ebb7aec to
3d14f74
Compare
|
@azeemshaikh38 @oliverchang I've removed the |
| @@ -111,7 +110,8 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult { | |||
| if r { | |||
| return checker.CreateMaxScoreResult(CheckSecurityPolicy, "security policy file detected") | |||
| } | |||
| case !errors.Is(err, sce.ErrRepoUnreachable): | |||
| // err != nil | |||
| files := []string{} | ||
| var err error | ||
|
|
||
| once.Do(func() { | ||
| files, err = listFiles(client.path, predicate) | ||
| }) |
There was a problem hiding this comment.
I'm not sure if this is working right.
onceshould be defined and initiated insidelocalDirClientstruct. Else, it'll be shared by all instances oflocalDirClient.- The
filesanderrvariables should also be insidelocalDirClient. Else, they get re-initiated and will return empty values whenListFilesis called more than once.
| } | ||
|
|
||
| // GetFileContent implements RepoClient.GetFileContent. | ||
| func (client *localDirClient) GetFileContent(filename string) ([]byte, error) { | ||
| // TODO | ||
| return nil, nil | ||
| return getFileContent(client.path, filename) | ||
| } | ||
|
|
||
| // ListMergedPRs implements RepoClient.ListMergedPRs. |
There was a problem hiding this comment.
FYI, Search API can also be implemented for local client. Maybe the next PR.
There was a problem hiding this comment.
good point! I think checks that are supported don't use it, so not needed in the short term. Thanks for flagging!
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
feature
What is the current behavior? (You can also link to an open issue here)
no support for local folders
What is the new behavior (if this is a feature change)?
add support for local client repo from a folder
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
yes for the internal API
Other information: