
🌱 [W.I.P] feat(listing): add ignorelist for scanning #1408

Closed
wants to merge 1 commit into from

Conversation

Dentrax
Contributor

@Dentrax Dentrax commented Dec 22, 2021

Signed-off-by: Furkan [email protected] @Dentrax
Co-authored-by: Batuhan [email protected] @developer-guy

  • Please check if the PR fulfills these requirements
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Fixes #1406

  • What is the current behavior? (You can also link to an open issue here)

See #1406 and anchore/syft#593

  • What is the new behavior (if this is a feature change)?

We have the ability to pass ignorelist.

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

No

  • Other information:

Fixes ossf#1406

Signed-off-by: Furkan <[email protected]>
Co-authored-by: Batuhan <[email protected]>
@Dentrax
Contributor Author

Dentrax commented Dec 22, 2021

This is currently WIP. Passing the ignoreDirs field is not implemented yet, since we couldn't find a way to pass a project-wide ignore array.

We added a new IgnoreDirs []string field in the CheckRequest struct. Should we fill this from the same field/type that we need to add in the config.go/config struct?

And we are not passing CheckRequest for the CheckFilesContentV6 function. That's why we passed an empty array.

@laurentsimon Can you please enlighten us on this?

@laurentsimon
Contributor

laurentsimon commented Dec 22, 2021

The current idea we have is to build the "ignore list" as a policy applied on the canonical scorecard results. By canonical, I mean scorecard results without filtering.

Consumers of the canonical results can then decide to apply a policy of their choice, e.g., "I don't care about results referencing path /some/path for check CheckName". The policy file may be different for every consumer, and we aim to provide a policy language to express more complex policies, e.g. using https://cuelang.org/ or https://www.openpolicyagent.org/docs/latest/policy-language/ or anything users may want.

If we were to provide a directory list that changes scorecard's behavior at the time it gathers information (this PR), it becomes harder to tell what the ground truth is. Also, it's not expressive enough for other use cases users may want.

So we envisage a world where:

  1. scorecard results are canonical and do not depend on filtering
  2. consumers apply policies to filter out results they don't care about, possibly using a hint from the consumer. A consumer may be the producer as well: for example, in the GitHub action, the repo owner will be able to add a config file. We envisage this policy being applied on the canonical results.

In order to build expressive policies, we aim to add some features in scorecard to output the results in a more structured format. We're tracking it in #1245. The first step is to split the checks into 2 parts:

  1. The part that gathers information
  2. The part that applies a policy. Today, you can think of the score as a simple policy. Long-term, users will be able to express more complex policies using a policy language. We have already split some of our checks, see this folder https://github.com/ossf/scorecard/tree/main/checks/raw (data gathering) and https://github.com/ossf/scorecard/tree/main/checks/evaluation (score policy calculation). You can try it out using SCORECARD_V6=1 scorecard ... --raw. The output raw results are defined in https://github.com/ossf/scorecard/blob/main/checker/raw_result.go#L19 (fyi, this is subject to changes until public release)

Let me know if you have questions.
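The comment above describes a split between canonical (unfiltered) results and a consumer-side policy that filters them. The following Go program is an added illustration of that split and is not scorecard's own code: the RawFinding, IgnoreRule, ApplyPolicy and ScoreByCheck names are hypothetical stand-ins, and the findings and policy are constructed sample data, not the output of a real scan. It shows that the canonical data is never mutated, that an ignore rule matches on whole path components (so "src/test" does not swallow "src/testing"), and that the score is just one simple policy evaluated over whatever findings survive the consumer's filter.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// RawFinding is a hypothetical, simplified stand-in (not scorecard's real
// checker.RawResults) for one piece of data a check gathers: the check that
// produced it, the repo-relative path it refers to, and whether it is a problem.
type RawFinding struct {
	Check string
	Path  string
	Bad   bool
}

// IgnoreRule is one entry of a consumer-side policy: drop findings from Check
// (any check when Check is "") whose Path lies under Dir.
type IgnoreRule struct {
	Check string
	Dir   string
}

// Matches reports whether the rule covers the finding. Matching is on whole
// path components, so the rule "src/test" covers "src/test/a.jar" but not
// "src/testing/b.jar"; a Dir of "" or "." covers every path of that check.
func (r IgnoreRule) Matches(f RawFinding) bool {
	if r.Check != "" && r.Check != f.Check {
		return false
	}
	// Anchoring at "/" lets path.Clean normalise "./x/", "x//y" and "" alike.
	dir := path.Clean("/" + r.Dir)
	p := path.Clean("/" + f.Path)
	if dir == "/" {
		return true
	}
	return p == dir || strings.HasPrefix(p, dir+"/")
}

// ApplyPolicy returns the findings that no rule ignores. It builds a new
// slice so the canonical input stays untouched for other consumers.
func ApplyPolicy(canonical []RawFinding, rules []IgnoreRule) []RawFinding {
	kept := make([]RawFinding, 0, len(canonical))
	for _, f := range canonical {
		ignored := false
		for _, r := range rules {
			if r.Matches(f) {
				ignored = true
				break
			}
		}
		if !ignored {
			kept = append(kept, f)
		}
	}
	return kept
}

// ScoreByCheck is the "score as a simple policy" idea: per check,
// 10 * good/total, integer-truncated. Checks with no findings are absent.
func ScoreByCheck(findings []RawFinding) map[string]int {
	total := map[string]int{}
	bad := map[string]int{}
	for _, f := range findings {
		total[f.Check]++
		if f.Bad {
			bad[f.Check]++
		}
	}
	scores := map[string]int{}
	for check, n := range total {
		scores[check] = 10 * (n - bad[check]) / n
	}
	return scores
}

// SampleCanonical is constructed sample data, not output from a real scan.
func SampleCanonical() []RawFinding {
	return []RawFinding{
		{Check: "Binary-Artifacts", Path: "src/test/resources/fixture.jar", Bad: true},
		{Check: "Binary-Artifacts", Path: "cmd/tool.go", Bad: false},
		{Check: "Pinned-Dependencies", Path: "Dockerfile", Bad: true},
		{Check: "Pinned-Dependencies", Path: ".github/workflows/ci.yml", Bad: false},
	}
}

// SamplePolicy is a constructed consumer policy: this consumer does not care
// about binaries that only live under the test resources directory.
func SamplePolicy() []IgnoreRule {
	return []IgnoreRule{{Check: "Binary-Artifacts", Dir: "src/test/resources"}}
}

func main() {
	canonical := SampleCanonical()
	fmt.Println("canonical:", ScoreByCheck(canonical))
	fmt.Println("policy:   ", ScoreByCheck(ApplyPolicy(canonical, SamplePolicy())))
	fmt.Println("canonical findings still present:", len(canonical))
}
```

Because the filter runs on the consumer side, two consumers with different policies can start from the same canonical findings and arrive at different scores, which is exactly the ground-truth property the comment wants to keep.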

@github-actions

github-actions bot commented Jan 2, 2022

Stale pull request message

@Dentrax
Contributor Author

Dentrax commented Feb 1, 2022

A bit confused and lost @laurentsimon on this PR. Thanks for your thoughts. How should we proceed here? 🙏

@laurentsimon
Contributor

We're going to address the ignore-list using policies. Please see the discussion starting on this #1245 (comment)
Feel free to comment on the issue.

raboof added a commit to raboof/scorecard that referenced this pull request Mar 1, 2023
The Maven 'Standard Directory Layout' [0] is fairly widely used, not only
in Maven but also in adjacent ecosystems like Gradle and Clojure.

Longer-term this would become part of the default policy, see discussion
at ossf#1408 (comment) etc.

[0]: https://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html
raboof added a commit to raboof/scorecard that referenced this pull request Mar 1, 2023
naveensrinivasan pushed a commit to raboof/scorecard that referenced this pull request Mar 1, 2023
raboof added a commit to raboof/scorecard that referenced this pull request Mar 1, 2023
raboof added a commit to raboof/scorecard that referenced this pull request Mar 2, 2023
raboof added a commit to raboof/scorecard that referenced this pull request Mar 2, 2023
raboof added a commit to raboof/scorecard that referenced this pull request Mar 3, 2023
naveensrinivasan pushed a commit that referenced this pull request Mar 3, 2023
Shofiya2003 pushed a commit to Shofiya2003/scorecard that referenced this pull request Mar 10, 2023
Shofiya2003 pushed a commit to Shofiya2003/scorecard that referenced this pull request Mar 10, 2023
Development

Successfully merging this pull request may close these issues.

add ability to pass ignore list