✨ Feature DependencyDiff (Version 0 Part 2) #2046

Merged
merged 64 commits into from
Jul 18, 2022
Changes from 6 commits
d043b13
temp
aidenwang9867 Jul 8, 2022
5f95398
Update dependencies.go
aidenwang9867 Jul 8, 2022
c29a841
Update errors.go
aidenwang9867 Jul 8, 2022
572bef5
Update scorecard_results.go
aidenwang9867 Jul 8, 2022
dc50937
Update vulnerabilities.go
aidenwang9867 Jul 8, 2022
4e90206
save
aidenwang9867 Jul 8, 2022
1fee520
temp
aidenwang9867 Jul 9, 2022
0595cdf
temp
aidenwang9867 Jul 9, 2022
c5cb697
temp
aidenwang9867 Jul 9, 2022
7bc6911
temp
aidenwang9867 Jul 11, 2022
62fb494
temp
aidenwang9867 Jul 11, 2022
b6c3b2c
Merge branch 'ossf:main' into depdiff_p2
aidenwang9867 Jul 11, 2022
92a117e
temp
aidenwang9867 Jul 11, 2022
c49c7f4
temp
aidenwang9867 Jul 11, 2022
c733ba5
temp
aidenwang9867 Jul 11, 2022
1379082
temp
aidenwang9867 Jul 11, 2022
8a89984
temp
aidenwang9867 Jul 11, 2022
cdd1840
temp
aidenwang9867 Jul 11, 2022
0e1223d
temp
aidenwang9867 Jul 11, 2022
2ac26d7
temp
aidenwang9867 Jul 11, 2022
2b0ffed
temp
aidenwang9867 Jul 11, 2022
3fd0f77
Merge branch 'main' into depdiuff_p1_pr
aidenwang9867 Jul 11, 2022
5549e91
Merge branch 'ossf:main' into depdiff_p2
aidenwang9867 Jul 11, 2022
3faf9ed
tempsave:
aidenwang9867 Jul 12, 2022
f6049b8
Merge branch 'depdiff_p2' of https://github.com/aidenwang9867/scoreca…
aidenwang9867 Jul 12, 2022
6d24320
Merge branch 'ossf:main' into depdiff_p2
aidenwang9867 Jul 12, 2022
847b3e7
temp
aidenwang9867 Jul 12, 2022
5c64505
temp
aidenwang9867 Jul 12, 2022
af29bc9
Merge branch 'ossf:main' into depdiff_p2
aidenwang9867 Jul 12, 2022
ad9c056
temp
aidenwang9867 Jul 13, 2022
23a1745
temp
aidenwang9867 Jul 13, 2022
5fea8bd
temp0713-1
aidenwang9867 Jul 13, 2022
1c313bd
temp0713-2
aidenwang9867 Jul 13, 2022
5e9c33d
temp0713-3
aidenwang9867 Jul 13, 2022
cae5546
Merge branch 'main' into depdiff_p2
aidenwang9867 Jul 13, 2022
4da19cf
temp0713-4
aidenwang9867 Jul 13, 2022
26be711
temp0713-4
aidenwang9867 Jul 14, 2022
f3419b2
temp0713-5
aidenwang9867 Jul 14, 2022
70f81c2
temp0713-6
aidenwang9867 Jul 14, 2022
e3f4d87
temp0713-7
aidenwang9867 Jul 14, 2022
c9b8cc7
temp0713-8
aidenwang9867 Jul 14, 2022
aea729f
temp0713-9
aidenwang9867 Jul 14, 2022
fd3d7b1
temp0713-10
aidenwang9867 Jul 14, 2022
0e3cb52
temp0713-11
aidenwang9867 Jul 14, 2022
70a3894
temp0713-12
aidenwang9867 Jul 14, 2022
a9658df
1
aidenwang9867 Jul 14, 2022
e1e0653
temp
aidenwang9867 Jul 14, 2022
751d67d
temp
aidenwang9867 Jul 14, 2022
9de05d8
Merge branch 'main' into depdiff_p2
aidenwang9867 Jul 14, 2022
459cf97
temp
aidenwang9867 Jul 15, 2022
4e4e201
Merge branch 'depdiff_p2' of https://github.com/aidenwang9867/scoreca…
aidenwang9867 Jul 15, 2022
f243586
temp
aidenwang9867 Jul 15, 2022
0493379
temp
aidenwang9867 Jul 15, 2022
baae011
temp
aidenwang9867 Jul 15, 2022
1f42bf7
Merge branch 'main' into depdiff_p2
aidenwang9867 Jul 15, 2022
fc1e227
temp
aidenwang9867 Jul 16, 2022
a7547d4
temp
aidenwang9867 Jul 16, 2022
347d74d
save
aidenwang9867 Jul 18, 2022
4e5e7a4
Merge branch 'main' into depdiff_p2
aidenwang9867 Jul 18, 2022
e825159
save
aidenwang9867 Jul 18, 2022
a8f30d9
Merge branch 'depdiff_p2' of https://github.com/aidenwang9867/scoreca…
aidenwang9867 Jul 18, 2022
08fa625
save
aidenwang9867 Jul 18, 2022
3cb16cc
final_commit_before_merge
aidenwang9867 Jul 18, 2022
e2b13e0
Merge branch 'main' into depdiff_p2
aidenwang9867 Jul 18, 2022
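--- a/pkg/check-depdiff/check-depdiff.go
+++ b/pkg/check-depdiff/check-depdiff.go
@@ -0,0 +1,46 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package depdiff
+
+import (
+"fmt"
+)
+
+type DepDiffContext struct {
+OwnerName string
+RepoName string
+BaseSHA string
+HeadSHA string
+AccessToken string
+}
+
+func GetDependencyDiff(ownerName, repoName, baseSHA, headSHA, accessToken string) (string, error) {
+ctx := DepDiffContext{
+OwnerName: ownerName,
+RepoName: repoName,
+BaseSHA: baseSHA,
+HeadSHA: headSHA,
+AccessToken: accessToken,
+}
+
+// Fetch dependency diffs using the GitHub Dependency Review API.
+deps, err := raw.FetchDependencyDiffData(ctx)
+if err != nil {
+return "", err
+}
+fmt.Println(deps)
+
+return "", nil
+}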
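Review bot: `raw.FetchDependencyDiffData(ctx)` passes a `DepDiffContext`, but the signature this same PR adds in `raw/fetch.go` takes `(owner, repo, base, head string)`, and `raw` is absent from this file's import block (only `"fmt"`), so the package cannot build as shown; presumably later commits in the PR reconcile this, since the view is limited to the first 6 commits. The fetched `deps` are only written to stdout with `fmt.Println` and the function unconditionally returns `"", nil`, so a caller gets neither the data nor any signal that the implementation is a stub — either return the result or mark the function with a `// TODO` explaining what it will return. Both exported names lack doc comments; `// DepDiffContext holds the repository, commit range and access token used to query the GitHub Dependency Review API.` and `// GetDependencyDiff returns the dependency diff between baseSHA and headSHA of the given repository.` would satisfy the linter. Because `DepDiffContext` carries `AccessToken`, take care that the struct itself is never handed to a print or log call the way `deps` is here.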
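--- a/pkg/check-depdiff/dependency_results.go
+++ b/pkg/check-depdiff/dependency_results.go
@@ -0,0 +1,47 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package depdiff
+
+import (
+"github.com/ossf/scorecard/v4/pkg"
+"github.com/ossf/scorecard/v4/pkg/check-depdiff/raw"
+)
+
+// DependencyCheckResult is the dependency structure used in the returned results.
+type DependencyCheckResult struct {
+// Package URL is a short link for a package.
+PackageURL *string `json:"packageUrl"`
+
+// SourceRepository is the source repository URL of the dependency.
+SourceRepository *string `json:"sourceRepository"`
+
+// ChangeType indicates whether the dependency is added, updated, or removed.
+ChangeType *raw.ChangeType `json:"changeType"`
+
+// ManifestPath is the path of the manifest file of the dependency, such as go.mod for Go.
+ManifestPath *string `json:"manifestPath"`
+
+// Ecosystem is the name of the package management system, such as NPM, GO, PYPI.
+Ecosystem *string `json:"ecosystem"`
+
+// Version is the package version of the dependency.
+Version *string `json:"version"`
+
+// ScorecardResults is the scorecard result for the dependency repo.
+ScorecardResults *pkg.ScorecardResult `json:"scorecardResults"`
+
+// Name is the name of the dependency.
+Name string `json:"name"`
+}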
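Review bot: The doc comment on `PackageURL` reads `// Package URL is a short link for a package.` and does not start with the field name, unlike every other field in the struct; `// PackageURL is the package URL (purl) identifying the package.` keeps the godoc convention. `Name` is the only non-pointer field here while the raw `Dependency` it is presumably populated from declares `Name *string`, so the nil case on the raw side is silently converted to an empty string; a comment such as `// Name is the name of the dependency; empty if the API omitted it.` would make that choice explicit, or the field should stay a pointer for symmetry. Since every field is optional in the JSON output, consider whether `omitempty` is wanted on the pointer fields so consumers can distinguish "absent" from `null`.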
@@ -12,9 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

package depdiff

import "github.com/ossf/scorecard/v4/pkg"
package raw

// ChangeType is the change type (added, updated, removed) of a dependency.
type ChangeType string
@@ -38,54 +36,26 @@ func (ct *ChangeType) IsValid() bool {
}
}

// rawDependency is the Dependency structure that is used to receive
// the raw results from the GitHub Dependency Review API.
type rawDependency struct {
// Dependency is a raw dependency fetched from the GitHub Dependency Review API.
type Dependency struct {
// Package URL is a short link for a package.
PackageURL *string `json:"package_url"`

// SrcRepoURL is the source repository URL of the dependency.
SrcRepoURL *string `json:"source_repository_url"`
// SourceRepository is the source repository URL of the dependency.
SourceRepository *string `json:"source_repository_url"`

// ChangeType indicates whether the dependency is added, updated, or removed.
ChangeType *ChangeType `json:"change_type"`

// ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go.
// ManifestPath is the path of the manifest file of the dependency, such as go.mod for Go.
ManifestPath *string `json:"manifest"`

// Ecosystem is the name of the package management system, such as NPM, GO, PYPI.
Ecosystem *string `json:"ecosystem"`

// Name is the name of the dependency.
Name *string `json:"name"`

// Version is the package version of the dependency.
Version *string `json:"version"`
}

// DependencyCheckResult is the dependency structure used in the returned results.
type DependencyCheckResult struct {
// Package URL is a short link for a package.
PackageURL *string `json:"packageUrl"`

// SrcRepoURL is the source repository URL of the dependency.
SrcRepoURL *string `json:"srcRepoUrl"`

// ChangeType indicates whether the dependency is added, updated, or removed.
ChangeType *ChangeType `json:"changeType"`

// ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go.
ManifestPath *string `json:"manifest"`

// Ecosystem is the name of the package management system, such as NPM, GO, PYPI.
Ecosystem *string `json:"ecosystem"`

// Name is the name of the dependency.
Name string `json:"name"`

// Version is the package version of the dependency.
Version *string `json:"version"`

// ScReresults is the scorecard result for the dependency repo.
ScReresults *pkg.ScorecardResult `json:"scorecardResults"`
}
40 changes: 4 additions & 36 deletions pkg/check-depdiff/depdiff.go → pkg/check-depdiff/raw/fetch.go
@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

package depdiff
package raw

import (
"fmt"
@@ -23,42 +23,14 @@ import (
gogh "github.com/google/go-github/v38/github"
)

type DepDiffContext struct {
OwnerName string
RepoName string
BaseSHA string
HeadSHA string
AccessToken string
}

func GetDependencyDiff(ownerName, repoName, baseSHA, headSHA, accessToken string) (string, error) {
ctx := DepDiffContext{
OwnerName: ownerName,
RepoName: repoName,
BaseSHA: baseSHA,
HeadSHA: headSHA,
AccessToken: accessToken,
}

// Fetch dependency diffs using the GitHub Dependency Review API.
deps, err := FetchDependencyDiffData(ctx)
if err != nil {
return "", err
}
fmt.Println(deps)

return "", nil
}

// Get the depednency-diffs between two specified code commits.
func FetchDependencyDiffData(ctx DepDiffContext) ([]rawDependency, error) {
func FetchDependencyDiffData(owner, repo, base, head string) ([]Dependency, error) {
// Currently, the GitHub Dependency Review
// (https://docs.github.com/en/rest/dependency-graph/dependency-review) API is used.
// Set a ten-seconds timeout to make sure the client can be created correctly.
client := gogh.NewClient(&http.Client{Timeout: 10 * time.Second})
reqURL := path.Join(
"repos", ctx.OwnerName, ctx.RepoName, "dependency-graph", "compare",
ctx.BaseSHA+"..."+ctx.HeadSHA,
"repos", owner, repo, "dependency-graph", "compare", base+"..."+head,
)
req, err := client.NewRequest("GET", reqURL, nil)
if err != nil {
@@ -68,14 +40,10 @@ func FetchDependencyDiffData(ctx DepDiffContext) ([]rawDependency, error) {
// An access token is required in the request header to be able to use this API.
req.Header.Set("Authorization", "token "+ctx.AccessToken)

depDiff := []rawDependency{}
depDiff := []Dependency{}
_, err = client.Do(req.Context(), req, &depDiff)
if err != nil {
return nil, fmt.Errorf("get response error: %w", err)
}
return depDiff, nil
}

func GetAggregateScore(d rawDependency) (float32, error) {
return 0, nil
}
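Review bot: The new signature `func FetchDependencyDiffData(owner, repo, base, head string) ([]Dependency, error)` drops the access token, yet the unchanged context line `req.Header.Set("Authorization", "token "+ctx.AccessToken)` in the last hunk still reads it from `ctx`, which no longer exists as a parameter; unless a `ctx` is declared in the lines between the hunks, the function does not compile and there is no path for the credential into the request. The straightforward fix is to keep the token as an explicit parameter, `func FetchDependencyDiffData(owner, repo, base, head, accessToken string) ([]Dependency, error)` and `req.Header.Set("Authorization", "token "+accessToken)`, and to document in the function comment that the token is required by the Dependency Review API and is sent only to the `gogh` client's base URL. The body of `FetchDependencyDiffData` spans both the second and third hunks, so parts of it are not visible here. The existing comment `// Get the depednency-diffs between two specified code commits.` is untouched context but misspells "dependency" and does not start with the function name; `// FetchDependencyDiffData returns the dependency diff between base and head of owner/repo.` would fix both.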