ossf · laurentsimon · Jun 7, 2023 · May 3, 2023 · May 3, 2023 · May 4, 2023
@@ -43,6 +43,11 @@ type RawResults struct {
 	LicenseResults              LicenseData
 	TokenPermissionsResults     TokenPermissionsData
 	CITestResults               CITestData
+	Metadata                    MetadataData
+}
+
+type MetadataData struct {
+	Metadata map[string]string
 }
 
 type RevisionCIInfo struct {

@@ -0,0 +1,56 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pkg
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+)
+
+// JSONScorecardProbeResult exports results as JSON for flat findings without checks.
+//
+//nolint:govet
+type JSONScorecardProbeResult struct {
+	Date      string            `json:"date"`
+	Repo      jsonRepoV2        `json:"repo"`
+	Scorecard jsonScorecardV2   `json:"scorecard"`
+	Findings  []finding.Finding `json:"findings"`
+}
+
+func (r *ScorecardResult) AsPJSON(writer io.Writer) error {
+	encoder := json.NewEncoder(writer)
+	out := JSONScorecardProbeResult{
+		Repo: jsonRepoV2{
+			Name:   r.Repo.Name,
+			Commit: r.Repo.CommitSHA,
+		},
+		Scorecard: jsonScorecardV2{
+			Version: r.Scorecard.Version,
+			Commit:  r.Scorecard.CommitSHA,
+		},
+		Date:     r.Date.Format("2006-01-02"),
+		Findings: r.Findings,
+	}
+
+	if err := encoder.Encode(out); err != nil {
+		return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("encoder.Encode: %v", err))
+	}
+
+	return nil
+}
@@ -19,6 +19,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -27,6 +29,10 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/clients"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/options"
+	"github.com/ossf/scorecard/v4/probes"
+	"github.com/ossf/scorecard/v4/probes/zrunner"
 )
 
 func runEnabledChecks(ctx context.Context,
@@ -102,6 +108,15 @@ func RunScorecard(ctx context.Context,
 	if err != nil || commitSHA == "" {
 		return ScorecardResult{}, err
 	}
+	defaultBranch, err := repoClient.GetDefaultBranchName()
+	if err != nil {
+		if !errors.Is(err, clients.ErrUnsupportedFeature) {
+			return ScorecardResult{},
+				sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetDefaultBranchName:%v", err.Error()))
+		}
+		defaultBranch = "unknown"
+	}
+
 	versionInfo := version.GetVersionInfo()
 	ret := ScorecardResult{
 		Repo: RepoInfo{
@@ -115,11 +130,42 @@ func RunScorecard(ctx context.Context,
 		Date: time.Now(),
 	}
 	resultsCh := make(chan checker.CheckResult)
-	go runEnabledChecks(ctx, repo, &ret.RawResults, checksToRun, repoClient, ossFuzzRepoClient,
+
+	// Set metadata for all checks to use. This is necessary
+	// to create remediations from the probe yaml files.
+	ret.RawResults.Metadata.Metadata = map[string]string{
+		"repository.host":          repo.Host(),
+		"repository.name":          strings.TrimPrefix(repo.URI(), repo.Host()+"/"),
+		"repository.uri":           repo.URI(),
+		"repository.sha1":          commitSHA,
+		"repository.defaultBranch": defaultBranch,
+	}
+
+	go runEnabledChecks(ctx, repo, &ret.RawResults, checksToRun,
+		repoClient, ossFuzzRepoClient,
 		ciiClient, vulnsClient, resultsCh)
 
 	for result := range resultsCh {
 		ret.Checks = append(ret.Checks, result)
 	}
+
+	if value, _ := os.LookupEnv(options.EnvVarScorecardExperimental); value == "1" {
+		// Run the probes.
+		var findings []finding.Finding
+		// TODO(#3049): only run the probes for checks.
+		// NOTE: We will need separate functions to support:
+		// - `--probes X,Y`
+		// - `--check-definitions-file path/to/config.yml
+		// NOTE: we discard the returned error because the errors are
+		// already cotained in the findings and we want to return the findings
+		// to users.
+		// See https://github.com/ossf/scorecard/blob/main/probes/zrunner/runner.go#L34-L45.
+		// Note: we discard the error because each probe's error is reported within
+		// the probe and we don't want the entire scorecard run to fail if a single error
+		// is encountered.
+		//nolint:errcheck
+		findings, _ = zrunner.Run(&ret.RawResults, probes.All)
+		ret.Findings = findings
+	}
 	return ret, nil
 }
@@ -25,6 +25,7 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/docs/checks"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
 	"github.com/ossf/scorecard/v4/log"
 	"github.com/ossf/scorecard/v4/options"
 	spol "github.com/ossf/scorecard/v4/policy"
@@ -50,6 +51,7 @@ type ScorecardResult struct {
 	Scorecard  ScorecardInfo
 	Checks     []checker.CheckResult
 	RawResults checker.RawResults
+	Findings   []finding.Finding
 	Metadata   []string
 }
 
@@ -119,6 +121,8 @@ func FormatResults(
 		err = results.AsJSON2(opts.ShowDetails, log.ParseLevel(opts.LogLevel), doc, os.Stdout)
 	case options.FormatFJSON:
 		err = results.AsFJSON(opts.ShowDetails, log.ParseLevel(opts.LogLevel), doc, os.Stdout)
+	case options.FormatPJSON:
+		err = results.AsPJSON(os.Stdout)
 	case options.FormatRaw:
 		err = results.AsRawJSON(os.Stdout)
 	default:

@@ -1,4 +1,4 @@
-// Copyright 2022 OpenSSF Scorecard Authors
+// Copyright 2023 OpenSSF Scorecard Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

@@ -1,4 +1,4 @@
-// Copyright 2022 OpenSSF Scorecard Authors
+// Copyright 2023 OpenSSF Scorecard Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

@@ -1,4 +1,4 @@
-// Copyright 2022 OpenSSF Scorecard Authors
+// Copyright 2023 OpenSSF Scorecard Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

@@ -1,4 +1,4 @@
-// Copyright 2022 OpenSSF Scorecard Authors
+// Copyright 2023 OpenSSF Scorecard Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.