Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Add ProjectPackageClient interface and deps.dev default client #3954

Merged
merged 7 commits into from
May 8, 2024
Merged

🌱 Add ProjectPackageClient interface and deps.dev default client #3954

merged 7 commits into from
May 8, 2024

Conversation

raghavkaul
Copy link
Contributor

What kind of change does this PR introduce?

This change adds a new client that allows Scorecard to retrieve package versions for a repository. A ProjectPackageVersion.Version is a package version published by a repository.

Instead of looking up a repository directly in a package manager, this interface allows Scorecard to handle multiple project package versions, i.e. packages with different names than their source repos, and monorepos that publish multiple packages.

We implement a deps.dev client for this interface using GetProjectPackageVersions:

GetProjectPackageVersions returns known mappings between the requested project and package versions. At most 1500 package versions are returned. Mappings which were derived from a SLSA provenance attestation are served first.

@raghavkaul raghavkaul temporarily deployed to integration-test March 19, 2024 18:59 — with GitHub Actions Inactive
@codecov Codecov
Copy link

codecov bot commented Mar 19, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 28 lines in your changes are missing coverage. Please review.

Project coverage is 66.04%. Comparing base (0b9dfb6) to head (b71528f).
Report is 30 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3954      +/-   ##
==========================================
- Coverage   73.83%   66.04%   -7.80%     
==========================================
  Files         219      226       +7     
  Lines       15987    16290     +303     
==========================================
- Hits        11804    10758    -1046     
- Misses       3430     4856    +1426     
+ Partials      753      676      -77

@raghavkaul raghavkaul changed the title Add ProjectPackageClient interface and deps.dev default client 🌱 Add ProjectPackageClient interface and deps.dev default client Mar 19, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 2, 2024

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added Stale and removed Stale labels Apr 2, 2024
@github-actions GitHub Actions
Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Apr 14, 2024
@raghavkaul raghavkaul marked this pull request as ready for review April 15, 2024 21:38
@raghavkaul raghavkaul requested a review from a team as a code owner April 15, 2024 21:38
@raghavkaul raghavkaul requested review from justaugustus and spencerschrock and removed request for a team April 15, 2024 21:38
@raghavkaul
v4 -> v5
5f1f4b2 
Signed-off-by: Raghav Kaul <[email protected]>
@raghavkaul raghavkaul temporarily deployed to integration-test April 16, 2024 23:02 — with GitHub Actions Inactive
spencerschrock
spencerschrock reviewed Apr 23, 2024
View reviewed changes
Copy link
Member

@spencerschrock spencerschrock left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we throw everything under an internal folder while experimenting, so we can change things later without breaking changes?

maybe internal/clients or internal/clients/depsdev ? We do this already with nuget client for example, which is marked as internal in cmd/internal/nuget

@github-actions github-actions bot removed the Stale label Apr 25, 2024
@raghavkaul
Move to internal
b71528f 
Signed-off-by: Raghav Kaul <[email protected]>
@raghavkaul raghavkaul temporarily deployed to integration-test May 8, 2024 18:24 — with GitHub Actions Inactive
@raghavkaul raghavkaul temporarily deployed to integration-test May 8, 2024 20:01 — with GitHub Actions Inactive
@raghavkaul
update
b3eee3b 
Signed-off-by: Raghav Kaul <[email protected]>
@raghavkaul raghavkaul temporarily deployed to integration-test May 8, 2024 20:33 — with GitHub Actions Inactive
@raghavkaul raghavkaul temporarily deployed to integration-test May 8, 2024 20:45 — with GitHub Actions Inactive
@raghavkaul raghavkaul merged commit f842292 into ossf:main May 8, 2024
36 checks passed
@raghavkaul raghavkaul deleted the feature-projectpackageclient branch May 8, 2024 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spencerschrock spencerschrock spencerschrock approved these changes

@justaugustus justaugustus Awaiting requested review from justaugustus justaugustus is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees
No one assigned
Labels
None yet
Projects
Scorecard - NEW
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@raghavkaul @spencerschrock