diff --git a/.codecov.yml b/.codecov.yml
index 97cae9da52b..01a294fe37a 100644
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -12,8 +12,6 @@ ignore: - "docs/**/*" # this is the runner - "main.go" - # this package is deprecated and going to be removed. - - "dependencydiff/**/*" coverage: precision: 2
diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go
deleted file mode 100644
index 3eb28f837d9..00000000000
--- a/dependencydiff/dependencydiff.go
+++ /dev/null
@@ -1,206 +0,0 @@
-// Copyright 2022 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Deprecated: This is going to be removed in the future.
-package dependencydiff
-
-import (
- "context"
- "fmt"
- "strings"
-
- "github.com/ossf/scorecard/v5/checker"
- "github.com/ossf/scorecard/v5/checks"
- "github.com/ossf/scorecard/v5/clients"
- sce "github.com/ossf/scorecard/v5/errors"
- "github.com/ossf/scorecard/v5/internal/packageclient"
- sclog "github.com/ossf/scorecard/v5/log"
- "github.com/ossf/scorecard/v5/pkg"
- "github.com/ossf/scorecard/v5/policy"
-)
-
-// Depdiff is the exported name for dependency-diff.
-const (
- Depdiff = "Dependency-diff"
-)
-
-// A private context struct used for GetDependencyCheckResults.
-type dependencydiffContext struct {
- logger *sclog.Logger
- ownerName, repoName, base, head string
- ctx context.Context
- ghRepo clients.Repo
- ghRepoClient clients.RepoClient
- ossFuzzClient clients.RepoClient
- vulnsClient clients.VulnerabilitiesClient
- ciiClient clients.CIIBestPracticesClient
- projectClient packageclient.ProjectPackageClient
- changeTypesToCheck []string
- checkNamesToRun []string
- dependencydiffs []dependency
- results []pkg.DependencyCheckResult
-}
-
-// Deprecated: This is going to be removed in the future.
-// GetDependencyDiffResults gets dependency changes between two given code commits BASE and HEAD
-// along with the Scorecard check results of the dependencies, and returns a slice of DependencyCheckResult.
-// TO use this API, an access token must be set. See https://github.com/ossf/scorecard#authentication.
-func GetDependencyDiffResults(
- ctx context.Context,
- repoURI string, /* Use the format "ownerName/repoName" as the repo URI, such as "ossf/scorecard". */
- base, head string, /* Two code commits base and head, can use either SHAs or branch names. */
- checksToRun []string, /* A list of enabled check names to run. */
- changeTypes []string, /* A list of dependency change types for which we surface scorecard results. */
-) ([]pkg.DependencyCheckResult, error) {
- logger := sclog.NewLogger(sclog.DefaultLevel)
- ownerAndRepo := strings.Split(repoURI, "/")
- if len(ownerAndRepo) != 2 {
- return nil, fmt.Errorf("%w: repo uri input", errInvalid)
- }
- owner, repo := ownerAndRepo[0], ownerAndRepo[1]
- dCtx := dependencydiffContext{
- logger: logger,
- ownerName: owner,
- repoName: repo,
- base: base,
- head: head,
- ctx: ctx,
- changeTypesToCheck: changeTypes,
- checkNamesToRun: checksToRun,
- }
- // Fetch the raw dependency diffs. This API will also handle error cases such as invalid base or head.
- err := fetchRawDependencyDiffData(&dCtx)
- if err != nil {
- return nil, fmt.Errorf("error in fetchRawDependencyDiffData: %w", err)
- }
- // Map the ecosystem naming convention from GitHub to OSV.
- err = mapDependencyEcosystemNaming(dCtx.dependencydiffs)
- if err != nil {
- return nil, fmt.Errorf("error in mapDependencyEcosystemNaming: %w", err)
- }
- err = getScorecardCheckResults(&dCtx)
- if err != nil {
- return nil, fmt.Errorf("error getting scorecard check results: %w", err)
- }
- return dCtx.results, nil
-}
-
-func initRepoAndClientByChecks(dCtx *dependencydiffContext, dSrcRepo string) error {
- repo, repoClient, ossFuzzClient, ciiClient, vulnsClient, projectClient, err := checker.GetClients(
- dCtx.ctx, dSrcRepo, "", dCtx.logger)
- if err != nil {
- return fmt.Errorf("error getting the github repo and clients: %w", err)
- }
- dCtx.ghRepo = repo
- dCtx.ghRepoClient = repoClient
- // If the caller doesn't specify the checks to run, run all the checks and return all the clients.
- if dCtx.checkNamesToRun == nil || len(dCtx.checkNamesToRun) == 0 {
- dCtx.ossFuzzClient, dCtx.ciiClient, dCtx.vulnsClient = ossFuzzClient, ciiClient, vulnsClient
- return nil
- }
- for _, cn := range dCtx.checkNamesToRun {
- switch cn {
- case checks.CheckFuzzing:
- dCtx.ossFuzzClient = ossFuzzClient
- case checks.CheckCIIBestPractices:
- dCtx.ciiClient = ciiClient
- case checks.CheckVulnerabilities:
- dCtx.vulnsClient = vulnsClient
- case checks.CheckSignedReleases:
- dCtx.projectClient = projectClient
- }
- }
- return nil
-}
-
-func getScorecardCheckResults(dCtx *dependencydiffContext) error {
- // Initialize the checks to run from the caller's input.
- checksToRun, err := policy.GetEnabled(nil, dCtx.checkNamesToRun, nil)
- if err != nil {
- return fmt.Errorf("error init scorecard checks: %w", err)
- }
- for _, d := range dCtx.dependencydiffs {
- depCheckResult := pkg.DependencyCheckResult{
- PackageURL: d.PackageURL,
- SourceRepository: d.SourceRepository,
- ChangeType: d.ChangeType,
- ManifestPath: d.ManifestPath,
- Ecosystem: d.Ecosystem,
- Version: d.Version,
- Name: d.Name,
- /* The scorecard check result is nil now. */
- }
- if d.ChangeType == nil {
- // Since we allow a dependency having a nil change type, so we also
- // give such a dependency a nil scorecard result.
- dCtx.results = append(dCtx.results, depCheckResult)
- continue
- }
- // (1) If no change types are specified, run the checks on all types of dependencies.
- // (2) If there are change types specified by the user, run the checks on the specified types.
- noneGivenOrIsSpecified := len(dCtx.changeTypesToCheck) == 0 || /* None specified.*/
- isSpecifiedByUser(*d.ChangeType, dCtx.changeTypesToCheck) /* Specified by the user.*/
- // For now we skip those without source repo urls.
- // TODO (#2063): use the BigQuery dataset to supplement null source repo URLs to fetch the Scorecard results for them.
- if d.SourceRepository != nil && noneGivenOrIsSpecified {
- // Initialize the repo and client(s) corresponding to the checks to run.
- err = initRepoAndClientByChecks(dCtx, *d.SourceRepository)
- if err != nil {
- return fmt.Errorf("error init repo and clients: %w", err)
- }
-
- // Run scorecard on those types of dependencies that the caller would like to check.
- // If the input map changeTypesToCheck is empty, by default, we run the checks for all valid types.
- // TODO (#2064): use the Scorecard REST API to retrieve the Scorecard result statelessly.
- scorecardResult, err := pkg.RunScorecard(
- dCtx.ctx,
- dCtx.ghRepo,
- // TODO (#2065): In future versions, ideally, this should be
- // the commitSHA corresponding to d.Version instead of HEAD.
- clients.HeadSHA,
- 0,
- checksToRun,
- dCtx.ghRepoClient,
- dCtx.ossFuzzClient,
- dCtx.ciiClient,
- dCtx.vulnsClient,
- dCtx.projectClient,
- )
- // If the run fails, we leave the current dependency scorecard result empty and record the error
- // rather than letting the entire API return nil since we still expect results for other dependencies.
- if err != nil {
- wrappedErr := sce.WithMessage(sce.ErrScorecardInternal,
- fmt.Sprintf("scorecard running failed for %s: %v", d.Name, err))
- dCtx.logger.Error(wrappedErr, "")
- depCheckResult.ScorecardResultWithError.Error = wrappedErr
- } else { // Otherwise, we record the scorecard check results for this dependency.
- depCheckResult.ScorecardResultWithError.ScorecardResult = &scorecardResult
- }
- }
- dCtx.results = append(dCtx.results, depCheckResult)
- }
- return nil
-}
-
-func isSpecifiedByUser(ct pkg.ChangeType, changeTypes []string) bool {
- if len(changeTypes) == 0 {
- return false
- }
- for _, ctByUser := range changeTypes {
- if string(ct) == ctByUser {
- return true
- }
- }
- return false
-}
diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go
deleted file mode 100644
index 7172804d234..00000000000
--- a/dependencydiff/dependencydiff_test.go
+++ /dev/null
@@ -1,232 +0,0 @@
-// Copyright 2022 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dependencydiff
-
-import (
- "context"
- "errors"
- "path"
- "testing"
-
- sclog "github.com/ossf/scorecard/v5/log"
- "github.com/ossf/scorecard/v5/pkg"
-)
-
-func Test_initRepoAndClientByChecks(t *testing.T) {
- t.Parallel()
- //nolint:govet
- tests := []struct {
- name string
- dCtx dependencydiffContext
- srcRepo string
- wantRepoClient, wantFuzzClient bool
- wantVulnClient, wantCIIClient bool
- wantErr bool
- }{
- {
- name: "error creating repo",
- dCtx: dependencydiffContext{
- logger: sclog.NewLogger(sclog.InfoLevel),
- ctx: context.Background(),
- checkNamesToRun: []string{},
- },
- srcRepo: path.Join(
- "host_not_exist.com",
- "owner_not_exist",
- "repo_not_exist",
- ),
- wantRepoClient: false,
- wantFuzzClient: false,
- wantVulnClient: false,
- wantCIIClient: false,
- wantErr: true,
- },
- // Same as the above, putting the normal responses to the e2e test.
- }
- for _, tt := range tests {
- tt := tt
- t.Run(tt.name, func(t *testing.T) {
- t.Parallel()
- err := initRepoAndClientByChecks(&tt.dCtx, tt.srcRepo)
- if (err != nil) != tt.wantErr {
- t.Errorf("initClientByChecks() error = {%v}, want error: %v", err, tt.wantErr)
- return
- }
- if (tt.dCtx.ghRepoClient != nil) != tt.wantRepoClient {
- t.Errorf("init repo error, wantRepoClient: %v, got %v", tt.wantRepoClient, tt.dCtx.ghRepoClient)
- return
- }
- if (tt.dCtx.ossFuzzClient != nil) != tt.wantFuzzClient {
- t.Errorf("init repo error, wantFuzzClient: %v, got %v", tt.wantFuzzClient, tt.dCtx.ossFuzzClient)
- return
- }
- if (tt.dCtx.vulnsClient != nil) != tt.wantVulnClient {
- t.Errorf("init repo error, wantVulnClient: %v, got %v", tt.wantVulnClient, tt.dCtx.vulnsClient)
- return
- }
- if (tt.dCtx.ciiClient != nil) != tt.wantCIIClient {
- t.Errorf("init repo error, wantCIIClient: %v, got %v", tt.wantCIIClient, tt.dCtx.ciiClient)
- return
- }
- })
- }
-}
-
-func Test_getScorecardCheckResults(t *testing.T) {
- t.Parallel()
- tests := []struct {
- name string
- dCtx dependencydiffContext
- wantErr bool
- }{
- {
- name: "empty response",
- dCtx: dependencydiffContext{
- ctx: context.Background(),
- logger: sclog.NewLogger(sclog.InfoLevel),
- ownerName: "owner_not_exist",
- repoName: "repo_not_exist",
- },
- wantErr: false,
- },
- }
- for _, tt := range tests {
- tt := tt
- t.Run(tt.name, func(t *testing.T) {
- t.Parallel()
- err := getScorecardCheckResults(&tt.dCtx)
- if (err != nil) != tt.wantErr {
- t.Errorf("getScorecardCheckResults() error = {%v}, want error: %v", err, tt.wantErr)
- return
- }
- })
- }
-}
-
-func Test_mapDependencyEcosystemNaming(t *testing.T) {
- t.Parallel()
- //nolint:govet
- tests := []struct {
- name string
- deps []dependency
- errWanted error
- }{
- {
- name: "error invalid github ecosystem",
- deps: []dependency{
- {
- Name: "dependency_1",
- Ecosystem: asPointer("not_supported"),
- },
- {
- Name: "dependency_2",
- Ecosystem: asPointer("gomod"),
- },
- },
- errWanted: errInvalid,
- },
- {
- name: "error cannot find mapping",
- deps: []dependency{
- {
- Name: "dependency_3",
- Ecosystem: asPointer("foobar"),
- },
- },
- errWanted: errMappingNotFound,
- },
- {
- name: "correct mapping",
- deps: []dependency{
- {
- Name: "dependency_4",
- Ecosystem: asPointer("gomod"),
- },
- {
- Name: "dependency_5",
- Ecosystem: asPointer("pip"),
- },
- {
- Name: "dependency_6",
- Ecosystem: asPointer("cargo"),
- },
- {
- Name: "dependency_7",
- Ecosystem: asPointer("actions"),
- },
- },
- },
- }
- for _, tt := range tests {
- tt := tt
- t.Run(tt.name, func(t *testing.T) {
- t.Parallel()
- err := mapDependencyEcosystemNaming(tt.deps)
- if tt.errWanted != nil && errors.Is(tt.errWanted, err) {
- t.Errorf("not a wanted error, want:%v, got:%v", tt.errWanted, err)
- return
- }
- })
- }
-}
-
-func Test_isSpecifiedByUser(t *testing.T) {
- t.Parallel()
- tests := []struct {
- name string
- ct pkg.ChangeType
- changeTypesToCheck []string
- resultWanted bool
- }{
- {
- name: "error invalid github ecosystem",
- },
- {
- name: "added",
- ct: pkg.ChangeType("added"),
- changeTypesToCheck: nil,
- resultWanted: false,
- },
- {
- name: "ct is added but not specified",
- ct: pkg.ChangeType("added"),
- changeTypesToCheck: []string{"removed"},
- resultWanted: false,
- },
- {
- name: "removed",
- ct: pkg.ChangeType("added"),
- changeTypesToCheck: []string{"added", "removed"},
- resultWanted: true,
- },
- {
- name: "not_supported",
- ct: pkg.ChangeType("not_supported"),
- changeTypesToCheck: []string{"added", "removed"},
- resultWanted: false,
- },
- }
- for _, tt := range tests {
- tt := tt
- t.Run(tt.name, func(t *testing.T) {
- t.Parallel()
- result := isSpecifiedByUser(tt.ct, tt.changeTypesToCheck)
- if result != tt.resultWanted {
- t.Errorf("result (%v) != result wanted (%v)", result, tt.resultWanted)
- return
- }
- })
- }
-}
diff --git a/dependencydiff/errors.go b/dependencydiff/errors.go
deleted file mode 100644
index 72b57f56794..00000000000
--- a/dependencydiff/errors.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2022 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dependencydiff
-
-import "errors"
-
-// static Errors for mapping.
-var (
- errMappingNotFound = errors.New("ecosystem mapping not found")
- errInvalid = errors.New("invalid")
-)
diff --git a/dependencydiff/mapping.go b/dependencydiff/mapping.go
deleted file mode 100644
index ef0a102460a..00000000000
--- a/dependencydiff/mapping.go
+++ /dev/null
@@ -1,120 +0,0 @@
-// Copyright 2022 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dependencydiff
-
-import (
- "fmt"
-)
-
-// Ecosystem is a package ecosystem supported by OSV, GitHub, etc.
-type ecosystem string
-
-// OSV ecosystem naming data source: https://ossf.github.io/osv-schema/#affectedpackage-field
-const (
- // The Go ecosystem.
- ecosystemGo ecosystem = "Go"
-
- // The NPM ecosystem.
- ecosystemNpm ecosystem = "npm"
-
- // The Android ecosystem.
- ecosystemAndroid ecosystem = "Android" //nolint:unused
-
- // The crates.io ecosystem for RUST.
- ecosystemCrates ecosystem = "crates.io"
-
- // For reports from the OSS-Fuzz project that have no more appropriate ecosystem.
- ecosystemOssFuzz ecosystem = "OSS-Fuzz" //nolint:unused
-
- // The Python PyPI ecosystem. PyPI is the main package source of pip.
- ecosystemPyPI ecosystem = "PyPI"
-
- // The RubyGems ecosystem.
- ecosystemRubyGems ecosystem = "RubyGems"
-
- // The PHP package manager ecosystem. Packagist is the main Composer repository.
- ecosystemPackagist ecosystem = "Packagist"
-
- // The Maven Java package ecosystem.
- ecosystemMaven ecosystem = "Maven"
-
- // The NuGet package ecosystem.
- ecosystemNuGet ecosystem = "NuGet"
-
- // The Linux kernel.
- ecosystemLinux ecosystem = "Linux" //nolint:unused
-
- // The Debian package ecosystem.
- ecosystemDebian ecosystem = "Debian" //nolint:unused
-
- // Hex is the package manager of Erlang.
- // TODO: GitHub doesn't support hex as the ecosystem for Erlang yet. Add this to the map in the future.
- ecosystemHex ecosystem = "Hex" //nolint:unused
-
- // GitHub Actions is an ecosystem for the GitHub Actions.
- ecosystemActions ecosystem = "GitHub Actions"
-
- // Pub is the official package repository for Dart and Flutter apps.
- ecosystemPub ecosystem = "Pub" //nolint:unused
-
- // Ecosystems with a "nolint" tag suggests GitHub hasn't gotten them supported yet.
- // We need to add them to the below hashmap in a timely manner once GitHub adds supports.
-)
-
-// gitHubToOSV defines the ecosystem naming mapping relationship between GitHub and others.
-var gitHubToOSV = map[string]ecosystem{
- // GitHub ecosystem naming data source: https://docs.github.com/en/code-security/supply-chain-security/
- // understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems
- "gomod": ecosystemGo, /* go.mod and go.sum */
- "cargo": ecosystemCrates,
- "pip": ecosystemPyPI, /* pip and poetry */
- "npm": ecosystemNpm, /* npm and yarn */
- "maven": ecosystemMaven,
- "composer": ecosystemPackagist,
- "rubygems": ecosystemRubyGems,
- "nuget": ecosystemNuGet,
- "actions": ecosystemActions,
-}
-
-func mapDependencyEcosystemNaming(deps []dependency) error {
- for i := range deps {
- // Since we allow a dependency's ecosystem to be nil, so skip those nil ones and only map
- // those valid ones.
- if deps[i].Ecosystem == nil {
- continue
- }
- mappedEcosys, err := toEcosystem(*deps[i].Ecosystem)
- if err != nil {
- // Iff. the ecosystem is not empty and the mapping entry is not found, we will return an error.
- return fmt.Errorf("error mapping dependency ecosystem: %w", err)
- }
- deps[i].Ecosystem = asPointer(string(mappedEcosys))
- }
- return nil
-}
-
-// Note: the current implementation directly returns an error if the mapping entry is not found in the above hashmap.
-// GitHub might update their ecosystem names frequently, so we might also need to update the above map in a timely
-// manner for the dependency-diff feature not to fail because of the "mapping not found" error.
-func toEcosystem(e string) (ecosystem, error) {
- if ecosystemOSV, found := gitHubToOSV[e]; found {
- return ecosystemOSV, nil
- }
- return "", fmt.Errorf("%w for github entry %s", errMappingNotFound, e)
-}
-
-func asPointer(s string) *string {
- return &s
-}
diff --git a/dependencydiff/raw_dependencies.go b/dependencydiff/raw_dependencies.go
deleted file mode 100644
index 0d149dfc9e9..00000000000
--- a/dependencydiff/raw_dependencies.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2022 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dependencydiff
-
-import (
- "fmt"
- "net/http"
- "path"
-
- "github.com/google/go-github/v53/github"
-
- "github.com/ossf/scorecard/v5/clients/githubrepo/roundtripper"
- "github.com/ossf/scorecard/v5/pkg"
-)
-
-// dependency is a raw dependency fetched from the GitHub Dependency Review API.
-// Fields of a dependency corresponding to those of pkg.DependencyCheckResult.
-type dependency struct {
- // Package URL is a short link for a package.
- PackageURL *string `json:"package_url"`
-
- // SourceRepository is the source repository URL of the dependency.
- SourceRepository *string `json:"source_repository_url"`
-
- // ChangeType indicates whether the dependency is added, updated, or removed.
- ChangeType *pkg.ChangeType `json:"change_type"`
-
- // ManifestPath is the path of the manifest file of the dependency, such as go.mod for Go.
- ManifestPath *string `json:"manifest"`
-
- // Ecosystem is the name of the package management system, such as NPM, GO, PYPI.
- Ecosystem *string `json:"ecosystem"`
-
- // Version is the package version of the dependency.
- Version *string `json:"version"`
-
- // Name is the name of the dependency.
- Name string `json:"name"`
-}
-
-// fetchRawDependencyDiffData fetches the dependency-diffs between the two code commits
-// using the GitHub Dependency Review API, and returns a slice of DependencyCheckResult.
-func fetchRawDependencyDiffData(dCtx *dependencydiffContext) error {
- ghrt := roundtripper.NewTransport(dCtx.ctx, dCtx.logger)
- ghClient := github.NewClient(&http.Client{Transport: ghrt})
- req, err := ghClient.NewRequest(
- "GET",
- path.Join("repos", dCtx.ownerName, dCtx.repoName,
- "dependency-graph", "compare", dCtx.base+"..."+dCtx.head),
- nil,
- )
- if err != nil {
- return fmt.Errorf("request for dependency-diff failed with %w", err)
- }
- _, err = ghClient.Do(dCtx.ctx, req, &dCtx.dependencydiffs)
- if err != nil {
- return fmt.Errorf("error parsing the dependency-diff response: %w", err)
- }
- for _, d := range dCtx.dependencydiffs {
- if !d.ChangeType.IsValid() {
- return fmt.Errorf("%w: change type", errInvalid)
- }
- }
- return nil
-}
diff --git a/e2e/dependencydiff_test.go b/e2e/dependencydiff_test.go
deleted file mode 100644
index e0d76461e7f..00000000000
--- a/e2e/dependencydiff_test.go
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright 2021 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package e2e
-
-import (
- "context"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
-
- "github.com/ossf/scorecard/v5/checks"
- //nolint:staticcheck // we know it's deprecated and the tests will be removed when the package is
- "github.com/ossf/scorecard/v5/dependencydiff"
-)
-
-const (
- repoURI = "ossf-tests/scorecard-depdiff"
- base = "fd2a82b3b735fffbc2d782ed5f50301b879ecc51"
- head = "1989568f93e484f6a86f8b276b170e3d6962ce12"
-)
-
-var _ = Describe("E2E TEST:"+dependencydiff.Depdiff, func() {
- Context("E2E TEST:Validating use of the dependency-diff API", func() {
- It("Should return a slice of dependency-diff checking results", func() {
- ctx := context.Background()
- checksToRun := []string{
- checks.CheckBranchProtection,
- }
- changeTypesToCheck := []string{
- "removed", // Only checking those removed ones will make this test faster.
- }
- //nolint:staticcheck // we know it's deprecated and the tests will be removed when the package is
- results, err := dependencydiff.GetDependencyDiffResults(
- ctx,
- repoURI,
- base, head,
- checksToRun,
- changeTypesToCheck,
- )
- Expect(err).Should(BeNil())
- Expect(len(results) > 0).Should(BeTrue())
- })
- It("Should return a valid empty result", func() {
- ctx := context.Background()
- checksToRun := []string{
- checks.CheckBranchProtection,
- }
- changeTypesToCheck := []string{
- "removed",
- }
- //nolint:staticcheck // we know it's deprecated and the tests will be removed when the package is
- results, err := dependencydiff.GetDependencyDiffResults(
- ctx,
- repoURI,
- base, base,
- checksToRun,
- changeTypesToCheck,
- )
- Expect(err).Should(BeNil())
- Expect(len(results) == 0).Should(BeTrue())
- })
- It("Should initialize clients corresponding to the checks to run and do not crash", func() {
- ctx := context.Background()
- checksToRun := []string{
- checks.CheckFuzzing,
- }
- changeTypesToCheck := []string{
- "removed",
- }
- //nolint:staticcheck // we know it's deprecated and the tests will be removed when the package is
- _, err := dependencydiff.GetDependencyDiffResults(
- ctx,
- repoURI,
- base, head,
- checksToRun,
- changeTypesToCheck,
- )
- Expect(err).Should(BeNil())
- })
- })
-})