Scorecard Integration #1294
Open
Scorecard Integration #1294
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
developed functions to check for availability nexB#598 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…aving logic nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…exB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
… nexB#598 Signed-off-by: 404-geek <[email protected]>
…ecard_integration
…up.cfg nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…gration # Conflicts: # scanpipe/models.py # scanpipe/tests/test_models.py
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
tdruez
requested changes
Dec 3, 2024
scanpipe/migrations/0070_alter_project_purl_discoveredpackagescore_and_more.py
Outdated
Show resolved
Hide resolved
scanpipe/models.py
Outdated
| ) | ||
|
|
||
| @classmethod | ||
| @transaction.atomic() |
There was a problem hiding this comment.
@404-geek You haven't address the question above yet ;)
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…ecard_integration
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
tdruez
requested changes
Jun 24, 2025
| @@ -1238,6 +1238,38 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration( | |||
| expected = vulnerability_data[0]["affected_by_vulnerabilities"] | |||
| self.assertEqual(expected, package1.affected_by_vulnerabilities) | |||
|
|
|||
| @mock.patch("scorecode.ossf_scorecard.is_available") | |||
| def test_scanpipe_get_scorecard_info_packages_integration(self, mock_is_available): | |||
There was a problem hiding this comment.
This test depends on internet access at the moment. This is problematic.
The ossf_scorecard.fetch_scorecard_info return value should be mocked instead.
| package=package, scorecard_data=scorecard_obj | ||
| ) | ||
|
|
||
| self.assertIsNotNone(package_score) |
Comment on lines
+2625
to
+2626
| if check.check_score == "-1": | ||
| self.assertEqual(check.check_score, "-1") |
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
tdruez
reviewed
Jul 14, 2025
Comment on lines
+15
to
+19
| migrations.AlterField( | ||
| model_name='codebaseresource', | ||
| name='sha1_git', | ||
| field=models.CharField(blank=True, help_text='SHA1 checksum generated by Git, hex-encoded.', max_length=40, verbose_name='SHA1_git'), | ||
| ), |
There was a problem hiding this comment.
This seems odd, why is it in this migration file?
|
@404-geek We are almost ready but there's still a few comments you have not addressed yet. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ScoreCode Integration
This pull request integrates the ScoreCode Repo into SCIO, enabling the fetching of the latest OSSF Scorecard Data for
discovered packagesusing theirvcs_url. The current implementation supportsgithub.comandgitlab.comVCS URLs.Key Features:
vcs_urlgithub.comandgitlab.comVCS URLsRelated Issues:
This feature enhances SCIO's functionality by ensuring that users can retrieve the most up-to-date security scores for packages discovered in their projects, improving overall security assessment and management.