Scorecard Integration #1294
Scorecard Integration #1294
Conversation
developed functions to check for availability nexB#598 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…aving logic nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…exB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
… nexB#598 Signed-off-by: 404-geek <[email protected]>
…ecard_integration
…up.cfg nexB#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
…gration # Conflicts: # scanpipe/models.py # scanpipe/tests/test_models.py
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
| # Generated by Django 5.0.7 on 2024-08-20 16:56 | ||
|
|
||
| from django.db import migrations | ||
|
|
||
|
|
||
| class Migration(migrations.Migration): | ||
|
|
||
| dependencies = [ | ||
| ('scanpipe', '0067_discoveredpackage_notes'), | ||
| ('scanpipe', '0067_packagescore_scorecardcheck'), | ||
| ] | ||
|
|
||
| operations = [ | ||
| ] |
There was a problem hiding this comment.
The migrations file need to be consolidated.
Migrate your local db to 0066: ./manage.py migrate scanpipe 0066
Delete those migrations files (0067 and 0068) and regenerate a single clean migration file.
| selected_steps = models.JSONField( | ||
| null=True, blank=True, validators=[validate_none_or_list] | ||
| ) | ||
| selected_steps = models.JSONField( | ||
| selected_groups = models.JSONField( |
| ) | ||
|
|
||
| @classmethod | ||
| @transaction.atomic() |
There was a problem hiding this comment.
@404-geek Could you provide an example that shows why atomic() is useful here?
scanpipe/models.py
Outdated
|
|
||
| @classmethod | ||
| @transaction.atomic() | ||
| def create_from_data(cls, DiscoveredPackage, scorecard_data, scoring_tool=None): |
There was a problem hiding this comment.
Why provide the DiscoveredPackage class object as an arg? Isn't it already present in the context/scope?
scanpipe/models.py
Outdated
| @classmethod | ||
| @transaction.atomic() | ||
| def create_from_data(cls, DiscoveredPackage, scorecard_data, scoring_tool=None): | ||
| """Create ScoreCard Object from ScoreCard Object""" |
There was a problem hiding this comment.
"Object" why using upper case here?
| Attributes | ||
| ---------- | ||
| download_inputs (bool): Indicates whether inputs should be downloaded. | ||
| is_addon (bool): Indicates whether this pipeline is an add-on. | ||
|
|
||
| Methods | ||
| ------- | ||
| steps(cls): | ||
| Defines the steps for the pipeline. | ||
|
|
||
| check_scorecode_service_availability(self): | ||
| Checks if the ScoreCode service is configured and available. | ||
|
|
||
| lookup_save_packages_scorecode_info(self): | ||
| Fetches ScoreCode information for each discovered package in the project | ||
| and saves the information to the respective package instances. | ||
|
|
There was a problem hiding this comment.
This is not consistent with existing pipelines.
Also, the Pipeline docstring is used to render documentation in the UI.
The Attributes and Methods are not relevant in that context.
| if not scorecard.is_available(): | ||
| raise Exception("scorecode service is not available.") | ||
|
|
||
| def lookup_save_packages_scorecode_info(self): |
There was a problem hiding this comment.
fetch_packages_scorecode_info would be better.
| ) | ||
|
|
||
| else: | ||
| raise Exception("No Data Found for the packages") |
There was a problem hiding this comment.
Why mxing upper and lower case in a sentence?
setup.cfg
Outdated
| @@ -98,6 +98,8 @@ install_requires = | |||
| fontawesomefree==6.6.0 | |||
| # MatchCode-toolkit | |||
| matchcode-toolkit==5.1.0 | |||
| # ScoreCode | |||
| ScoreCode[full] @ git+https://github.com/nexB/ScoreCode.git@0ab078f18d83684c3a920095bcec8664d44cf028 | |||
There was a problem hiding this comment.
What's the plan to issue a proper release of ScoreCode?
setup.cfg
Outdated
| @@ -136,6 +139,7 @@ scancodeio_pipelines = | |||
| collect_symbols_tree_sitter = scanpipe.pipelines.collect_symbols_tree_sitter:CollectSymbolsTreeSitter | |||
| enrich_with_purldb = scanpipe.pipelines.enrich_with_purldb:EnrichWithPurlDB | |||
| find_vulnerabilities = scanpipe.pipelines.find_vulnerabilities:FindVulnerabilities | |||
| get_scorecard_info_packages = scanpipe.pipelines.get_scorecard_info_packages:FetchScoreCodeInfo | |||
There was a problem hiding this comment.
fetch_scorecode_info would be much better and consistent with the pipeline name.
…#1283 Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
|
@404-geek can you check the failing tests? |
|
Hey @404-geek , what's your latest status on this PR? Any chances we can complete and merge it before it diverges too much from the main branch? |
Hi @tdruez, I’m planning to have this PR ready by next week. Most of the requested changes have been addressed; I just need to add a few test cases before pushing the final version. |
Signed-off-by: 404-geek <[email protected]>
…ecard_integration
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
Signed-off-by: 404-geek <[email protected]>
ScoreCode Integration
This pull request integrates the ScoreCode Repo into SCIO, enabling the fetching of the latest OSSF Scorecard Data for
discovered packagesusing theirvcs_url. The current implementation supportsgithub.comandgitlab.comVCS URLs.Key Features:
vcs_urlgithub.comandgitlab.comVCS URLsRelated Issues:
This feature enhances SCIO's functionality by ensuring that users can retrieve the most up-to-date security scores for packages discovered in their projects, improving overall security assessment and management.