feat(scorecard): Implement baseUrl for fetching openssf data#2301
…nd simplified the usage of the openssf client by fetching scorecards only using a baseUrl
Missing Changesets: The following package(s) are changed by this PR but do not have a changeset:
See CONTRIBUTING.md for more information about how to add changesets.
Changed Packages
workspaces/scorecard/plugins/scorecard-backend-module-openssf/src/clients/OpenSSFClient.ts
| kind: Component | ||
| metadata: | ||
| name: openssf-scorecard-only | ||
| name: openssf-scorecard |
Is the name change needed for something? The idea was that it is obvious that this entity has just openssf-scorecard scorecard features enabled.
| - The repository is private (OpenSSF only analyzes public repositories) | ||
| - The repository path in the annotation is incorrect | ||
| - The metric score is lower than -1 or higher than 10. | ||
| 18 metrics from [OpenSSF checks](https://github.com/ossf/scorecard/blob/main/docs/checks.md): `openssf.binary_artifacts`, `openssf.branch_protection`, `openssf.cii_best_practices`, `openssf.ci_tests`, `openssf.code_review`, `openssf.contributors`, `openssf.dangerous_workflow`, `openssf.dependency_update_tool`, `openssf.fuzzing`, `openssf.license`, `openssf.maintained`, `openssf.packaging`, `openssf.pinned_dependencies`, `openssf.sast`, `openssf.security_policy`, `openssf.signed_releases`, `openssf.token_permissions`, `openssf.vulnerabilities`. |
Why did you replace the table with these metrics? I personally find a list or table more readable than this comma-separated list.
| type: service | ||
| lifecycle: production | ||
| owner: my-team | ||
| openssf/baseUrl: https://api.securityscorecards.dev/projects/github.com/owner/repo |
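Review bot: The annotation named `openssf/baseUrl` carries a full per-repository scorecard URL (`https://api.securityscorecards.dev/projects/github.com/owner/repo`), not a base URL, so the name and the PR title do not match what the example asks users to configure. Either rename the annotation to say it is a full scorecard URL, or keep a single configurable base URL on the plugin side and derive the project path from the repository location, which also keeps the API host the backend talks to under operator control rather than per-entity YAML.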
I think you have changed this annotation
| For the OpenSSF metrics to work, your catalog entities must have the required annotation: | ||
| | Annotation | Required | Description | | ||
| | ----------------- | -------- | --------------------------------------------------------------------------- | | ||
| | `openssf/baseUrl` | Yes | Full scorecard API URL for this component (e.g. public API or self-hosted). | |
You changed that annotation
| const apiUrl = `${this.baseUrl}/${this.gitServiceHost}/${owner}/${repo}`; | ||
| async getScorecard(entity: Entity): Promise<OpenSSFResponse> { | ||
| const scorecardUrl = | ||
| entity.metadata.annotations?.['openssf/scorecardUrl'] ?? ''; |
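Review bot: `getScorecard` now reads the request URL straight from the entity annotation `openssf/scorecardUrl` with no validation, so anyone who can edit catalog YAML can point the backend at any host; the documentation hunk above meanwhile documents the annotation as `openssf/baseUrl`, so one of the two names is wrong. Suggest a single exported constant for the annotation key, an explicit error instead of the `?? ''` fallback (an empty URL only fails later with a confusing fetch error), and a check that the parsed URL's origin matches the configured scorecard API host before fetching.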
Can you please create a src/annotations.ts with an export for the annotations?
```ts
/**
 * @public
 */
export enum OpenSSFAnnotation {
  URL = 'openssf/scorecardUrl',
}
```
And I've added above. Maybe this should be called "openssf.dev/scorecard-location"? /cc @dzemanov
@alizard0 to follow backstage's annotation format, e.g. backstage.io/..., github.com/...
CI Feedback 🧐: A test triggered by this PR failed. Here is an AI-generated analysis of the failure: