Include OSSF Scorecard analysis using containers

__fixtures__/index.js

@@ -710,8 +710,208 @@ const sampleGithubRepository = {
   }
 }
 
+const sampleOSSFScorecardResult = {
+  date: '2024-12-11T23:55:17Z',
+  repo: {
+    name: 'github.com/octocat/Hello-World',
+    commit: 'e739f419e56442b754e4fea6dbcf98c1c8d00dda'
+  },
+  scorecard: {
+    version: 'v5.0.0',
+    commit: 'ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4'
+  },
+  score: 6,
+  checks: [
+    {
+      details: null,
+      score: 10,
+      reason: 'no binaries found in the repo',
+      name: 'Binary-Artifacts',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts',
+        short: 'Determines if the project has generated executable (binary) artifacts in the source repository.'
+      }
+    },
+    {
+      details: null,
+      score: 3,
+      reason: 'branch protection is not maximal on development and all release branches',
+      name: 'Branch-Protection',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection',
+        short: "Determines if the default and release branches are protected with GitHub's branch protection settings."
+      }
+    },
+    {
+      details: null,
+      score: 6,
+      reason: '13 out of 19 merged PRs checked by a CI test -- score normalized to 6',
+      name: 'CI-Tests',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests',
+        short: 'Determines if the project runs tests before pull requests are merged.'
+      }
+    },
+    {
+      details: null,
+      score: 0,
+      reason: 'no effort to earn an OpenSSF best practices badge detected',
+      name: 'CII-Best-Practices',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices',
+        short: 'Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.'
+      }
+    },
+    {
+      details: null,
+      score: 3,
+      reason: 'Found 9/30 approved changesets -- score normalized to 3',
+      name: 'Code-Review',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review',
+        short: 'Determines if the project requires human code review before pull requests (aka merge requests) are merged.'
+      }
+    },
+    {
+      details: null,
+      score: 10,
+      reason: 'project has 21 contributing companies or organizations',
+      name: 'Contributors',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors',
+        short: 'Determines if the project has a set of contributors from multiple organizations (e.g., companies).'
+      }
+    },
+    {
+      details: null,
+      score: 10,
+      reason: 'no dangerous workflow patterns detected',
+      name: 'Dangerous-Workflow',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow',
+        short: "Determines if the project's GitHub Action workflows avoid dangerous patterns."
+      }
+    },
+    {
+      details: null,
+      score: 0,
+      reason: 'no update tool detected',
+      name: 'Dependency-Update-Tool',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool',
+        short: 'Determines if the project uses a dependency update tool.'
+      }
+    },
+    {
+      details: null,
+      score: 0,
+      reason: 'project is not fuzzed',
+      name: 'Fuzzing',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing',
+        short: 'Determines if the project uses fuzzing.'
+      }
+    },
+    {
+      score: 10,
+      reason: 'license file detected',
+      name: 'License',
+      details: [
+        'Info: project has a license file: LICENSE:0',
+        'Info: FSF or OSI recognized license: MIT License: LICENSE:0'
+      ],
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license',
+        short: 'Determines if the project has defined a license.'
+      }
+    },
+    {
+      details: null,
+      score: 10,
+      reason: '30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10',
+      name: 'Maintained',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained',
+        short: 'Determines if the project is "actively maintained".'
+      }
+    },
+    {
+      details: null,
+      score: -1,
+      reason: 'packaging workflow not detected',
+      name: 'Packaging',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging',
+        short: 'Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.'
+      }
+    },
+    {
+      details: null,
+      score: 4,
+      reason: 'dependency not pinned by hash detected -- score normalized to 4',
+      name: 'Pinned-Dependencies',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies',
+        short: 'Determines if the project has declared and pinned the dependencies of its build process.'
+      }
+    },
+    {
+      details: null,
+      score: 0,
+      reason: 'SAST tool is not run on all commits -- score normalized to 0',
+      name: 'SAST',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast',
+        short: 'Determines if the project uses static code analysis.'
+      }
+    },
+    {
+      details: null,
+      score: 10,
+      reason: 'security policy file detected',
+      name: 'Security-Policy',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy',
+        short: 'Determines if the project has published a security policy.'
+      }
+    },
+    {
+      details: null,
+      score: -1,
+      reason: 'no releases found',
+      name: 'Signed-Releases',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases',
+        short: 'Determines if the project cryptographically signs release artifacts.'
+      }
+    },
+    {
+      details: null,
+      score: 9,
+      reason: 'detected GitHub workflow tokens with excessive permissions',
+      name: 'Token-Permissions',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions',
+        short: "Determines if the project's workflows follow the principle of least privilege."
+      }
+    },
+    {
+      details: null,
+      score: 8,
+      reason: '2 existing vulnerabilities detected',
+      name: 'Vulnerabilities',
+      documentation: {
+        url: 'https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities',
+        short: 'Determines if the project has open, known unfixed vulnerabilities.'
+      }
+    }
+  ],
+  metadata: null
+}
+
 module.exports = {
   sampleGithubOrg,
   sampleGithubListOrgRepos,
-  sampleGithubRepository
+  sampleGithubRepository,
+  sampleOSSFScorecardResult
 }

__tests__/__snapshots__/providers.test.js.snap

@@ -1,6 +1,6 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`GitHub Providers mappers Should map organization data correctly 1`] = `
+exports[`GitHub Provider mappers Should map organization data correctly 1`] = `
 {
   "advanced_security_enabled_for_new_repositories": false,
   "avatar_url": "https://github.com/images/error/octocat_happy.gif",
@@ -53,7 +53,7 @@ exports[`GitHub Providers mappers Should map organization data correctly 1`] = `
 }
 `;
 
-exports[`GitHub Providers mappers Should map repository data correctly 1`] = `
+exports[`GitHub Provider mappers Should map repository data correctly 1`] = `
 {
   "allow_auto_merge": false,
   "allow_forking": true,
@@ -114,3 +114,105 @@ exports[`GitHub Providers mappers Should map repository data correctly 1`] = `
   "watchers_count": 80,
 }
 `;
+
+exports[`OSSF Provider mappers Should map scorecard data correctly 1`] = `
+{
+  "analysis_execution_time": 19876,
+  "analysis_score": 6,
+  "analysis_time": "2024-12-11T23:55:17Z",
+  "binary_artifacts_details": undefined,
+  "binary_artifacts_documentation": "Determines if the project has generated executable (binary) artifacts in the source repository.",
+  "binary_artifacts_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts",
+  "binary_artifacts_reason": "no binaries found in the repo",
+  "binary_artifacts_score": 10,
+  "branch_protection_details": undefined,
+  "branch_protection_documentation": "Determines if the default and release branches are protected with GitHub's branch protection settings.",
+  "branch_protection_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection",
+  "branch_protection_reason": "branch protection is not maximal on development and all release branches",
+  "branch_protection_score": 3,
+  "ci_tests_details": undefined,
+  "ci_tests_documentation": "Determines if the project runs tests before pull requests are merged.",
+  "ci_tests_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests",
+  "ci_tests_reason": "13 out of 19 merged PRs checked by a CI test -- score normalized to 6",
+  "ci_tests_score": 6,
+  "cii_best_practices_details": undefined,
+  "cii_best_practices_documentation": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.",
+  "cii_best_practices_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices",
+  "cii_best_practices_reason": "no effort to earn an OpenSSF best practices badge detected",
+  "cii_best_practices_score": 0,
+  "code_review_details": undefined,
+  "code_review_documentation": "Determines if the project requires human code review before pull requests (aka merge requests) are merged.",
+  "code_review_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review",
+  "code_review_reason": "Found 9/30 approved changesets -- score normalized to 3",
+  "code_review_score": 3,
+  "contributors_details": undefined,
+  "contributors_documentation": "Determines if the project has a set of contributors from multiple organizations (e.g., companies).",
+  "contributors_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors",
+  "contributors_reason": "project has 21 contributing companies or organizations",
+  "contributors_score": 10,
+  "dangerous_workflow_details": undefined,
+  "dangerous_workflow_documentation": "Determines if the project's GitHub Action workflows avoid dangerous patterns.",
+  "dangerous_workflow_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow",
+  "dangerous_workflow_reason": "no dangerous workflow patterns detected",
+  "dangerous_workflow_score": 10,
+  "dependency_update_tool_details": undefined,
+  "dependency_update_tool_documentation": "Determines if the project uses a dependency update tool.",
+  "dependency_update_tool_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool",
+  "dependency_update_tool_reason": "no update tool detected",
+  "dependency_update_tool_score": 0,
+  "fuzzing_details": undefined,
+  "fuzzing_documentation": "Determines if the project uses fuzzing.",
+  "fuzzing_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing",
+  "fuzzing_reason": "project is not fuzzed",
+  "fuzzing_score": 0,
+  "license_details": "Info: project has a license file: LICENSE:0
+Info: FSF or OSI recognized license: MIT License: LICENSE:0",
+  "license_documentation": "Determines if the project has defined a license.",
+  "license_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license",
+  "license_reason": "license file detected",
+  "license_score": 10,
+  "maintained_details": undefined,
+  "maintained_documentation": "Determines if the project is "actively maintained".",
+  "maintained_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained",
+  "maintained_reason": "30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10",
+  "maintained_score": 10,
+  "packaging_details": undefined,
+  "packaging_documentation": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.",
+  "packaging_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging",
+  "packaging_reason": "packaging workflow not detected",
+  "packaging_score": -1,
+  "pinned_dependencies_details": undefined,
+  "pinned_dependencies_documentation": "Determines if the project has declared and pinned the dependencies of its build process.",
+  "pinned_dependencies_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies",
+  "pinned_dependencies_reason": "dependency not pinned by hash detected -- score normalized to 4",
+  "pinned_dependencies_score": 4,
+  "repo_commit": "e739f419e56442b754e4fea6dbcf98c1c8d00dda",
+  "sast_details": undefined,
+  "sast_documentation": "Determines if the project uses static code analysis.",
+  "sast_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast",
+  "sast_reason": "SAST tool is not run on all commits -- score normalized to 0",
+  "sast_score": 0,
+  "scorecard_commit": "ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4",
+  "scorecard_version": "v5.0.0",
+  "security_policy_details": undefined,
+  "security_policy_documentation": "Determines if the project has published a security policy.",
+  "security_policy_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy",
+  "security_policy_reason": "security policy file detected",
+  "security_policy_score": 10,
+  "signed_releases_details": undefined,
+  "signed_releases_documentation": "Determines if the project cryptographically signs release artifacts.",
+  "signed_releases_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases",
+  "signed_releases_reason": "no releases found",
+  "signed_releases_score": -1,
+  "token_permissions_details": undefined,
+  "token_permissions_documentation": "Determines if the project's workflows follow the principle of least privilege.",
+  "token_permissions_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions",
+  "token_permissions_reason": "detected GitHub workflow tokens with excessive permissions",
+  "token_permissions_score": 9,
+  "vulnerabilities_details": undefined,
+  "vulnerabilities_documentation": "Determines if the project has open, known unfixed vulnerabilities.",
+  "vulnerabilities_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities",
+  "vulnerabilities_reason": "2 existing vulnerabilities detected",
+  "vulnerabilities_score": 8,
+}
+`;

__tests__/cli/__snapshots__/workflows.test.js.snap

@@ -17,5 +17,10 @@ exports[`list - Non-Interactive Mode Should provide a list of available workflow
     "name": "run-all-checks",
     "workflow": [Function],
   },
+  {
+    "description": "Upsert the OSSF Scorecard scoring by running and checking every repository in the database.",
+    "name": "upsert-ossf-scorecard",
+    "workflow": [Function],
+  },
 ]
 `;

__tests__/cli/workflows.test.js

@@ -140,3 +140,7 @@ describe('run upsert-github-repositories', () => {
 describe('run run-all-checks', () => {
   test.todo('Should run all the compliance checks for the stored data')
 })
+
+describe('run upsert-ossf-scorecard', () => {
+  test.todo('Should upsert the OSSF Scorecard scoring by running and checking every repository in the database')
+})

__tests__/providers.test.js

@@ -1,10 +1,11 @@
-const { github } = require('../src/providers')
+const { github, ossf } = require('../src/providers')
 const {
   sampleGithubOrg,
-  sampleGithubRepository
+  sampleGithubRepository,
+  sampleOSSFScorecardResult
 } = require('../__fixtures__')
 
-describe('GitHub Providers', () => {
+describe('GitHub Provider', () => {
   describe('fetchOrgByLogin', () => {
     it.todo('Should fetch organization by login')
     it.todo('Should throw an error if the organization does not exist')
@@ -35,3 +36,17 @@ describe('GitHub Providers', () => {
     })
   })
 })
+
+describe('OSSF Provider', () => {
+  describe('performScorecardAnalysis', () => {
+    it.todo('Should perform scorecard analysis')
+    it.todo('Should throw an error if the repository does not exist')
+    it.todo('Should throw an error if there are network issues')
+  })
+  describe('mappers', () => {
+    it('Should map scorecard data correctly', () => {
+      const mappedData = ossf.mappers.result({ ...sampleOSSFScorecardResult, analysis_execution_time: 19876 })
+      expect(mappedData).toMatchSnapshot()
+    })
+  })
+})