ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-10-26 10:28:10 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

🌱 Refactor to make it testable

Browse Source 
- Related to https://github.com/ossf/scorecard/issues/1568

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
This commit is contained in:
naveensrinivasan 2022-03-09 05:36:23 +00:00 committed by Naveen
parent f2a132a430
commit 1995bc3b9c
7 changed files with 832 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile
View File

@ -110,7 +110,7 @@ cron/data/metadata.pb.go: cron/data/metadata.proto | $(PROTOC)
protoc --go_out=../../../ cron/data/metadata.proto protoc --go_out=../../../ cron/data/metadata.proto
generate-mocks: ## Compiles and generates all mocks using mockgen. generate-mocks: ## Compiles and generates all mocks using mockgen.
generate-mocks: clients/mockclients/repo_client.go clients/mockclients/repo.go clients/mockclients/cii_client.go checks/mockclients/vulnerabilities.go generate-mocks: clients/mockclients/repo_client.go clients/mockclients/repo.go clients/mockclients/cii_client.go checks/mockclients/vulnerabilities.go checks/mockclients/packagemanager.go
clients/mockclients/repo_client.go: clients/repo_client.go clients/mockclients/repo_client.go: clients/repo_client.go
# Generating MockRepoClient # Generating MockRepoClient
$(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt $(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
@ -123,7 +123,9 @@ clients/mockclients/cii_client.go: clients/cii_client.go
checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go
# Generating MockCIIClient # Generating MockCIIClient
$(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt $(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
checks/mockclients/packagemanager.go: cmd/packagemanager_client.go
# Generating MockPackageManagerClient
$(MOCKGEN) -source=cmd/packagemanager_client.go -destination=clients/mockclients/packagemanager.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
generate-docs: ## Generates docs generate-docs: ## Generates docs
generate-docs: validate-docs docs/checks.md generate-docs: validate-docs docs/checks.md
docs/checks.md: docs/checks/internal/checks.yaml docs/checks/internal/*.go docs/checks/internal/generate/*.go docs/checks.md: docs/checks/internal/checks.yaml docs/checks/internal/*.go docs/checks/internal/generate/*.go

65
clients/mockclients/packagemanager.go Normal file
View File

@ -0,0 +1,65 @@
// Copyright 2021 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Code generated by MockGen. DO NOT EDIT.
// Source: cmd/packagemanager_client.go
// Package mockrepo is a generated GoMock package.
package mockrepo
import (
http "net/http"
reflect "reflect"
gomock "github.com/golang/mock/gomock"
)
// MockpackageManagerClient is a mock of packageManagerClient interface.
type MockpackageManagerClient struct {
ctrl *gomock.Controller
recorder *MockpackageManagerClientMockRecorder
}
// MockpackageManagerClientMockRecorder is the mock recorder for MockpackageManagerClient.
type MockpackageManagerClientMockRecorder struct {
mock *MockpackageManagerClient
}
// NewMockpackageManagerClient creates a new mock instance.
func NewMockpackageManagerClient(ctrl *gomock.Controller) *MockpackageManagerClient {
mock := &MockpackageManagerClient{ctrl: ctrl}
mock.recorder = &MockpackageManagerClientMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use.
func (m *MockpackageManagerClient) EXPECT() *MockpackageManagerClientMockRecorder {
return m.recorder
}
// Get mocks base method.
func (m *MockpackageManagerClient) Get(URI, packagename string) (*http.Response, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "Get", URI, packagename)
ret0, _ := ret[0].(*http.Response)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// Get indicates an expected call of Get.
func (mr *MockpackageManagerClientMockRecorder) Get(URI, packagename interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockpackageManagerClient)(nil).Get), URI, packagename)
}

4
clients/repo_client.go
View File

@ -15,7 +15,9 @@
// Package clients defines the interface for RepoClient and related structs. // Package clients defines the interface for RepoClient and related structs.
package clients package clients
import "errors" import (
"errors"
)
// ErrUnsupportedFeature indicates an API that is not supported by the client. // ErrUnsupportedFeature indicates an API that is not supported by the client.
var ErrUnsupportedFeature = errors.New("unsupported feature") var ErrUnsupportedFeature = errors.New("unsupported feature")

39
cmd/package_managers.go
View File

@ -18,8 +18,6 @@ package cmd
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"net/http"
"time"
sce "github.com/ossf/scorecard/v4/errors" sce "github.com/ossf/scorecard/v4/errors"
) )
@ -29,24 +27,24 @@ type packageMangerResponse struct {
exists bool exists bool
} }
// TODO(#1568): Add unit tests for this. func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string,
func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string) (packageMangerResponse, error) { manager packageManagerClient) (packageMangerResponse, error) {
if npm != "" { if npm != "" {
gitRepo, err := fetchGitRepositoryFromNPM(npm) gitRepo, err := fetchGitRepositoryFromNPM(npm, manager)
return packageMangerResponse{ return packageMangerResponse{
exists: true, exists: true,
associatedRepo: gitRepo, associatedRepo: gitRepo,
}, err }, err
} }
if pypi != "" { if pypi != "" {
gitRepo, err := fetchGitRepositoryFromPYPI(pypi) gitRepo, err := fetchGitRepositoryFromPYPI(pypi, manager)
return packageMangerResponse{ return packageMangerResponse{
exists: true, exists: true,
associatedRepo: gitRepo, associatedRepo: gitRepo,
}, err }, err
} }
if rubygems != "" { if rubygems != "" {
gitRepo, err := fetchGitRepositoryFromRubyGems(rubygems) gitRepo, err := fetchGitRepositoryFromRubyGems(rubygems, manager)
return packageMangerResponse{ return packageMangerResponse{
exists: true, exists: true,
associatedRepo: gitRepo, associatedRepo: gitRepo,
@ -79,14 +77,9 @@ type rubyGemsSearchResults struct {
} }
// Gets the GitHub repository URL for the npm package. // Gets the GitHub repository URL for the npm package.
// nolint: noctx func fetchGitRepositoryFromNPM(packageName string, packageManager packageManagerClient) (string, error) {
func fetchGitRepositoryFromNPM(packageName string) (string, error) {
npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1" npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1"
const timeout = 10 resp, err := packageManager.Get(npmSearchURL, packageName)
client := &http.Client{
Timeout: timeout * time.Second,
}
resp, err := client.Get(fmt.Sprintf(npmSearchURL, packageName))
if err != nil { if err != nil {
return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get npm package json: %v", err)) return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get npm package json: %v", err))
} }
@ -105,14 +98,9 @@ func fetchGitRepositoryFromNPM(packageName string) (string, error) {
} }
// Gets the GitHub repository URL for the pypi package. // Gets the GitHub repository URL for the pypi package.
// nolint: noctx func fetchGitRepositoryFromPYPI(packageName string, manager packageManagerClient) (string, error) {
func fetchGitRepositoryFromPYPI(packageName string) (string, error) {
pypiSearchURL := "https://pypi.org/pypi/%s/json" pypiSearchURL := "https://pypi.org/pypi/%s/json"
const timeout = 10 resp, err := manager.Get(pypiSearchURL, packageName)
client := &http.Client{
Timeout: timeout * time.Second,
}
resp, err := client.Get(fmt.Sprintf(pypiSearchURL, packageName))
if err != nil { if err != nil {
return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get pypi package json: %v", err)) return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get pypi package json: %v", err))
} }
@ -131,14 +119,9 @@ func fetchGitRepositoryFromPYPI(packageName string) (string, error) {
} }
// Gets the GitHub repository URL for the rubygems package. // Gets the GitHub repository URL for the rubygems package.
// nolint: noctx func fetchGitRepositoryFromRubyGems(packageName string, manager packageManagerClient) (string, error) {
func fetchGitRepositoryFromRubyGems(packageName string) (string, error) {
rubyGemsSearchURL := "https://rubygems.org/api/v1/gems/%s.json" rubyGemsSearchURL := "https://rubygems.org/api/v1/gems/%s.json"
const timeout = 10 resp, err := manager.Get(rubyGemsSearchURL, packageName)
client := &http.Client{
Timeout: timeout * time.Second,
}
resp, err := client.Get(fmt.Sprintf(rubyGemsSearchURL, packageName))
if err != nil { if err != nil {
return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get ruby gem json: %v", err)) return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("failed to get ruby gem json: %v", err))
} }

710
cmd/package_managers_test.go Normal file
View File

@ -0,0 +1,710 @@
// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package cmd implements Scorecard commandline.
package cmd
import (
"bytes"
"errors"
"io/ioutil"
"net/http"
"testing"
"github.com/golang/mock/gomock"
mockrepo "github.com/ossf/scorecard/v4/clients/mockclients"
)
func Test_fetchGitRepositoryFromNPM(t *testing.T) {
t.Parallel()
type args struct {
packageName string
result string
}
tests := []struct {
name string
args args
want string
wantErr bool
}{
{
name: "fetchGitRepositoryFromNPM",
args: args{
packageName: "npm-package",
result: `
{
"objects": [
{
"package": {
"name": "@pulumi/pulumi",
"scope": "pulumi",
"version": "3.26.0",
"description": "Pulumi's Node.js SDK",
"date": "2022-03-09T14:05:40.682Z",
"links": {
"homepage": "https://github.com/pulumi/pulumi#readme",
"repository": "https://github.com/pulumi/pulumi",
"bugs": "https://github.com/pulumi/pulumi/issues"
},
"publisher": {
"username": "pulumi-bot",
"email": "bot@pulumi.com"
},
"maintainers": [
{
"username": "joeduffy",
"email": "joe@pulumi.com"
},
{
"username": "pulumi-bot",
"email": "bot@pulumi.com"
}
]
},
"score": {
"final": 0.4056031974977145,
"detail": {
"quality": 0.7308571951451065,
"popularity": 0.19908392082147397,
"maintenance": 0.3333333333333333
}
},
"searchScore": 0.00090895034
}
],
"total": 380,
"time": "Wed Mar 09 2022 18:11:10 GMT+0000 (Coordinated Universal Time)"
}
`,
},
want: "https://github.com/pulumi/pulumi",
wantErr: false,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "",
},
want: "",
wantErr: true,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "foo",
},
want: "",
wantErr: true,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: `
{
"objects": [],
"total": 380,
"time": "Wed Mar 09 2022 18:11:10 GMT+0000 (Coordinated Universal Time)"
}
`,
},
want: "",
wantErr: true,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
ctrl := gomock.NewController(t)
p := mockrepo.NewMockpackageManagerClient(ctrl)
p.EXPECT().Get(gomock.Any(), tt.args.packageName).
DoAndReturn(func(url, packageName string) (*http.Response, error) {
if tt.wantErr && tt.args.result == "" {
//nolint
return nil, errors.New("error")
}
return &http.Response{
StatusCode: 200,
Body: ioutil.NopCloser(bytes.NewBufferString(tt.args.result)),
}, nil
}).AnyTimes()
got, err := fetchGitRepositoryFromNPM(tt.args.packageName, p)
if (err != nil) != tt.wantErr {
t.Errorf("fetchGitRepositoryFromNPM() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("fetchGitRepositoryFromNPM() = %v, want %v", got, tt.want)
}
})
}
}
func Test_fetchGitRepositoryFromPYPI(t *testing.T) {
t.Parallel()
type args struct {
packageName string
result string
}
tests := []struct {
name string
args args
want string
wantErr bool
}{
{
name: "fetchGitRepositoryFromPYPI",
//nolint
args: args{
packageName: "npm-package",
//nolint
result: `
{
"info": {
"author": "Hüseyin Tekinaslan",
"author_email": "htaslan@bil.omu.edu.tr",
"bugtrack_url": null,
"classifiers": [
"Development Status :: 5 - Production/Stable",
"License :: OSI Approved :: MIT License",
"Programming Language :: Python",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.2",
"Programming Language :: Python :: 3.3",
"Programming Language :: Python :: 3.4",
"Programming Language :: Python :: 3.5",
"Programming Language :: Python :: Implementation :: CPython",
"Topic :: Software Development :: Libraries :: Python Modules"
],
"description": "UNKNOWN",
"description_content_type": null,
"docs_url": null,
"downoad_url": null,
"downloads": {
"last_day": -1,
"last_month": -1,
"last_week": -1
},
"home_page": "http://github.com/htaslan/color",
"keywords": "colorize pycolorize color pycolor",
"license": "MIT",
"maintainer": null,
"maintainer_email": null,
"name": "color",
"package_url": "https://pypi.org/project/color/",
"platform": "UNKNOWN",
"project_url": "https://pypi.org/project/color/",
"project_urls": {
"Homepage": "http://github.com/htaslan/color",
"Source": "foo"
},
"release_url": "https://pypi.org/project/color/0.1/",
"requires_dist": null,
"requires_python": null,
"summary": "python module for colorize string",
"version": "0.1",
"yanked": false,
"yanked_reason": null
},
"last_serial": 2041956,
"releases": {
"0.1": [
{
"comment_text": "a python module of colorize string",
"digests": {
"md5": "1a4577069c636b28d85052db9a384b95",
"sha256": "de5b51fea834cb067631beaa1ec11d7753f1e3615e836e2e4c34dcf2b343eac2"
},
"downloads": -1,
"filename": "color-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "1a4577069c636b28d85052db9a384b95",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 3568,
"upload_time": "2016-04-01T13:23:25",
"upload_time_iso_8601": "2016-04-01T13:23:25.284973Z",
"url": "https://files.pythonhosted.org/packages/88/04/0defd6f424e5bafb5abc75510cbe119a85d80b5505f1de5cd9a16d89ba8c/color-0.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
]
},
"urls": [
{
"comment_text": "a python module of colorize string",
"digests": {
"md5": "1a4577069c636b28d85052db9a384b95",
"sha256": "de5b51fea834cb067631beaa1ec11d7753f1e3615e836e2e4c34dcf2b343eac2"
},
"downloads": -1,
"filename": "color-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "1a4577069c636b28d85052db9a384b95",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 3568,
"upload_time": "2016-04-01T13:23:25",
"upload_time_iso_8601": "2016-04-01T13:23:25.284973Z",
"url": "https://files.pythonhosted.org/packages/88/04/0defd6f424e5bafb5abc75510cbe119a85d80b5505f1de5cd9a16d89ba8c/color-0.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"vulnerabilities": []
}
`,
},
want: "foo",
wantErr: false,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "",
},
want: "",
wantErr: true,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "foo",
},
want: "",
wantErr: true,
},
{
name: "empty project url",
//nolint
args: args{
packageName: "npm-package",
//nolint
result: `
{
"info": {
"author": "Hüseyin Tekinaslan",
"author_email": "htaslan@bil.omu.edu.tr",
"bugtrack_url": null,
"classifiers": [
"Development Status :: 5 - Production/Stable",
"License :: OSI Approved :: MIT License",
"Programming Language :: Python",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.2",
"Programming Language :: Python :: 3.3",
"Programming Language :: Python :: 3.4",
"Programming Language :: Python :: 3.5",
"Programming Language :: Python :: Implementation :: CPython",
"Topic :: Software Development :: Libraries :: Python Modules"
],
"description": "UNKNOWN",
"description_content_type": null,
"docs_url": null,
"downoad_url": null,
"downloads": {
"last_day": -1,
"last_month": -1,
"last_week": -1
},
"home_page": "http://github.com/htaslan/color",
"keywords": "colorize pycolorize color pycolor",
"license": "MIT",
"maintainer": null,
"maintainer_email": null,
"name": "color",
"package_url": "https://pypi.org/project/color/",
"platform": "UNKNOWN",
"project_url": "https://pypi.org/project/color/",
"project_urls": {
"Homepage": "http://github.com/htaslan/color",
"Source": ""
},
"release_url": "https://pypi.org/project/color/0.1/",
"requires_dist": null,
"requires_python": null,
"summary": "python module for colorize string",
"version": "0.1",
"yanked": false,
"yanked_reason": null
},
"last_serial": 2041956,
"releases": {
"0.1": [
{
"comment_text": "a python module of colorize string",
"digests": {
"md5": "1a4577069c636b28d85052db9a384b95",
"sha256": "de5b51fea834cb067631beaa1ec11d7753f1e3615e836e2e4c34dcf2b343eac2"
},
"downloads": -1,
"filename": "color-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "1a4577069c636b28d85052db9a384b95",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 3568,
"upload_time": "2016-04-01T13:23:25",
"upload_time_iso_8601": "2016-04-01T13:23:25.284973Z",
"url": "https://files.pythonhosted.org/packages/88/04/0defd6f424e5bafb5abc75510cbe119a85d80b5505f1de5cd9a16d89ba8c/color-0.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
]
},
"urls": [
{
"comment_text": "a python module of colorize string",
"digests": {
"md5": "1a4577069c636b28d85052db9a384b95",
"sha256": "de5b51fea834cb067631beaa1ec11d7753f1e3615e836e2e4c34dcf2b343eac2"
},
"downloads": -1,
"filename": "color-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "1a4577069c636b28d85052db9a384b95",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 3568,
"upload_time": "2016-04-01T13:23:25",
"upload_time_iso_8601": "2016-04-01T13:23:25.284973Z",
"url": "https://files.pythonhosted.org/packages/88/04/0defd6f424e5bafb5abc75510cbe119a85d80b5505f1de5cd9a16d89ba8c/color-0.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"vulnerabilities": []
}
`,
},
want: "",
wantErr: true,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
ctrl := gomock.NewController(t)
p := mockrepo.NewMockpackageManagerClient(ctrl)
p.EXPECT().Get(gomock.Any(), tt.args.packageName).
DoAndReturn(func(url, packageName string) (*http.Response, error) {
if tt.wantErr && tt.args.result == "" {
//nolint
return nil, errors.New("error")
}
return &http.Response{
StatusCode: 200,
Body: ioutil.NopCloser(bytes.NewBufferString(tt.args.result)),
}, nil
}).AnyTimes()
got, err := fetchGitRepositoryFromPYPI(tt.args.packageName, p)
if (err != nil) != tt.wantErr {
t.Errorf("fetchGitRepositoryFromPYPI() error = %v, wantErr %v testcase name %v", err, tt.wantErr, tt.name)
return
}
if got != tt.want {
t.Errorf("fetchGitRepositoryFromPYPI() = %v, want %v", got, tt.want)
}
})
}
}
func Test_fetchGitRepositoryFromRubyGems(t *testing.T) {
t.Parallel()
type args struct {
packageName string
result string
}
tests := []struct {
name string
args args
want string
wantErr bool
}{
{
name: "fetchGitRepositoryFromPYPI",
//nolint
args: args{
packageName: "npm-package",
//nolint
result: `
{
"name": "color",
"downloads": 8177801,
"version": "1.8",
"version_created_at": "2015-10-26T05:03:11.976Z",
"version_downloads": 4558362,
"platform": "ruby",
"authors": "Austin Ziegler, Matt Lyon",
"info": "Color is a Ruby library to provide basic RGB, CMYK, HSL, and other colourspace\nmanipulation support to applications that require it. It also provides 152\nnamed RGB colours (184 with spelling variations) that are commonly supported in\nHTML, SVG, and X11 applications. A technique for generating monochromatic\ncontrasting palettes is also included.\n\nThe Color library performs purely mathematical manipulation of the colours\nbased on colour theory without reference to colour profiles (such as sRGB or\nAdobe RGB). For most purposes, when working with RGB and HSL colour spaces,\nthis won't matter. Absolute colour spaces (like CIE L*a*b* and XYZ) and cannot\nbe reliably converted to relative colour spaces (like RGB) without colour\nprofiles.\n\nColor 1.8 adds an alpha parameter to all &lt;tt&gt;#css_rgba&lt;/tt&gt; calls, fixes a bug\nexposed by new constant lookup semantics in Ruby 2, and ensures that\n&lt;tt&gt;Color.equivalent?&lt;/tt&gt; can only be called on Color instances.\n\nBarring bugs introduced in this release, this (really) is the last version of\ncolor that supports Ruby 1.8, so make sure that your gem specification is set\nproperly (to &lt;tt&gt;~&gt; 1.8&lt;/tt&gt;) if that matters for your application. This\nversion will no longer be supported one year after the release of color 2.0.",
"licenses": [
"MIT"
],
"metadata": {},
"yanked": false,
"sha": "0a8512ecf6a8fe14928707f7d2766680c955b3a2224de198c1e25c837cd36f82",
"project_uri": "https://rubygems.org/gems/color",
"gem_uri": "https://rubygems.org/gems/color-1.8.gem",
"homepage_uri": "https://github.com/halostatue/color",
"wiki_uri": null,
"documentation_uri": "https://www.rubydoc.info/gems/color/1.8",
"mailing_list_uri": null,
"source_code_uri": "foo",
"bug_tracker_uri": null,
"changelog_uri": null,
"funding_uri": null,
"dependencies": {
"development": [
{
"name": "hoe",
"requirements": "~> 3.14"
},
{
"name": "hoe-doofus",
"requirements": "~> 1.0"
},
{
"name": "hoe-gemspec2",
"requirements": "~> 1.1"
},
{
"name": "hoe-git",
"requirements": "~> 1.6"
},
{
"name": "hoe-travis",
"requirements": "~> 1.2"
},
{
"name": "minitest",
"requirements": "~> 5.8"
},
{
"name": "minitest-around",
"requirements": "~> 0.3"
},
{
"name": "minitest-autotest",
"requirements": "~> 1.0"
},
{
"name": "minitest-bisect",
"requirements": "~> 1.2"
},
{
"name": "minitest-focus",
"requirements": "~> 1.1"
},
{
"name": "minitest-moar",
"requirements": "~> 0.0"
},
{
"name": "minitest-pretty_diff",
"requirements": "~> 0.1"
},
{
"name": "rake",
"requirements": "~> 10.0"
},
{
"name": "rdoc",
"requirements": "~> 4.0"
},
{
"name": "simplecov",
"requirements": "~> 0.7"
}
],
"runtime": []
}
}
`,
},
want: "foo",
wantErr: false,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "",
},
want: "",
wantErr: true,
},
{
name: "fetchGitRepositoryFromNPM_error",
args: args{
packageName: "npm-package",
result: "foo",
},
want: "",
wantErr: true,
},
{
name: "empty project url",
//nolint
args: args{
packageName: "npm-package",
//nolint
result: `
{
"name": "color",
"downloads": 8177801,
"version": "1.8",
"version_created_at": "2015-10-26T05:03:11.976Z",
"version_downloads": 4558362,
"platform": "ruby",
"authors": "Austin Ziegler, Matt Lyon",
"info": "Color is a Ruby library to provide basic RGB, CMYK, HSL, and other colourspace\nmanipulation support to applications that require it. It also provides 152\nnamed RGB colours (184 with spelling variations) that are commonly supported in\nHTML, SVG, and X11 applications. A technique for generating monochromatic\ncontrasting palettes is also included.\n\nThe Color library performs purely mathematical manipulation of the colours\nbased on colour theory without reference to colour profiles (such as sRGB or\nAdobe RGB). For most purposes, when working with RGB and HSL colour spaces,\nthis won't matter. Absolute colour spaces (like CIE L*a*b* and XYZ) and cannot\nbe reliably converted to relative colour spaces (like RGB) without colour\nprofiles.\n\nColor 1.8 adds an alpha parameter to all &lt;tt&gt;#css_rgba&lt;/tt&gt; calls, fixes a bug\nexposed by new constant lookup semantics in Ruby 2, and ensures that\n&lt;tt&gt;Color.equivalent?&lt;/tt&gt; can only be called on Color instances.\n\nBarring bugs introduced in this release, this (really) is the last version of\ncolor that supports Ruby 1.8, so make sure that your gem specification is set\nproperly (to &lt;tt&gt;~&gt; 1.8&lt;/tt&gt;) if that matters for your application. This\nversion will no longer be supported one year after the release of color 2.0.",
"licenses": [
"MIT"
],
"metadata": {},
"yanked": false,
"sha": "0a8512ecf6a8fe14928707f7d2766680c955b3a2224de198c1e25c837cd36f82",
"project_uri": "https://rubygems.org/gems/color",
"gem_uri": "https://rubygems.org/gems/color-1.8.gem",
"homepage_uri": "https://github.com/halostatue/color",
"wiki_uri": null,
"documentation_uri": "https://www.rubydoc.info/gems/color/1.8",
"mailing_list_uri": null,
"source_code_uri": "",
"bug_tracker_uri": null,
"changelog_uri": null,
"funding_uri": null,
"dependencies": {
"development": [
{
"name": "hoe",
"requirements": "~> 3.14"
},
{
"name": "hoe-doofus",
"requirements": "~> 1.0"
},
{
"name": "hoe-gemspec2",
"requirements": "~> 1.1"
},
{
"name": "hoe-git",
"requirements": "~> 1.6"
},
{
"name": "hoe-travis",
"requirements": "~> 1.2"
},
{
"name": "minitest",
"requirements": "~> 5.8"
},
{
"name": "minitest-around",
"requirements": "~> 0.3"
},
{
"name": "minitest-autotest",
"requirements": "~> 1.0"
},
{
"name": "minitest-bisect",
"requirements": "~> 1.2"
},
{
"name": "minitest-focus",
"requirements": "~> 1.1"
},
{
"name": "minitest-moar",
"requirements": "~> 0.0"
},
{
"name": "minitest-pretty_diff",
"requirements": "~> 0.1"
},
{
"name": "rake",
"requirements": "~> 10.0"
},
{
"name": "rdoc",
"requirements": "~> 4.0"
},
{
"name": "simplecov",
"requirements": "~> 0.7"
}
],
"runtime": []
}
}
`,
},
want: "",
wantErr: true,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
ctrl := gomock.NewController(t)
p := mockrepo.NewMockpackageManagerClient(ctrl)
p.EXPECT().Get(gomock.Any(), tt.args.packageName).
DoAndReturn(func(url, packageName string) (*http.Response, error) {
if tt.wantErr && tt.args.result == "" {
//nolint
return nil, errors.New("error")
}
return &http.Response{
StatusCode: 200,
Body: ioutil.NopCloser(bytes.NewBufferString(tt.args.result)),
}, nil
}).AnyTimes()
got, err := fetchGitRepositoryFromRubyGems(tt.args.packageName, p)
if (err != nil) != tt.wantErr {
t.Errorf("fetchGitRepositoryFromRubyGems() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("fetchGitRepositoryFromRubyGems() = %v, want %v", got, tt.want)
}
})
}
}

23
cmd/packagemanager_client.go Normal file
View File

@ -0,0 +1,23 @@
// Copyright 2021 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cmd
import (
"net/http"
)
type packageManagerClient interface {
Get(URI string, packagename string) (*http.Response, error)
}

17
cmd/root.go
View File

@ -19,9 +19,11 @@ import (
"context" "context"
"fmt" "fmt"
"log" "log"
"net/http"
"os" "os"
"sort" "sort"
"strings" "strings"
"time"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"sigs.k8s.io/release-utils/version" "sigs.k8s.io/release-utils/version"
@ -71,10 +73,23 @@ func New(o *options.Options) *cobra.Command {
return cmd return cmd
} }
type packageManager struct{}
// nolint: noctx
func (c *packageManager) Get(url, packageName string) (*http.Response, error) {
const timeout = 10
client := &http.Client{
Timeout: timeout * time.Second,
}
//nolint
return client.Get(fmt.Sprintf(url, packageName))
}
// rootCmd runs scorecard checks given a set of arguments. // rootCmd runs scorecard checks given a set of arguments.
func rootCmd(o *options.Options) { func rootCmd(o *options.Options) {
p := &packageManager{}
// Set `repo` from package managers. // Set `repo` from package managers.
pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems) pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems, p)
if err != nil { if err != nil {
log.Panic(err) log.Panic(err)
} }