Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hook Scorecard as a CI/CD solution, prevent bad deps from being added in code #58

Closed
inferno-chromium opened this issue Nov 11, 2020 · 11 comments
Closed

Hook Scorecard as a CI/CD solution, prevent bad deps from being added in code #58

inferno-chromium opened this issue Nov 11, 2020 · 11 comments
Labels
needs discussion
Projects
Scorecard

Comments

@inferno-chromium
Copy link
Contributor

No description provided.

@dlorenc
Copy link
Contributor

dlorenc commented Nov 11, 2020

Great idea!

I think we'd have to create a separate hook per language-package-manager that can parse out the dependency files and then call the scorecard tool.

It's probably going to be easier to do those hooks in whatever language we're handling.

Do we need a separate repo for each of those, or just one to hold them all?

@inferno-chromium
Copy link
Contributor Author

Great idea!

I think we'd have to create a separate hook per language-package-manager that can parse out the dependency files and then call the scorecard tool.

It's probably going to be easier to do those hooks in whatever language we're handling.

Do we need a separate repo for each of those, or just one to hold them all?

Probably one to hold them all.

By default, we run all the hooks in the CI run. If it does not find package lock file for a particular pkg manager, it bails out. Different hooks can be different jobs in the CI run.

@inferno-chromium inferno-chromium added this to the milestone-q2 milestone May 26, 2021
@inferno-chromium
Copy link
Contributor Author

we need to make atleast one check run in cicd pipeline.

@azeemshaikh38 azeemshaikh38 mentioned this issue May 26, 2021
Closed
@ristomcgehee
Copy link
Contributor

I think I'd like to start work on this issue. Here are some of my thoughts:

  • Snyk has multiple open source projects that parse dependency files. They are all written for node.js, so if we are willing to have a dependency on Node, we could support many languages without a great deal of work. Here's a partial list of dependency parsers:
  • I would think most users would want to specify a minimum score necessary for dependencies. If so, this issue would be dependent on !346.
  • I think users would also want a way to specify certain dependencies that can be allowed to be below the minimum score. This would be useful in an existing project where the goal would be to not add new dependencies below the minimum score.
  • Users might also want to specify certain checks that must pass, e.g. enforcing that "Active" has a score of 10.
  • Users can include a yaml file to specify options mentioned in previous bullets.

Thoughts on these points?

@kimsterv
Copy link
Contributor

kimsterv commented Jun 4, 2021

Bullets 2 - 4 all make sense to me!

For bullet 1, maybe it can be built in such a way to be pluggable so if there are other projects that parse dependency files, users would have options?

@ristomcgehee
Copy link
Contributor

I do like the idea of a pluggable architecture. I think it would be good for our project to compile in parsers for at least the popular dependency files. That way the user can download a single binary, and it will work out of the box. We can then have an option for the user to configure their own parser.

I cloned one of the Snyk repos I mentioned, and I don't think that will be useful here. They are interested in constructing a graph of all dependencies which is not exactly useful to us.

I did find another project that looks more promising: https://github.com/aquasecurity/go-dep-parser. This can parse dependencies for go.mod, npm, pipenv, composer, and more. Since it's written in Go, we could could easily incorporate it. There are some dependency files that include include the git repo such as composer.lock. For these ones, we might want to write our own parser so it can read the repo directly and not have to look it up with a web call.

@azeemshaikh38
Copy link
Contributor

Let's discuss this in our upcoming bi-weekly.

@laurentsimon
Copy link
Contributor

laurentsimon commented Jun 16, 2021
edited

did we forget to discuss this in the last meeting?
btw, there's also Google's deps.dev which offers a REST API and would do all the heavy lifting for us.

@ristomcgehee
Copy link
Contributor

did we forget to discuss this in the last meeting?

I saw it wasn't on the agenda, but I didn't bring it up because I'll be working on another issue first. Plus I'll be pretty busy the next few weeks getting our house ready to list.

btw, there's also Google's deps.dev which offers a REST API and would do all the heavy lifting for us.

I'll definitely give that look!

@laurentsimon laurentsimon removed this from the milestone-q2 milestone Oct 7, 2021
@justaugustus justaugustus added this to Backlog in Scorecard Feb 22, 2022
@afmarcum
Copy link
Contributor

afmarcum commented Aug 9, 2023
edited

Is this something that still needs to be discussed or can it be closed until it comes up again? Allowing 7 days for feedback.

@spencerschrock
Copy link
Contributor

Going to point to ossf/scorecard-action#1070, as that seems to be relevant discussion. This can be re-opened here as needed.

Scorecard automation moved this from Backlog to Done Aug 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs discussion
Projects
Scorecard
Done
Milestone
No milestone
Development

No branches or pull requests
8 participants
@kimsterv @dlorenc @azeemshaikh38 @spencerschrock @inferno-chromium @ristomcgehee @laurentsimon @afmarcum