From d043b138fe1c5707143b7ab91b183801fbaeae25 Mon Sep 17 00:00:00 2001 From: aidenwang Date: Fri, 8 Jul 2022 12:19:15 -0700 Subject: [PATCH 01/15] temp --- cmd/depdiff/dependencies.go | 64 ++++++++++++++++++++++++++ cmd/depdiff/errors.go | 13 ++++++ cmd/depdiff/scorecard_results.go | 7 +++ cmd/depdiff/vulnerabilities.go | 78 ++++++++++++++++++++++++++++++++ 4 files changed, 162 insertions(+) create mode 100644 cmd/depdiff/dependencies.go create mode 100644 cmd/depdiff/errors.go create mode 100644 cmd/depdiff/scorecard_results.go create mode 100644 cmd/depdiff/vulnerabilities.go diff --git a/cmd/depdiff/dependencies.go b/cmd/depdiff/dependencies.go new file mode 100644 index 00000000000..ab2940cafba --- /dev/null +++ b/cmd/depdiff/dependencies.go 
@@ -0,0 +1,64 @@
+package depdiff
+
+// ChangeType is the change type (added, updated, removed) of a dependency.
+type ChangeType string
+
+const (
+ Added ChangeType = "added"
+ Updated ChangeType = "updated"
+ Removed ChangeType = "removed"
+)
+
+// IsValid determines if a ChangeType is valid.
+func (ct *ChangeType) IsValid() bool {
+ switch *ct {
+ case Added, Updated, Removed:
+ return true
+ default:
+ return false
+ }
+}
+
+// Dependency is a dependency.
+type Dependency struct {
+ // // IsDirect suggests if the dependency is a direct dependency of a code commit.
+ // TODO: IsDirect remains a future feature since the current GitHub Dependency Review API
+ // mixes up direct and indirect dependencies in manifest files of different ecosystems.
+ IsDirect bool
+
+ // ChangeType indicates whether the dependency is added or removed.
+ ChangeType ChangeType `json:"change_type"`
+
+ // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go.
+ ManifestFileName string `json:"manifest"`
+
+ // Ecosystem is the name of the package management system, such as NPM, GO, PYPI.
+ Ecosystem string `json:"ecosystem" bigquery:"System"`
+
+ // Name is the name of the dependency.
+ Name string `json:"name" bigquery:"Name"`
+
+ // Version is the package version of the dependency.
+ Version string `json:"version" bigquery:"Version"`
+
+ // Package URL is a short link for a package.
+ PackageURL string `json:"package_url"`
+
+ // License is the license of the dependency.
+ License string `json:"license"`
+
+ // SrcRepoURL is the source repository URL of the dependency.
+ SrcRepoURL string `json:"source_repository_url"`
+
+ // ScResults is the Scorecard scanning result of the dependency package repository.
+ ScResults ScorecardResult `json:"scorecard_results"`
+
+ // Vulnerabilities is a list of Vulnerability.
+ Vulnerabilities []Vulnerability `json:"vulnerabilities"` + + // Dependencies is the list of dependencies of the current dependency, + // e.g. indirect (transitive) dependencies. + // TODO: this is not a version-zero feature, and will be used to analyze transitive + // dependencies in future versions. + Dependencies []Dependency `json:"dependencies"` +} diff --git a/cmd/depdiff/errors.go b/cmd/depdiff/errors.go new file mode 100644 index 00000000000..7a80d9d7229 --- /dev/null +++ b/cmd/depdiff/errors.go @@ -0,0 +1,13 @@ +package depdiff + +import ( + "errors" +) + +var ( + // ErrInvalidDepDiffFormat indicates the specified dependency diff output format is not valid. + ErrInvalidDepDiffFormat = errors.New("invalid depdiff format") + + // ErrInvalidDepDiffFormat indicates the specified dependency diff output format is not valid. + ErrMarshalDepDiffToJSON = errors.New("error marshal results to JSON") +) diff --git a/cmd/depdiff/scorecard_results.go b/cmd/depdiff/scorecard_results.go new file mode 100644 index 00000000000..7761b2564bc --- /dev/null +++ b/cmd/depdiff/scorecard_results.go @@ -0,0 +1,7 @@ +package depdiff + +// ScorecardResult is the Scorecard scanning result of a repository. +type ScorecardResult struct { + // AggregateScore is the Scorecard aggregate score (0-10) of the dependency. + AggregateScore float32 `json:"score"` +} diff --git a/cmd/depdiff/vulnerabilities.go b/cmd/depdiff/vulnerabilities.go new file mode 100644 index 00000000000..a45ba10f008 --- /dev/null +++ b/cmd/depdiff/vulnerabilities.go 
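Review bot: `ChangeType` gets an `IsValid` method, but nothing in this file applies it when a `Dependency` is decoded, and `encoding/json` will happily store any string into the `ChangeType` field, so an invalid or unexpected value from the GitHub Dependency Review API (named in the `IsDirect` comment) is only caught if every consumer remembers to call `IsValid`. That contract should be stated on the type, e.g. `// ChangeType is the change type (added, updated, removed) of a dependency. Decoding does not validate the value; call IsValid before relying on it.`. `IsDirect` is also the only field without a `json` tag, so it would encode as `"IsDirect"` next to snake_case keys, and its doc comment starts with a doubled `// //`; `IsDirect bool `json:"is_direct"`` (or `json:"-"` while it is a future feature) keeps the encoding consistent. The struct's closing brace is the last line of the hunk, so the whole type is visible here.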
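Review bot: In errors.go the doc comment on `ErrMarshalDepDiffToJSON` is a copy of the one on `ErrInvalidDepDiffFormat` and names the wrong variable, so `go doc` and the linter will report the sentinel as documented for something it is not. Replace it with `// ErrMarshalDepDiffToJSON indicates the dependency diff results could not be marshaled to JSON.`. The message `"error marshal results to JSON"` also carries an `error` prefix that becomes redundant once the error is wrapped; `errors.New("cannot marshal results to JSON")` reads cleanly in a chain.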
@@ -0,0 +1,78 @@
+package depdiff
+
+import (
+ "time"
+)
+
+// SeverityLevel is the level of severity of a vulnerability.
+type SeverityLevel string
+
+const (
+ Critical SeverityLevel = "CRITICAL"
+ High SeverityLevel = "HIGH"
+ Medium SeverityLevel = "MEDIUM"
+ Moderate SeverityLevel = "MODERATE"
+ Low SeverityLevel = "LOW"
+ None SeverityLevel = "NONE"
+ Unknown SeverityLevel = "UNKNOWN"
+)
+
+// IsValid determines if a SeverityLevel is valid.
+func (sl *SeverityLevel) IsValid() bool {
+ switch *sl {
+ case Critical, High, Medium, Moderate, Low, None, Unknown:
+ return true
+ default:
+ return false
+ }
+}
+
+// Source is an authoritative source of a vulnerability.
+type Source string
+
+const (
+ GHSA Source = "GHSA"
+ NSWG Source = "NSWG"
+ OSV Source = "OSV"
+)
+
+// IsValid determines if a Source is valid.
+func (src *Source) IsValid() bool {
+ switch *src {
+ case GHSA, NSWG, OSV:
+ return true
+ default:
+ return false
+ }
+}
+
+// Vulnerability is a security vulnerability of a dependency.
+type Vulnerability struct {
+ // Source is the source of a vulnerability.
+ Source string `bigquery:"Source"`
+
+ // ID is the identifier of a vulnerability.
+ ID string `json:"advisory_ghsa_id" bigquery:"SourceID"`
+
+ // SourceURL is the source URL of a vulnerability.
+ SourceURL string `json:"advisory_url" bigquery:"SourceURL"`
+
+ // Title is the text summary of a vulnerability.
+ Title string `json:"advisory_summary" bigquery:"Title"`
+
+ // Description is a long text paragraph of a vulnerability.
+ Description string `json:"description" bigquery:"Description"`
+
+ // Score is the score of a vulnerability given by an authoritative src.
+ // TODO: this is not a version-zero property and will be included in future versions.
+ // Score bigquery.NullFloat64 `bigquery:"Score"`
+
+ // GitHubSeverity is the severity level of a vulnerability determined by GitHub.
+ GitHubSeverity SeverityLevel `json:"github_severity" bigquery:"GitHubSeverity"` + + // ReferenceURLs include all URLs that are related to a vulnerability. + ReferenceURLs []string `json:"reference_urls" bigquery:"ReferenceURLs"` + + // DisclosedTime is the time when a vulenrability is publicly disclosed. + DisclosedTime time.Time `json:"disclosed_time" bigquery:"Disclosed"` +} From 5f95398260bedfa473581753c0d8096935153032 Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Fri, 8 Jul 2022 12:36:38 -0700 Subject: [PATCH 02/15] Update dependencies.go --- cmd/depdiff/dependencies.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cmd/depdiff/dependencies.go b/cmd/depdiff/dependencies.go index ab2940cafba..12ea643d3b5 100644 --- a/cmd/depdiff/dependencies.go +++ b/cmd/depdiff/dependencies.go @@ -1,3 +1,17 @@ +// Copyright 2022 Security Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package depdiff // ChangeType is the change type (added, updated, removed) of a dependency. From c29a8411987294a467f33acc1bad2f3e49a7f298 Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Fri, 8 Jul 2022 12:36:49 -0700 Subject: [PATCH 03/15] Update errors.go --- cmd/depdiff/errors.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cmd/depdiff/errors.go b/cmd/depdiff/errors.go index 7a80d9d7229..daec146ef73 100644 
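Review bot: `Vulnerability.Source` is declared as a plain `string`, so the `Source` type and its `IsValid` method defined a few lines above can never be applied to the field that actually carries the value; `Source Source `bigquery:"Source"`` would connect them, as `GitHubSeverity SeverityLevel` already does for severity. The field is also the only one without a `json` tag, so it encodes as `"Source"` next to snake_case keys; if it is meant to be emitted, give it an explicit tag, otherwise `json:"-"`. Both `Medium` and `Moderate` are accepted severities; if they denote the same level for the upstream feeds this type models, a comment saying which source produces which would stop callers treating them as distinct. The `DisclosedTime` comment misspells "vulnerability" as "vulenrability".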
--- a/cmd/depdiff/errors.go +++ b/cmd/depdiff/errors.go @@ -1,3 +1,17 @@ +// Copyright 2022 Security Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package depdiff import ( From 572bef56b313a2ee0508b92244192375a068043a Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Fri, 8 Jul 2022 12:36:58 -0700 Subject: [PATCH 04/15] Update scorecard_results.go --- cmd/depdiff/scorecard_results.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cmd/depdiff/scorecard_results.go b/cmd/depdiff/scorecard_results.go index 7761b2564bc..d30713263c4 100644 --- a/cmd/depdiff/scorecard_results.go +++ b/cmd/depdiff/scorecard_results.go @@ -1,3 +1,17 @@ +// Copyright 2022 Security Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package depdiff // ScorecardResult is the Scorecard scanning result of a repository. 
From dc50937a3003e9084410b9ce28a10a25e28859b1 Mon Sep 17 00:00:00 2001 From: Aiden Wang <54022336+aidenwang9867@users.noreply.github.com> Date: Fri, 8 Jul 2022 12:37:07 -0700 Subject: [PATCH 05/15] Update vulnerabilities.go --- cmd/depdiff/vulnerabilities.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cmd/depdiff/vulnerabilities.go b/cmd/depdiff/vulnerabilities.go index a45ba10f008..646c63aeea0 100644 --- a/cmd/depdiff/vulnerabilities.go +++ b/cmd/depdiff/vulnerabilities.go @@ -1,3 +1,17 @@ +// Copyright 2022 Security Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package depdiff import ( From 4e902065c2886d78aea1e473414ccd2ae469b4f6 Mon Sep 17 00:00:00 2001 From: aidenwang Date: Fri, 8 Jul 2022 15:38:26 -0700 Subject: [PATCH 06/15] save --- cmd/depdiff/errors.go | 27 ------------------- cmd/depdiff/scorecard_results.go | 21 --------------- .../check-depdiff}/dependencies.go | 27 +++++-------------- .../check-depdiff}/vulnerabilities.go | 0 4 files changed, 6 insertions(+), 69 deletions(-) delete mode 100644 cmd/depdiff/errors.go delete mode 100644 cmd/depdiff/scorecard_results.go rename {cmd/depdiff => pkg/check-depdiff}/dependencies.go (66%) rename {cmd/depdiff => pkg/check-depdiff}/vulnerabilities.go (100%) diff --git a/cmd/depdiff/errors.go b/cmd/depdiff/errors.go deleted file mode 100644 index daec146ef73..00000000000 --- a/cmd/depdiff/errors.go +++ /dev/null 
@@ -1,27 +0,0 @@ -// Copyright 2022 Security Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package depdiff - -import ( - "errors" -) - -var ( - // ErrInvalidDepDiffFormat indicates the specified dependency diff output format is not valid. - ErrInvalidDepDiffFormat = errors.New("invalid depdiff format") - - // ErrInvalidDepDiffFormat indicates the specified dependency diff output format is not valid. - ErrMarshalDepDiffToJSON = errors.New("error marshal results to JSON") -) diff --git a/cmd/depdiff/scorecard_results.go b/cmd/depdiff/scorecard_results.go deleted file mode 100644 index d30713263c4..00000000000 --- a/cmd/depdiff/scorecard_results.go +++ /dev/null 
@@ -1,21 +0,0 @@ -// Copyright 2022 Security Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package depdiff - -// ScorecardResult is the Scorecard scanning result of a repository. -type ScorecardResult struct { - // AggregateScore is the Scorecard aggregate score (0-10) of the dependency. - AggregateScore float32 `json:"score"` -} diff --git a/cmd/depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go similarity index 66% rename from cmd/depdiff/dependencies.go rename to pkg/check-depdiff/dependencies.go index 12ea643d3b5..2ec62820dc1 100644 --- a/cmd/depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go 
@@ -40,39 +40,24 @@ type Dependency struct { // mixes up direct and indirect dependencies in manifest files of different ecosystems. IsDirect bool - // ChangeType indicates whether the dependency is added or removed. + // ChangeType indicates whether the dependency is added, updated, or removed. ChangeType ChangeType `json:"change_type"` // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. ManifestFileName string `json:"manifest"` // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. - Ecosystem string `json:"ecosystem" bigquery:"System"` + Ecosystem string `json:"ecosystem"` // Name is the name of the dependency. - Name string `json:"name" bigquery:"Name"` + Name string `json:"name"` // Version is the package version of the dependency. - Version string `json:"version" bigquery:"Version"` + Version string `json:"version"` // Package URL is a short link for a package. - PackageURL string `json:"package_url"` - - // License is the license of the dependency. - License string `json:"license"` + PackageURL *string `json:"package_url"` // SrcRepoURL is the source repository URL of the dependency. - SrcRepoURL string `json:"source_repository_url"` - - // ScResults is the Scorecard scanning result of the dependency package repository. - ScResults ScorecardResult `json:"scorecard_results"` - - // Vulnerabilities is a list of Vulnerability. - Vulnerabilities []Vulnerability `json:"vulnerabilities"` - - // Dependencies is the list of dependencies of the current dependency, - // e.g. indirect (transitive) dependencies. - // TODO: this is not a version-zero feature, and will be used to analyze transitive - // dependencies in future versions. - Dependencies []Dependency `json:"dependencies"` + SrcRepoURL *string `json:"source_repository_url"` } 
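Review bot: `PackageURL` and `SrcRepoURL` become `*string` while `Ecosystem`, `Name` and `Version` stay `string`, and neither comment says why, so readers cannot tell whether a nil pointer means the API omitted the field or is just an accident of decoding; add `// nil when the Dependency Review API response omits the field.` to both pointer fields (or document the rule once on the struct, whose opening line is outside the hunk). The file headers also show the package moving to `pkg/check-depdiff` while the `package depdiff` clause is unchanged; a directory name that differs from the package name (and contains a hyphen) is legal but surprising for importers, so the mismatch is worth a deliberate decision rather than a side effect of the move.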
diff --git a/cmd/depdiff/vulnerabilities.go b/pkg/check-depdiff/vulnerabilities.go similarity index 100% rename from cmd/depdiff/vulnerabilities.go rename to pkg/check-depdiff/vulnerabilities.go From 1fee5201f2d127efca9602f1691f290a1df2e05d Mon Sep 17 00:00:00 2001 From: aidenwang Date: Fri, 8 Jul 2022 17:17:44 -0700 Subject: [PATCH 07/15] temp --- pkg/check-depdiff/dependencies.go | 5 -- pkg/check-depdiff/vulnerabilities.go | 92 ---------------------------- 2 files changed, 97 deletions(-) delete mode 100644 pkg/check-depdiff/vulnerabilities.go diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 2ec62820dc1..bfdb060897f 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -35,11 +35,6 @@ func (ct *ChangeType) IsValid() bool { // Dependency is a dependency. type Dependency struct { - // // IsDirect suggests if the dependency is a direct dependency of a code commit. - // TODO: IsDirect remains a future feature since the current GitHub Dependency Review API - // mixes up direct and indirect dependencies in manifest files of different ecosystems. - IsDirect bool - // ChangeType indicates whether the dependency is added, updated, or removed. ChangeType ChangeType `json:"change_type"` diff --git a/pkg/check-depdiff/vulnerabilities.go b/pkg/check-depdiff/vulnerabilities.go deleted file mode 100644 index 646c63aeea0..00000000000 --- a/pkg/check-depdiff/vulnerabilities.go +++ /dev/null 
@@ -1,92 +0,0 @@ -// Copyright 2022 Security Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package depdiff - -import ( - "time" -) - -// SeverityLevel is the level of severity of a vulnerability. -type SeverityLevel string - -const ( - Critical SeverityLevel = "CRITICAL" - High SeverityLevel = "HIGH" - Medium SeverityLevel = "MEDIUM" - Moderate SeverityLevel = "MODERATE" - Low SeverityLevel = "LOW" - None SeverityLevel = "NONE" - Unknown SeverityLevel = "UNKNOWN" -) - -// IsValid determines if a SeverityLevel is valid. -func (sl *SeverityLevel) IsValid() bool { - switch *sl { - case Critical, High, Medium, Moderate, Low, None, Unknown: - return true - default: - return false - } -} - -// Source is an authoritative source of a vulnerability. -type Source string - -const ( - GHSA Source = "GHSA" - NSWG Source = "NSWG" - OSV Source = "OSV" -) - -// IsValid determines if a Source is valid. -func (src *Source) IsValid() bool { - switch *src { - case GHSA, NSWG, OSV: - return true - default: - return false - } -} - -// Vulnerability is a security vulnerability of a dependency. -type Vulnerability struct { - // Source is the source of a vulnerability. - Source string `bigquery:"Source"` - - // ID is the identifier of a vulnerability. - ID string `json:"advisory_ghsa_id" bigquery:"SourceID"` - - // SourceURL is the source URL of a vulnerability. 
- SourceURL string `json:"advisory_url" bigquery:"SourceURL"` - - // Title is the text summary of a vulnerability. - Title string `json:"advisory_summary" bigquery:"Title"` - - // Description is a long text paragraph of a vulnerability. - Description string `json:"description" bigquery:"Description"` - - // Score is the score of a vulnerability given by an authoritative src. - // TODO: this is not a version-zero property and will be included in future versions. - // Score bigquery.NullFloat64 `bigquery:"Score"` - - // GitHubSeverity is the severity level of a vulnerability determined by GitHub. - GitHubSeverity SeverityLevel `json:"github_severity" bigquery:"GitHubSeverity"` - - // ReferenceURLs include all URLs that are related to a vulnerability. - ReferenceURLs []string `json:"reference_urls" bigquery:"ReferenceURLs"` - - // DisclosedTime is the time when a vulenrability is publicly disclosed. - DisclosedTime time.Time `json:"disclosed_time" bigquery:"Disclosed"` -} From 92a117e2792f2a58c6f58e2db44e4e0fe3da5194 Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 11:31:06 -0700 Subject: [PATCH 08/15] temp --- pkg/check-depdiff/dependencies.go | 51 +++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 9 deletions(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index bfdb060897f..a3a4d5d7832 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -14,12 +14,17 @@ package depdiff +import "github.com/ossf/scorecard/v4/pkg" + // ChangeType is the change type (added, updated, removed) of a dependency. type ChangeType string const ( - Added ChangeType = "added" + // Added suggests the dependency is a new one. + Added ChangeType = "added" + // Updated suggests the dependency is bumped from an old version. Updated ChangeType = "updated" + // Removed suggests the dependency is removed. Removed ChangeType = "removed" ) 
@@ -33,26 +38,54 @@ func (ct *ChangeType) IsValid() bool { } } -// Dependency is a dependency. -type Dependency struct { +// rawDependency is the Dependency structure that is used to receive +// the raw results from the GitHub Dependency Review API. +type rawDependency struct { + // Package URL is a short link for a package. + PackageURL *string `json:"package_url"` + + // SrcRepoURL is the source repository URL of the dependency. + SrcRepoURL *string `json:"source_repository_url"` + // ChangeType indicates whether the dependency is added, updated, or removed. - ChangeType ChangeType `json:"change_type"` + ChangeType *ChangeType `json:"change_type"` // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. - ManifestFileName string `json:"manifest"` + ManifestPath *string `json:"manifest"` // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. - Ecosystem string `json:"ecosystem"` + Ecosystem *string `json:"ecosystem"` // Name is the name of the dependency. Name string `json:"name"` // Version is the package version of the dependency. - Version string `json:"version"` + Version *string `json:"version"` +} +// Dependency is the dependency structure used in the returned results. +type Dependency struct { // Package URL is a short link for a package. - PackageURL *string `json:"package_url"` + PackageURL *string `json:"packageUrl"` // SrcRepoURL is the source repository URL of the dependency. - SrcRepoURL *string `json:"source_repository_url"` + SrcRepoURL *string `json:"srcRepoUrl"` + + // ChangeType indicates whether the dependency is added, updated, or removed. + ChangeType *ChangeType `json:"changeType"` + + // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. + ManifestPath *string `json:"manifest"` + + // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. 
+ Ecosystem *string `json:"ecosystem"` + + // Name is the name of the dependency. + Name string `json:"name"` + + // Version is the package version of the dependency. + Version *string `json:"version"` + + // ScReresults is the scorecard result for the dependency repo. + ScReresults pkg.ScorecardResult `json:"scorecardResults"` } From c49c7f4624f2d322f6d32afa67d7b0f074f9e097 Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 11:31:55 -0700 Subject: [PATCH 09/15] temp --- pkg/check-depdiff/dependencies.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index a3a4d5d7832..6fd4c7cec71 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -64,7 +64,7 @@ type rawDependency struct { } // Dependency is the dependency structure used in the returned results. -type Dependency struct { +type DependencyCheckResult struct { // Package URL is a short link for a package. PackageURL *string `json:"packageUrl"` From c733ba50239430c5b7b194574aa5889b36cbeb2d Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 11:32:12 -0700 Subject: [PATCH 10/15] temp --- pkg/check-depdiff/dependencies.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 6fd4c7cec71..402ab758c4e 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -63,7 +63,7 @@ type rawDependency struct { Version *string `json:"version"` } -// Dependency is the dependency structure used in the returned results. +// DependencyCheckResult is the dependency structure used in the returned results. type DependencyCheckResult struct { // Package URL is a short link for a package. PackageURL *string `json:"packageUrl"` From 137908272d20a451f79f212827d69d73a2d751a8 Mon Sep 17 00:00:00 2001 
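Review bot: `ChangeType` is now a `*ChangeType` in both `rawDependency` and `Dependency`, but `IsValid` (declared earlier in the file, outside this hunk) dereferences its receiver unconditionally, so `d.ChangeType.IsValid()` on a response where `change_type` is absent panics with a nil pointer dereference instead of reporting an invalid value. Since these structs are filled from an external API response, the method should tolerate nil: `if ct == nil { return false }` as the first statement of `IsValid`, and the doc comment should say that a nil receiver is reported as invalid. The type's closing brace is the last line of the hunk, so the full field list is visible here.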
From: aidenwang Date: Mon, 11 Jul 2022 11:32:35 -0700 Subject: [PATCH 11/15] temp --- pkg/check-depdiff/dependencies.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 402ab758c4e..35b9526b540 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -87,5 +87,5 @@ type DependencyCheckResult struct { Version *string `json:"version"` // ScReresults is the scorecard result for the dependency repo. - ScReresults pkg.ScorecardResult `json:"scorecardResults"` + ScReresults *pkg.ScorecardResult `json:"scorecardResults"` } From cdd18406a4e8da090307371c46507323446a9d6a Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 13:00:28 -0700 Subject: [PATCH 12/15] temp --- pkg/check-depdiff/dependencies.go | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 35b9526b540..14c0a3a51cc 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go 
@@ -38,31 +38,6 @@ func (ct *ChangeType) IsValid() bool { } } -// rawDependency is the Dependency structure that is used to receive -// the raw results from the GitHub Dependency Review API. -type rawDependency struct { - // Package URL is a short link for a package. - PackageURL *string `json:"package_url"` - - // SrcRepoURL is the source repository URL of the dependency. - SrcRepoURL *string `json:"source_repository_url"` - - // ChangeType indicates whether the dependency is added, updated, or removed. - ChangeType *ChangeType `json:"change_type"` - - // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. - ManifestPath *string `json:"manifest"` - - // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. - Ecosystem *string `json:"ecosystem"` - - // Name is the name of the dependency. - Name string `json:"name"` - - // Version is the package version of the dependency. - Version *string `json:"version"` -} - // DependencyCheckResult is the dependency structure used in the returned results. type DependencyCheckResult struct { // Package URL is a short link for a package. From 0e1223dcf61c63f233d4d065a0a39d17876e24b5 Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 13:28:46 -0700 Subject: [PATCH 13/15] temp --- pkg/check-depdiff/dependencies.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 14c0a3a51cc..502366902c7 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go 
@@ -44,13 +44,13 @@ type DependencyCheckResult struct { PackageURL *string `json:"packageUrl"` // SrcRepoURL is the source repository URL of the dependency. - SrcRepoURL *string `json:"srcRepoUrl"` + SrcRepoURL *string `json:"sourceRepositoryURL"` // ChangeType indicates whether the dependency is added, updated, or removed. ChangeType *ChangeType `json:"changeType"` // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. - ManifestPath *string `json:"manifest"` + ManifestPath *string `json:"manifestPath"` // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. Ecosystem *string `json:"ecosystem"` From 2ac26d7c09c2156c9247e13ea81050512f46213c Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 13:32:13 -0700 Subject: [PATCH 14/15] temp --- pkg/check-depdiff/dependencies.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index 502366902c7..e05fb3da631 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go @@ -62,5 +62,5 @@ type DependencyCheckResult struct { Version *string `json:"version"` // ScReresults is the scorecard result for the dependency repo. - ScReresults *pkg.ScorecardResult `json:"scorecardResults"` + ScorecardResults *pkg.ScorecardResult `json:"scorecardResults"` } From 2b0ffed4138f98bc60b112c6570a060552d8efee Mon Sep 17 00:00:00 2001 From: aidenwang Date: Mon, 11 Jul 2022 14:10:54 -0700 Subject: [PATCH 15/15] temp --- pkg/check-depdiff/dependencies.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/check-depdiff/dependencies.go b/pkg/check-depdiff/dependencies.go index e05fb3da631..bf386d592c8 100644 --- a/pkg/check-depdiff/dependencies.go +++ b/pkg/check-depdiff/dependencies.go 
@@ -43,24 +43,24 @@ type DependencyCheckResult struct { // Package URL is a short link for a package. PackageURL *string `json:"packageUrl"` - // SrcRepoURL is the source repository URL of the dependency. - SrcRepoURL *string `json:"sourceRepositoryURL"` + // SourceRepository is the source repository URL of the dependency. + SourceRepository *string `json:"sourceRepository"` // ChangeType indicates whether the dependency is added, updated, or removed. ChangeType *ChangeType `json:"changeType"` - // ManifestFileName is the name of the manifest file of the dependency, such as go.mod for Go. + // ManifestPath is the name of the manifest file of the dependency, such as go.mod for Go. ManifestPath *string `json:"manifestPath"` // Ecosystem is the name of the package management system, such as NPM, GO, PYPI. Ecosystem *string `json:"ecosystem"` - // Name is the name of the dependency. - Name string `json:"name"` - // Version is the package version of the dependency. Version *string `json:"version"` - // ScReresults is the scorecard result for the dependency repo. + // ScorecardResults is the scorecard result for the dependency repo. ScorecardResults *pkg.ScorecardResult `json:"scorecardResults"` + + // Name is the name of the dependency. + Name string `json:"name"` }
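Review bot: Moving `Name` to the end of `DependencyCheckResult` places the one required, non-pointer field that identifies the dependency after all the optional pointer fields, which makes the struct harder to read; keeping `Name` as the first field matches how the type is described. The rename also leaves the naming split: `PackageURL`/`packageUrl` keep the URL suffix while `SourceRepository`/`sourceRepository` drop it even though its comment still says it "is the source repository URL"; pick one convention, e.g. `// SourceRepository is the source repository of the dependency (a URL).` with a tag that matches the `PackageURL` style, or rename both consistently. The struct's opening lines are outside the hunk.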