Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

⚠️ Add ProjectPackageVersions to raw data collection #4104

Merged
merged 13 commits into from
May 30, 2024

Conversation

raghavkaul
Copy link
Contributor

What kind of change does this PR introduce?

Adds ProjectPackageVersion data to SignedReleasesData, which will let a probe consume the data. Also add mock for ProjectPackageClient.

⚠️ breaking change: implementers of the Repo interface must now implement Path().

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul raghavkaul requested a review from a team as a code owner May 13, 2024 17:26
@raghavkaul raghavkaul requested review from naveensrinivasan and spencerschrock and removed request for a team May 13, 2024 17:26
checker/raw_result.go Outdated Show resolved Hide resolved
clients/repo.go Outdated Show resolved Hide resolved
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you remind me what the intended purpose is? There's a lot of data being added to the raw results. But hard to reason about the necessity of it when there's no accompanying probe.

If we consider the ossf/scorecard response for example:
https://api.deps.dev/v3/projects/github.com%2Fossf%2Fscorecard:packageversions

checker/raw_result.go Outdated Show resolved Hide resolved
checker/raw_result.go Outdated Show resolved Hide resolved
@raghavkaul
Copy link
Contributor Author

The probe will be something like releasesHaveVerifiedProvenance, which returns a proportional finding depending on how many releases have provenance. I think we'll need System (ecosystem), Name, and Version to create a unique VersionKey (as deps.dev does) to return proportional results. Then we'll need IsVerified for the actual probe. I left Commit in there if we'll eventually want to deduplicate GitHub releases attestations from other system release attestations.

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@spencerschrock
Copy link
Member

/scdiff generate Signed-Releases

Copy link

@spencerschrock
Copy link
Member

spencerschrock commented May 17, 2024

Getting segfaults and e2e test failures, which would need to be fixed. I'm also curious how errors in the deps dev response would be handled right now (if it would mess up other data collection)

Copy link

codecov bot commented May 20, 2024

Codecov Report

Attention: Patch coverage is 0% with 27 lines in your changes are missing coverage. Please review.

Project coverage is 59.96%. Comparing base (6815161) to head (5d12fc1).
Report is 12 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4104      +/-   ##
==========================================
- Coverage   66.06%   59.96%   -6.11%     
==========================================
  Files         226      214      -12     
  Lines       16291    15551     -740     
==========================================
- Hits        10763     9325    -1438     
- Misses       4854     5535     +681     
- Partials      674      691      +17     

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul
Copy link
Contributor Author

how errors in the deps dev response would be handled right now (if it would mess up other data collection)

They're propagated up to the check level, so they'll cause the check to fail.

@raghavkaul
Copy link
Contributor Author

/scdiff generate Signed-Releases

Copy link

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul
Copy link
Contributor Author

/scdiff generate Signed-Releases

Copy link

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul
Copy link
Contributor Author

/scdiff generate Signed-Releases

Copy link

Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good. I think the cron client (as-is) will panic on a nil pointer deref, so let's fix that.

cron/internal/worker/main.go Show resolved Hide resolved
clients/gitlabrepo/client.go Show resolved Hide resolved
clients/repo.go Outdated Show resolved Hide resolved
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul raghavkaul merged commit 77dce6f into ossf:main May 30, 2024
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants