diff --git a/components/enrichers/custom-annotation/main.go b/components/enrichers/custom-annotation/main.go
index 066f1e3af..cbdecfcb5 100644
--- a/components/enrichers/custom-annotation/main.go
+++ b/components/enrichers/custom-annotation/main.go
@@ -69,9 +69,8 @@ func run(name, annotations string) error {
 }

 func main() {
- flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", ""), "what are the annotations this enricher will add to the issues")
+ flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", "{}"), "what are the annotations this enricher will add to the issues")
 flag.StringVar(&name, "annotation-name", enrichers.LookupEnvOrString("NAME", defaultName), "what is the name this enricher will masquerade as")
-
 if err := enrichers.ParseFlags(); err != nil {
 log.Fatal(err)
 }
diff --git a/components/producers/ossf-scorecard/main.go b/components/producers/ossf-scorecard/main.go
index 74e091bc5..ccb2536ef 100644
--- a/components/producers/ossf-scorecard/main.go
+++ b/components/producers/ossf-scorecard/main.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "fmt"
 "log"
+ "log/slog"

 v1 "github.com/smithy-security/smithy/api/proto/v1"

@@ -36,19 +37,22 @@ func main() {
 }

 func parseIssues(out *ScorecardOut) []*v1.Issue {
+ slog.Info("read ", slog.Int("numChecks", len(out.Checks)))
 issues := []*v1.Issue{}
 repo := out.Repo.Name
 commit := out.Repo.Commit
 for _, r := range out.Checks {
- desc, _ := json.Marshal(r)
+ var desc string
+ for _, deet := range r.Details {
+ desc += deet + "\n"
+ }
 issues = append(issues, &v1.Issue{
 Target: fmt.Sprintf("%s:%s", repo, commit),
 Type: r.Name,
 Title: r.Reason,
 Severity: scorecardToSmithySeverity(r.Score),
- Cvss: 0.0,
 Confidence: v1.Confidence_CONFIDENCE_UNSPECIFIED,
- Description: string(desc),
+ Description: desc,
 })
 }
 return issues
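Review bot: The new `"{}"` default only takes effect when the ANNOTATIONS variable is absent; judging by its name, `LookupEnvOrString` presumably returns the variable's value whenever it is set, so a task spec that sets `ANNOTATIONS: ""` still hands an empty string downstream. If the intent is that a missing value parses as an empty JSON object, the empty-string case should be normalised as well, e.g. `if annotations == "" { annotations = "{}" }` after `ParseFlags` and before the value is passed on. The rest of `main` and the `run` function it calls lie outside the hunk.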
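Review bot: The Description is now built with `desc += deet + "\n"` inside a loop, which both grows the string piecewise and leaves a trailing newline that the updated main_test.go expectation has to pin; `desc := strings.Join(r.Details, "\n")` (with the `strings` import added outside this hunk) says the same thing in one line, or keep an explicit `+ "\n"` if the trailing newline is wanted. The new `slog.Info("read ", ...)` message carries a trailing space, and the file otherwise logs through `log` per the import hunk above, so `slog.Info("read scorecard output", ...)` or the package's existing logger would be more consistent. Replacing the marshalled Check with its Details alone also drops the Documentation URL and Score from the issue text; if that is intentional, a one-line comment above the loop saying so would spare the next reader the archaeology.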
@@ -72,36 +76,37 @@ func scorecardToSmithySeverity(score float64) v1.Severity {
 // ScorecardOut represents the output of a ScoreCard run.
 type ScorecardOut struct {
- Date string
- Repo RepoInfo
- Scorecard ScorecardInfo
- Score float64
- Checks []Check `json:"checks"`
+ Date string `json:"date,omitempty"`
+ Repo RepoInfo `json:"repo,omitempty"`
+ Scorecard ScorecardInfo `json:"scorecard,omitempty"`
+ Score float64 `json:"score,omitempty"`
+ Checks []Check `json:"checks,omitempty"`
+ Metadata any `json:"metadata,omitempty"`
 }

 // Check represents a ScoreCard Result.
 type Check struct {
- Details []string
- Score float64
- Reason string
- Name string
- Documentation Docs
+ Details []string `json:"details,omitempty"`
+ Score float64 `json:"score,omitempty"`
+ Reason string `json:"reason,omitempty"`
+ Name string `json:"name,omitempty"`
+ Documentation Docs `json:"documentation,omitempty"`
 }

 // Docs represents a ScoreCard "docs" section.
 type Docs struct {
- URL string
- Short string
+ URL string `json:"url,omitempty"`
+ Short string `json:"short,omitempty"`
 }

 // ScorecardInfo represents a "scorecardinfo" section.
 type ScorecardInfo struct {
- Version string
- Commit string
+ Version string `json:"version,omitempty"`
+ Commit string `json:"commit,omitempty"`
 }

 // RepoInfo represents a repository information section.
 type RepoInfo struct {
- Name string
- Commit string
+ Name string `json:"name,omitempty"`
+ Commit string `json:"commit,omitempty"`
 }
diff --git a/components/producers/ossf-scorecard/main_test.go b/components/producers/ossf-scorecard/main_test.go
index 0a52cc509..dffaa04bd 100644
--- a/components/producers/ossf-scorecard/main_test.go
+++ b/components/producers/ossf-scorecard/main_test.go
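Review bot: `omitempty` on the `Score float64` fields of ScorecardOut and Check would erase a genuine score of 0 whenever these structs are marshalled, and as far as this diff shows they are only decoded, where the option has no effect; `json:"score"` is the safer tag for the numeric fields. The new `Metadata any` field is the only one without documentation while every sibling type carries a doc comment, and an `any` field accepts whatever shape the tool emits, so a line such as `// Metadata holds scorecard's free-form metadata, decoded as-is.` (adjusted to how it is actually used) would help. All of the touched type declarations sit entirely within the hunk.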
@@ -53,7 +53,7 @@ func TestParseIssues(t *testing.T) {
 Type: "Branch-Protection",
 Title: "branch protection is not maximal on development and all release branches",
 Severity: v1.Severity_SEVERITY_MEDIUM,
- Description: "{\"Details\":[\"Info: 'force pushes' disabled on branch 'main'\",\"Info: 'allow deletion' disabled on branch 'main'\",\"Warn: no status checks found to merge onto branch 'main'\",\"Info: number of required reviewers is 2 on branch 'main'\"],\"Score\":6,\"Reason\":\"branch protection is not maximal on development and all release branches\",\"Name\":\"Branch-Protection\",\"Documentation\":{\"URL\":\"https://github.com/ossf/scorecard/blob/23b0ddb8aa96356321cf31a2709723e29b15a951/docs/checks.md#branch-protection\",\"Short\":\"Determines if the default and release branches are protected with GitHub's branch protection settings.\"}}",
+ Description: "Info: 'force pushes' disabled on branch 'main'\nInfo: 'allow deletion' disabled on branch 'main'\nWarn: no status checks found to merge onto branch 'main'\nInfo: number of required reviewers is 2 on branch 'main'\n",
 }

 assert.Equal(t, []*v1.Issue{expectedIssue}, issues)
diff --git a/components/producers/ossf-scorecard/task.yaml b/components/producers/ossf-scorecard/task.yaml
index 05b90664a..eeef6615e 100644
--- a/components/producers/ossf-scorecard/task.yaml
+++ b/components/producers/ossf-scorecard/task.yaml
@@ -24,16 +24,16 @@ spec: description: The workspace containing the source-code to scan. steps: - name: run-ossf-scorecard - image: '{{ default "ghcr.io/smithy-security/smithy" .Values.image.registry }}/components/producers/ossf-scorecard/scorecard-smithy:{{ .Chart.AppVersion }}' + image: 'gcr.io/openssf/scorecard:v5.0.0' env: - name: GITHUB_AUTH_TOKEN value: "$(params.producer-ossf-scorecard-github-auth-token)" - script: | - /scorecard \ - --format=json \ - --show-details \ - --repo=$(params.producer-ossf-scorecard-input-repo) >/scratch/out.json - # TODO(spyros): add flags here once scorecard can write results to file + command: ["/scorecard"] + args: + - --format=json + - --show-details + - --output=/scratch/out.json + - --repo=$(params.producer-ossf-scorecard-input-repo) volumeMounts: - mountPath: /scratch name: scratch
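Review bot: The step image is now the third-party tag `gcr.io/openssf/scorecard:v5.0.0`, which is mutable, so what the pipeline executes depends on whatever is later pushed under that tag; pin it by digest, `image: 'gcr.io/openssf/scorecard:v5.0.0@sha256:<digest-from-registry>'` (placeholder), or mirror the image into the project's own registry and reference the mirror. The replaced line also resolved the registry through `.Values.image.registry`, and with it gone, deployments that override the registry (mirrored or air-gapped installs) lose that knob for this one step while every other component presumably keeps it. A short comment beside the `image:` line recording why an upstream image replaced the project-built one would keep the next reviewer from reverting it.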