smithy-security · andream16 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024 · Oct 25, 2024
diff --git a/components/enrichers/custom-annotation/main.go b/components/enrichers/custom-annotation/main.go
@@ -69,9 +69,8 @@ func run(name, annotations string) error {
 }
 
 func main() {
-	flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", ""), "what are the annotations this enricher will add to the issues")
+	flag.StringVar(&annotations, "annotations", enrichers.LookupEnvOrString("ANNOTATIONS", "{}"), "what are the annotations this enricher will add to the issues")
 	flag.StringVar(&name, "annotation-name", enrichers.LookupEnvOrString("NAME", defaultName), "what is the name this enricher will masquerade as")
-
 	if err := enrichers.ParseFlags(); err != nil {
 		log.Fatal(err)
 	}

diff --git a/components/producers/ossf-scorecard/examples/scorecard-out.json b/components/producers/ossf-scorecard/examples/scorecard-out.json
diff --git a/components/producers/ossf-scorecard/examples/scorecard-out.pb b/components/producers/ossf-scorecard/examples/scorecard-out.pb
diff --git a/components/producers/ossf-scorecard/main.go b/components/producers/ossf-scorecard/main.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"log/slog"
 
 	v1 "github.com/smithy-security/smithy/api/proto/v1"
 
@@ -36,19 +37,28 @@ func main() {
 }
 
 func parseIssues(out *ScorecardOut) []*v1.Issue {
+	slog.Info("read ", slog.Int("numChecks", len(out.Checks)))
 	issues := []*v1.Issue{}
 	repo := out.Repo.Name
 	commit := out.Repo.Commit
+
 	for _, r := range out.Checks {
-		desc, _ := json.Marshal(r)
+		desc := fmt.Sprintf("Overall Score: %.1f\nCheck Details:\n", out.Score)
+
+		for i, deet := range r.Details {
+			d := deet
+			if i != len(r.Details)-1 {
+				d += "\n"
+			}
+			desc += d
+		}
 		issues = append(issues, &v1.Issue{
 			Target:      fmt.Sprintf("%s:%s", repo, commit),
 			Type:        r.Name,
 			Title:       r.Reason,
 			Severity:    scorecardToSmithySeverity(r.Score),
-			Cvss:        0.0,
 			Confidence:  v1.Confidence_CONFIDENCE_UNSPECIFIED,
-			Description: string(desc),
+			Description: desc,
 		})
 	}
 	return issues
@@ -72,36 +82,37 @@ func scorecardToSmithySeverity(score float64) v1.Severity {
 
 // ScorecardOut represents the output of a ScoreCard run.
 type ScorecardOut struct {
-	Date      string
-	Repo      RepoInfo
-	Scorecard ScorecardInfo
-	Score     float64
-	Checks    []Check `json:"checks"`
+	Date      string        `json:"date,omitempty"`
+	Repo      RepoInfo      `json:"repo,omitempty"`
+	Scorecard ScorecardInfo `json:"scorecard,omitempty"`
+	Score     float64       `json:"score,omitempty"`
+	Checks    []Check       `json:"checks,omitempty"`
+	Metadata  any           `json:"metadata,omitempty"`
 }
 
 // Check represents a ScoreCard Result.
 type Check struct {
-	Details       []string
-	Score         float64
-	Reason        string
-	Name          string
-	Documentation Docs
+	Details       []string `json:"details,omitempty"`
+	Score         float64  `json:"score,omitempty"`
+	Reason        string   `json:"reason,omitempty"`
+	Name          string   `json:"name,omitempty"`
+	Documentation Docs     `json:"documentation,omitempty"`
 }
 
 // Docs represents a ScoreCard "docs" section.
 type Docs struct {
-	URL   string
-	Short string
+	URL   string `json:"url,omitempty"`
+	Short string `json:"short,omitempty"`
 }
 
 // ScorecardInfo represents a "scorecardinfo" section.
 type ScorecardInfo struct {
-	Version string
-	Commit  string
+	Version string `json:"version,omitempty"`
+	Commit  string `json:"commit,omitempty"`
 }
 
 // RepoInfo represents a repository information section.
 type RepoInfo struct {
-	Name   string
-	Commit string
+	Name   string `json:"name,omitempty"`
+	Commit string `json:"commit,omitempty"`
 }
diff --git a/components/producers/ossf-scorecard/main_test.go b/components/producers/ossf-scorecard/main_test.go
@@ -6,7 +6,6 @@ import (
 
 	v1 "github.com/smithy-security/smithy/api/proto/v1"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -53,8 +52,8 @@ func TestParseIssues(t *testing.T) {
 		Type:        "Branch-Protection",
 		Title:       "branch protection is not maximal on development and all release branches",
 		Severity:    v1.Severity_SEVERITY_MEDIUM,
-		Description: "{\"Details\":[\"Info: 'force pushes' disabled on branch 'main'\",\"Info: 'allow deletion' disabled on branch 'main'\",\"Warn: no status checks found to merge onto branch 'main'\",\"Info: number of required reviewers is 2 on branch 'main'\"],\"Score\":6,\"Reason\":\"branch protection is not maximal on development and all release branches\",\"Name\":\"Branch-Protection\",\"Documentation\":{\"URL\":\"https://github.com/ossf/scorecard/blob/23b0ddb8aa96356321cf31a2709723e29b15a951/docs/checks.md#branch-protection\",\"Short\":\"Determines if the default and release branches are protected with GitHub's branch protection settings.\"}}",
+		Description: "Overall Score: 4.0\nCheck Details:\nInfo: 'force pushes' disabled on branch 'main'\nInfo: 'allow deletion' disabled on branch 'main'\nWarn: no status checks found to merge onto branch 'main'\nInfo: number of required reviewers is 2 on branch 'main'",
 	}
 
-	assert.Equal(t, []*v1.Issue{expectedIssue}, issues)
+	require.Equal(t, []*v1.Issue{expectedIssue}, issues)
 }
diff --git a/components/producers/ossf-scorecard/task.yaml b/components/producers/ossf-scorecard/task.yaml
@@ -24,16 +24,16 @@ spec:
       description: The workspace containing the source-code to scan.
   steps:
   - name: run-ossf-scorecard
-    image: '{{ default "ghcr.io/smithy-security/smithy" .Values.image.registry }}/components/producers/ossf-scorecard/scorecard-smithy:{{ .Chart.AppVersion }}'
+    image: 'gcr.io/openssf/scorecard:v5.0.0'
     env:
       - name: GITHUB_AUTH_TOKEN
         value: "$(params.producer-ossf-scorecard-github-auth-token)"
-    script: |
-      /scorecard \
-      --format=json \
-      --show-details \
-      --repo=$(params.producer-ossf-scorecard-input-repo) >/scratch/out.json
-       # TODO(spyros): add flags here once scorecard can write results to file
+    command: ["/scorecard"]
+    args:
+      - --format=json
+      - --show-details
+      - --output=/scratch/out.json
+      - --repo=$(params.producer-ossf-scorecard-input-repo)
     volumeMounts:
     - mountPath: /scratch
       name: scratch

diff --git a/examples/pipelines/scorecard-project/kustomization.yaml b/examples/pipelines/scorecard-project/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+nameSuffix: -scorecard-project
+components:
+  - pkg:helm/smithy-security-oss-components/base
+  - pkg:helm/smithy-security-oss-components/producer-ossf-scorecard
+  - pkg:helm/smithy-security-oss-components/producer-aggregator
+  - pkg:helm/smithy-security-oss-components/enricher-custom-annotation
+  - pkg:helm/smithy-security-oss-components/enricher-aggregator
+  - pkg:helm/smithy-security-oss-components/consumer-stdout-json
diff --git a/examples/pipelines/scorecard-project/pipelinerun.yaml b/examples/pipelines/scorecard-project/pipelinerun.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: smithy-scorecard-project-
+spec:
+  pipelineRef:
+    name: smithy-scorecard-project
+  params:
+  - name: producer-ossf-scorecard-input-repo
+    value: https://github.com/smithy-security/smithy
+  - name: producer-ossf-scorecard-github-auth-token
+    value: $github-auth-token-permissions-to-read-repos
+  - name: enricher-custom-annotation-base-annotation
+    value: '{"foo":"bar","a":"b","1":"2"}'
+  workspaces:
+  - name: output
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi