aboutcode-org
diff --git a/‎CHANGELOG.rst‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.rst‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/built-in-pipelines.rst‎
Lines changed: 10 additions & 6 deletions b/‎docs/built-in-pipelines.rst‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎docs/policies.rst‎
Lines changed: 2 additions & 1 deletion b/‎docs/policies.rst‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎scanpipe/migrations/0076_discoveredpackagescore_scorecardcheck_and_more.py‎
Lines changed: 64 additions & 0 deletions b/‎scanpipe/migrations/0076_discoveredpackagescore_scorecardcheck_and_more.py‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎scanpipe/models.py‎
Lines changed: 100 additions & 2 deletions b/‎scanpipe/models.py‎
Lines changed: 100 additions & 2 deletions
diff --git a/‎scanpipe/pipelines/fetch_scores.py‎
Lines changed: 66 additions & 0 deletions b/‎scanpipe/pipelines/fetch_scores.py‎
Lines changed: 66 additions & 0 deletions
@@ -22,6 +22,11 @@ v35.2.0 (unreleased)
   Vulnerabilities and compliance alert are displayed along the dependency entries.
   https://github.com/aboutcode-org/scancode.io/pull/1742
 
+- Add new ``fetch_scores`` pipeline.
+  This pipeline retrieves ScoreCode data for each discovered package in the project
+  and stores it in the corresponding package instances.
+  https://github.com/aboutcode-org/scancode.io/pull/1294
+
 v35.1.0 (2025-07-02)
 --------------------
 
 
@@ -82,7 +82,6 @@ Collect symbols and string with Tree-Sitter (addon)
 
 Enrich With PurlDB (addon)
 --------------------------
-
 .. warning::
     This pipeline requires access to a PurlDB service.
     Refer to :ref:`scancodeio_settings_purldb` to configure access to PurlDB in your
@@ -96,7 +95,6 @@ Enrich With PurlDB (addon)
 
 Find Vulnerabilities (addon)
 ----------------------------
-
 .. warning::
     This pipeline requires access to a VulnerableCode database.
     Refer to :ref:`scancodeio_settings_vulnerablecode` to configure access to
@@ -150,7 +148,6 @@ Resolve Dependencies
 
 Map Deploy To Develop
 ---------------------
-
 .. warning::
     This pipeline requires input files to be tagged with the following:
 
@@ -168,7 +165,6 @@ Map Deploy To Develop
 
 Match to MatchCode (addon)
 --------------------------
-
 .. warning::
     This pipeline requires access to a MatchCode.io service.
     Refer to :ref:`scancodeio_settings_matchcodeio` to configure access to
@@ -182,7 +178,6 @@ Match to MatchCode (addon)
 
 Populate PurlDB (addon)
 -----------------------
-
 .. warning::
     This pipeline requires access to a PurlDB service.
     Refer to :ref:`scancodeio_settings_purldb` to configure access to PurlDB in your
@@ -196,7 +191,6 @@ Populate PurlDB (addon)
 
 Publish To FederatedCode (addon)
 --------------------------------
-
 .. warning::
     This pipeline requires access to a FederatedCode service.
     Refer to :ref:`scancodeio_settings_federatedcode` to configure access to
@@ -229,3 +223,13 @@ Scan Single Package
 .. autoclass:: scanpipe.pipelines.scan_single_package.ScanSinglePackage()
     :members:
     :member-order: bysource
+
+Fetch Scores (addon)
+--------------------
+.. warning::
+    This pipeline is preconfigured to access the "OpenSSF Scorecard API"
+    available at https://api.securityscorecards.dev/
+
+.. autoclass:: scanpipe.pipelines.fetch_scores.FetchScores()
+    :members:
+    :member-order: bysource
@@ -152,7 +152,8 @@ REST API
 --------
 
 For more details on retrieving compliance data through the REST API, see the
-:ref:`rest_api_compliance` section and :ref:`rest_api_clarity_compliance` section.
+:ref:`rest_api_compliance` section and :ref:`rest_api_license_clarity_compliance`
+section.
 
 Command Line Interface
 ----------------------
 
@@ -94,7 +94,10 @@ dependencies = [
   "aboutcode.hashid==0.2.0",
   # AboutCode pipeline
   "aboutcode.pipeline==0.2.1",
-  "scipy==1.15.3"
+  "scipy==1.15.3",
+  # ScoreCode
+  "scorecode==0.0.4",
+
 ]
 
 [project.optional-dependencies]
@@ -134,6 +137,7 @@ collect_symbols_ctags = "scanpipe.pipelines.collect_symbols_ctags:CollectSymbols
 collect_symbols_pygments = "scanpipe.pipelines.collect_symbols_pygments:CollectSymbolsPygments"
 collect_symbols_tree_sitter = "scanpipe.pipelines.collect_symbols_tree_sitter:CollectSymbolsTreeSitter"
 enrich_with_purldb = "scanpipe.pipelines.enrich_with_purldb:EnrichWithPurlDB"
+fetch_scores = "scanpipe.pipelines.fetch_scores:FetchScores"
 find_vulnerabilities = "scanpipe.pipelines.find_vulnerabilities:FindVulnerabilities"
 inspect_elf_binaries = "scanpipe.pipelines.inspect_elf_binaries:InspectELFBinaries"
 inspect_packages = "scanpipe.pipelines.inspect_packages:InspectPackages"
 
@@ -0,0 +1,64 @@
+# Generated by Django 5.1.11 on 2025-07-25 12:55
+
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0075_codebaseresource_parent_path_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DiscoveredPackageScore',
+            fields=[
+                ('scoring_tool', models.CharField(blank=True, choices=[('ossf-scorecard', 'Ossf'), ('others', 'Others')], help_text='Defines the source of a score or any other scoring metricsFor example: ossf-scorecard for scorecard data', max_length=100)),
+                ('scoring_tool_version', models.CharField(blank=True, help_text='Defines the version of the scoring tool used for scanning thepackageFor Eg : 4.6 current version of OSSF - scorecard', max_length=50)),
+                ('score', models.CharField(blank=True, help_text='Score of the package which is scanned', max_length=50)),
+                ('scoring_tool_documentation_url', models.CharField(blank=True, help_text='Documentation URL of the scoring tool used', max_length=100)),
+                ('score_date', models.DateTimeField(blank=True, editable=False, help_text='Date when the scoring was calculated on the package', null=True)),
+                ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+                ('discovered_package', models.ForeignKey(editable=False, help_text='The package for which the score is given', on_delete=django.db.models.deletion.CASCADE, related_name='scores', to='scanpipe.discoveredpackage')),
+            ],
+            options={
+                'verbose_name': 'discovered package score',
+                'verbose_name_plural': 'discovered package scores',
+                'ordering': ['-score'],
+            },
+        ),
+        migrations.CreateModel(
+            name='ScorecardCheck',
+            fields=[
+                ('check_name', models.CharField(blank=True, help_text='Defines the name of check corresponding to the OSSF scoreFor example: Code-Review or CII-Best-PracticesThese are the some of the checks which are performed on a scanned package', max_length=100)),
+                ('check_score', models.CharField(blank=True, help_text='Defines the score of the check for the package scannedFor Eg : 9 is a score given for Code-Review', max_length=50)),
+                ('reason', models.CharField(blank=True, help_text='Gives a reason why a score was given for a specific checkFor eg, : Found 9/10 approved changesets -- score normalized to 9', max_length=300)),
+                ('details', models.JSONField(blank=True, default=list, help_text='A list of details/errors regarding the score')),
+                ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+                ('package_score', models.ForeignKey(editable=False, help_text='The checks for which the score is given', on_delete=django.db.models.deletion.CASCADE, related_name='checks', to='scanpipe.discoveredpackagescore')),
+            ],
+            options={
+                'verbose_name': 'scorecard check',
+                'verbose_name_plural': 'scorecard checks',
+                'ordering': ['-check_score'],
+            },
+        ),
+        migrations.AddIndex(
+            model_name='discoveredpackagescore',
+            index=models.Index(fields=['score'], name='scanpipe_di_score_078964_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='discoveredpackagescore',
+            index=models.Index(fields=['scoring_tool_version'], name='scanpipe_di_scoring_7fa482_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scorecardcheck',
+            index=models.Index(fields=['check_score'], name='scanpipe_sc_check_s_e189f7_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scorecardcheck',
+            index=models.Index(fields=['check_name'], name='scanpipe_sc_check_n_1df2b1_idx'),
+        ),
+    ]
@@ -88,6 +88,8 @@
 from rq.exceptions import NoSuchJobError
 from rq.job import Job
 from rq.job import JobStatus
+from scorecode.contrib.django.models import PackageScoreMixin
+from scorecode.contrib.django.models import ScorecardChecksMixin
 from taggit.managers import TaggableManager
 from taggit.models import GenericUUIDTaggedItemBase
 from taggit.models import TaggedItemBase
@@ -3932,9 +3934,9 @@ class DiscoveredDependency(
 
     3. Dependencies can be either direct or transitive:
        - A **direct dependency** is explicitly declared in a package manifest or
-         lockfile.
+       lockfile.
        - A **transitive dependency** is not declared directly, but is required by one
-         of the project's direct dependencies.
+       of the project's direct dependencies.
 
     Understanding the distinction between direct and transitive dependencies is
     important for analyzing dependency trees, resolving version conflicts, and
@@ -4760,3 +4762,99 @@ def create_auth_token(sender, instance=None, created=False, **kwargs):
     """Create an API key token on user creation, using the signal system."""
     if created:
         Token.objects.create(user_id=instance.pk)
+
+
+class DiscoveredPackageScore(UUIDPKModel, PackageScoreMixin):
+    """Represents a security or quality score for a DiscoveredPackage."""
+
+    discovered_package = models.ForeignKey(
+        DiscoveredPackage,
+        related_name="scores",
+        help_text=_("The package for which the score is given"),
+        on_delete=models.CASCADE,
+        editable=False,
+    )
+
+    class Meta:
+        verbose_name = "discovered package score"
+        verbose_name_plural = "discovered package scores"
+        ordering = ["-score"]
+        indexes = [
+            models.Index(fields=["score"]),
+            models.Index(fields=["scoring_tool_version"]),
+        ]
+
+    def __str__(self):
+        return self.score or str(self.uuid)
+
+    @classmethod
+    def create_from_scorecard_data(
+        cls, discovered_package, scorecard_data, scoring_tool="ossf-scorecard"
+    ):
+        """Create ScoreCard object from scorecard data and discovered package"""
+        final_data = {
+            "score": scorecard_data.score,
+            "scoring_tool_version": scorecard_data.scoring_tool_version,
+            "scoring_tool_documentation_url": (
+                scorecard_data.scoring_tool_documentation_url
+            ),
+            "score_date": cls.parse_score_date(scorecard_data.score_date),
+        }
+
+        scorecard_object = cls.objects.create(
+            **final_data,
+            discovered_package=discovered_package,
+            scoring_tool=scoring_tool,
+        )
+
+        for check in scorecard_data.checks:
+            ScorecardCheck.create_from_data(package_score=scorecard_object, check=check)
+
+        return scorecard_object
+
+    @classmethod
+    def create_from_package_and_scorecard(cls, scorecard_data, package):
+        score_object = cls.create_from_scorecard_data(
+            discovered_package=package,
+            scorecard_data=scorecard_data,
+            scoring_tool="ossf-scorecard",
+        )
+        return score_object
+
+
+class ScorecardCheck(UUIDPKModel, ScorecardChecksMixin):
+    """
+    Represents an individual check within a Scorecard evaluation for a
+    DiscoveredPackageScore.
+    """
+
+    package_score = models.ForeignKey(
+        DiscoveredPackageScore,
+        related_name="checks",
+        help_text=_("The checks for which the score is given"),
+        on_delete=models.CASCADE,
+        editable=False,
+    )
+
+    class Meta:
+        verbose_name = "scorecard check"
+        verbose_name_plural = "scorecard checks"
+        ordering = ["-check_score"]
+        indexes = [
+            models.Index(fields=["check_score"]),
+            models.Index(fields=["check_name"]),
+        ]
+
+    def __str__(self):
+        return self.check_score or str(self.uuid)
+
+    @classmethod
+    def create_from_data(cls, package_score, check):
+        """Create a ScorecardCheck instance from provided data."""
+        return cls.objects.create(
+            check_name=check.check_name,
+            check_score=check.check_score,
+            reason=check.reason or "",
+            details=check.details or [],
+            package_score=package_score,
+        )
@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+
+from scorecode import ossf_scorecard
+
+from scanpipe.models import DiscoveredPackageScore
+from scanpipe.pipelines import Pipeline
+
+
+class FetchScores(Pipeline):
+    """
+    Fetch ScoreCode information for packages.
+
+    This pipeline retrieves ScoreCode data for each package in the project
+    and stores it in the corresponding package instances.
+
+    ScoreCode data refers to metadata retrieved from the OpenSSF Scorecard tool,
+    which evaluates open source packages based on security and quality checks.
+    This data includes an overall score, individual check results (such as use
+    of branch protection, fuzzing, dependency updates, etc.), the version of the
+    scoring tool used, and the date of evaluation
+    """
+
+    download_inputs = False
+    is_addon = True
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.check_scorecode_service_availability,
+            cls.fetch_packages_scorecode_info,
+        )
+
+    def check_scorecode_service_availability(self):
+        """Check if the ScoreCode service is configured and available."""
+        if not ossf_scorecard.is_available():
+            raise Exception("ScoreCode service is not available.")
+
+    def fetch_packages_scorecode_info(self):
+        """Fetch ScoreCode information for each of the project's discovered packages."""
+        for package in self.project.discoveredpackages.all():
+            if scorecard_data := ossf_scorecard.fetch_scorecard_info(package=package):
+                DiscoveredPackageScore.create_from_package_and_scorecard(
+                    scorecard_data=scorecard_data,
+                    package=package,
+                )