aboutcode-org · 404-geek · Jun 26, 2024 · Jun 26, 2024 · Jun 26, 2024 · Jun 26, 2024
diff --git a/docs/built-in-pipelines.rst b/docs/built-in-pipelines.rst
@@ -229,3 +229,9 @@ Scan Single Package
 .. autoclass:: scanpipe.pipelines.scan_single_package.ScanSinglePackage()
     :members:
     :member-order: bysource
+
+Fetch ScoreCode Info for Package
+---------------------------------
+.. autoclass:: scanpipe.pipelines.fetch_scorecode_info.FetchScoreCodeInfo()
+    :members:
+    :member-order: bysource
diff --git a/pyproject.toml b/pyproject.toml
@@ -94,7 +94,10 @@ dependencies = [
   "aboutcode.hashid==0.2.0",
   # AboutCode pipeline
   "aboutcode.pipeline==0.2.1",
-  "scipy==1.15.3"
+  "scipy==1.15.3",
+  # ScoreCode
+  "scorecode==0.0.4",
+
 ]
 
 [project.optional-dependencies]
@@ -134,6 +137,7 @@ collect_symbols_ctags = "scanpipe.pipelines.collect_symbols_ctags:CollectSymbols
 collect_symbols_pygments = "scanpipe.pipelines.collect_symbols_pygments:CollectSymbolsPygments"
 collect_symbols_tree_sitter = "scanpipe.pipelines.collect_symbols_tree_sitter:CollectSymbolsTreeSitter"
 enrich_with_purldb = "scanpipe.pipelines.enrich_with_purldb:EnrichWithPurlDB"
+fetch_scorecode_info = "scanpipe.pipelines.fetch_scorecode_info:FetchScoreCodeInfo"
 find_vulnerabilities = "scanpipe.pipelines.find_vulnerabilities:FindVulnerabilities"
 inspect_elf_binaries = "scanpipe.pipelines.inspect_elf_binaries:InspectELFBinaries"
 inspect_packages = "scanpipe.pipelines.inspect_packages:InspectPackages"

diff --git a/scanpipe/migrations/0074_add_discovered_package_score_and_scorecard_check_models.py b/scanpipe/migrations/0074_add_discovered_package_score_and_scorecard_check_models.py
@@ -0,0 +1,64 @@
+# Generated by Django 5.1.11 on 2025-07-17 05:29
+
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0073_add_sha1_git_checksum'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DiscoveredPackageScore',
+            fields=[
+                ('scoring_tool', models.CharField(blank=True, choices=[('ossf-scorecard', 'Ossf'), ('others', 'Others')], help_text='Defines the source of a score or any other scoring metricsFor example: ossf-scorecard for scorecard data', max_length=100)),
+                ('scoring_tool_version', models.CharField(blank=True, help_text='Defines the version of the scoring tool used for scanning thepackageFor Eg : 4.6 current version of OSSF - scorecard', max_length=50)),
+                ('score', models.CharField(blank=True, help_text='Score of the package which is scanned', max_length=50)),
+                ('scoring_tool_documentation_url', models.CharField(blank=True, help_text='Documentation URL of the scoring tool used', max_length=100)),
+                ('score_date', models.DateTimeField(blank=True, editable=False, help_text='Date when the scoring was calculated on the package', null=True)),
+                ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+                ('discovered_package', models.ForeignKey(editable=False, help_text='The package for which the score is given', on_delete=django.db.models.deletion.CASCADE, related_name='scores', to='scanpipe.discoveredpackage')),
+            ],
+            options={
+                'verbose_name': 'discovered package score',
+                'verbose_name_plural': 'discovered package scores',
+                'ordering': ['-score'],
+            },
+        ),
+        migrations.CreateModel(
+            name='ScorecardCheck',
+            fields=[
+                ('check_name', models.CharField(blank=True, help_text='Defines the name of check corresponding to the OSSF scoreFor example: Code-Review or CII-Best-PracticesThese are the some of the checks which are performed on a scanned package', max_length=100)),
+                ('check_score', models.CharField(blank=True, help_text='Defines the score of the check for the package scannedFor Eg : 9 is a score given for Code-Review', max_length=50)),
+                ('reason', models.CharField(blank=True, help_text='Gives a reason why a score was given for a specific checkFor eg, : Found 9/10 approved changesets -- score normalized to 9', max_length=300)),
+                ('details', models.JSONField(blank=True, default=list, help_text='A list of details/errors regarding the score')),
+                ('uuid', models.UUIDField(db_index=True, default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='UUID')),
+                ('package_score', models.ForeignKey(editable=False, help_text='The checks for which the score is given', on_delete=django.db.models.deletion.CASCADE, related_name='checks', to='scanpipe.discoveredpackagescore')),
+            ],
+            options={
+                'verbose_name': 'scorecard check',
+                'verbose_name_plural': 'scorecard checks',
+                'ordering': ['-check_score'],
+            },
+        ),
+        migrations.AddIndex(
+            model_name='discoveredpackagescore',
+            index=models.Index(fields=['score'], name='scanpipe_di_score_078964_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='discoveredpackagescore',
+            index=models.Index(fields=['scoring_tool_version'], name='scanpipe_di_scoring_7fa482_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scorecardcheck',
+            index=models.Index(fields=['check_score'], name='scanpipe_sc_check_s_e189f7_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scorecardcheck',
+            index=models.Index(fields=['check_name'], name='scanpipe_sc_check_n_1df2b1_idx'),
+        ),
+    ]
diff --git a/scanpipe/models.py b/scanpipe/models.py
@@ -88,6 +88,8 @@
 from rq.exceptions import NoSuchJobError
 from rq.job import Job
 from rq.job import JobStatus
+from scorecode.contrib.django.models import PackageScoreMixin
+from scorecode.contrib.django.models import ScorecardChecksMixin
 from taggit.managers import TaggableManager
 from taggit.models import GenericUUIDTaggedItemBase
 from taggit.models import TaggedItemBase
@@ -4457,3 +4459,99 @@ def create_auth_token(sender, instance=None, created=False, **kwargs):
     """Create an API key token on user creation, using the signal system."""
     if created:
         Token.objects.create(user_id=instance.pk)
+
+
+class DiscoveredPackageScore(UUIDPKModel, PackageScoreMixin):
+    """Represents a security or quality score for a DiscoveredPackage."""
+
+    discovered_package = models.ForeignKey(
+        DiscoveredPackage,
+        related_name="scores",
+        help_text=_("The package for which the score is given"),
+        on_delete=models.CASCADE,
+        editable=False,
+    )
+
+    class Meta:
+        verbose_name = "discovered package score"
+        verbose_name_plural = "discovered package scores"
+        ordering = ["-score"]
+        indexes = [
+            models.Index(fields=["score"]),
+            models.Index(fields=["scoring_tool_version"]),
+        ]
+
+    def __str__(self):
+        return self.score or str(self.uuid)
+
+    @classmethod
+    def create_from_scorecard_data(
+        cls, discovered_package, scorecard_data, scoring_tool="ossf-scorecard"
+    ):
+        """Create ScoreCard object from scorecard data and discovered package"""
+        final_data = {
+            "score": scorecard_data.score,
+            "scoring_tool_version": scorecard_data.scoring_tool_version,
+            "scoring_tool_documentation_url": (
+                scorecard_data.scoring_tool_documentation_url
+            ),
+            "score_date": cls.parse_score_date(scorecard_data.score_date),
+        }
+
+        scorecard_object = cls.objects.create(
+            **final_data,
+            discovered_package=discovered_package,
+            scoring_tool=scoring_tool,
+        )
+
+        for check in scorecard_data.checks:
+            ScorecardCheck.create_from_data(package_score=scorecard_object, check=check)
+
+        return scorecard_object
+
+    @classmethod
+    def create_from_package_and_scorecard(cls, scorecard_data, package):
+        score_object = cls.create_from_scorecard_data(
+            discovered_package=package,
+            scorecard_data=scorecard_data,
+            scoring_tool="ossf-scorecard",
+        )
+        return score_object
+
+
+class ScorecardCheck(UUIDPKModel, ScorecardChecksMixin):
+    """
+    Represents an individual check within a Scorecard evaluation for a
+    DiscoveredPackageScore.
+    """
+
+    package_score = models.ForeignKey(
+        DiscoveredPackageScore,
+        related_name="checks",
+        help_text=_("The checks for which the score is given"),
+        on_delete=models.CASCADE,
+        editable=False,
+    )
+
+    class Meta:
+        verbose_name = "scorecard check"
+        verbose_name_plural = "scorecard checks"
+        ordering = ["-check_score"]
+        indexes = [
+            models.Index(fields=["check_score"]),
+            models.Index(fields=["check_name"]),
+        ]
+
+    def __str__(self):
+        return self.check_score or str(self.uuid)
+
+    @classmethod
+    def create_from_data(cls, package_score, check):
+        """Create a ScorecardCheck instance from provided data."""
+        return cls.objects.create(
+            check_name=check.check_name,
+            check_score=check.check_score,
+            reason=check.reason or "",
+            details=check.details or [],
+            package_score=package_score,
+        )
diff --git a/scanpipe/pipelines/fetch_scorecode_info.py b/scanpipe/pipelines/fetch_scorecode_info.py
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+
+from scorecode import ossf_scorecard
+
+from scanpipe.models import DiscoveredPackageScore
+from scanpipe.pipelines import Pipeline
+
+
+class FetchScoreCodeInfo(Pipeline):
+    """
+    Fetch ScoreCode information for packages.
+
+    This pipeline retrieves ScoreCode data for each package in the project
+    and stores it in the corresponding package instances.
+
+    ScoreCode data refers to metadata retrieved from the OpenSSF Scorecard tool,
+    which evaluates open source packages based on security and quality checks.
+    This data includes an overall score, individual check results (such as use
+    of branch protection, fuzzing, dependency updates, etc.), the version of the
+    scoring tool used, and the date of evaluation
+    """
+
+    download_inputs = False
+    is_addon = True
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.check_scoreCode_service_availability,
+            cls.fetch_packages_scoreCode_info,
+        )
+
+    def check_scoreCode_service_availability(self):
+        """Check if the ScoreCode service is configured and available."""
+        if not ossf_scorecard.is_available():
+            raise Exception("ScoreCode service is not available.")
+
+    def fetch_packages_scoreCode_info(self):
+        """Fetch ScoreCode information for each of the project's discovered packages."""
+        for package in self.project.discoveredpackages.all():
+            scorecard_data = ossf_scorecard.fetch_scorecard_info(package=package)
+
+            if scorecard_data:
+                DiscoveredPackageScore.create_from_package_and_scorecard(
+                    scorecard_data=scorecard_data,
+                    package=package,
+                )
+
+            else:
+                pass
diff --git a/scanpipe/tests/data/d2d-javascript/strings/cesium/source-decodeI3S.js b/scanpipe/tests/data/d2d-javascript/strings/cesium/source-decodeI3S.js
@@ -1653,4 +1653,4 @@ function decodeI3S(parameters, transferableObjects) {
   return decodeAndCreateGltf(parameters, transferableObjects);
 }
 
-export default createTaskProcessorWorker(decodeI3S);
+export default createTaskProcessorWorker(decodeI3S);