    feat: add ability to `import scorecard` for Security Scorecards · 4b7eae1c
    Jamie Tanna authored
    OpenSSF Security Scorecards are great for determining any potential
    supply chain security concerns in repositories that are used to develop
    packages you depend on.
    
    However, not everyone will rely upon the scorecards data being available
    in the public API, but will instead fetch the data themselves through
    the `scorecard` CLI.
    
    To make it easier to work with this data, we can add an `import
    scorecard` subcommand which will take the Scorecard report and import it
    into the DB.
    
    This requires we:
    
    - Create a `Parser` to parse the resulting JSON
    - Retrieve the `repo.name` out of the JSON
    - Look up that repo URL in Ecosystems' lookup API, if possible
    - Import the data at the relevant package name/package manager
      combinations
    - Limit concurrency of requests to Ecosystems due to #459
    - Re-use `securityScorecardsResult#Copy` for brevity
    - Duplicate `purlToPackageName` to make sure we correctly store package
      names
    
    Closes #474.