Jamie Tanna authored
OpenSSF Security Scorecards are great for determining any potential supply chain security concerns in repositories that are used to develop packages you depend on. However, not everyone will rely upon the scorecards data being available in the public API, but will instead fetch the data themselves through the `scorecard` CLI.

To make it easier to work with this data, we can add an `import scorecard` subcommand which will take the Scorecard report and import it into the DB.

This requires we:

- Create a `Parser` to parse the resulting JSON
- Retrieve the `repo.name` out of the JSON
- Look up that repo URL in Ecosystems' lookup API, if possible
- Import the data at the relevant package name/package manager combinations
- Limit concurrency of requests to Ecosystems due to #459
- Re-use `securityScorecardsResult#Copy` for brevity
- Duplicate `purlToPackageName` to make sure we correctly store package names

Closes #474.
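The commit message above describes a pipeline (parse the Scorecard JSON, pull out `repo.name`, look each repo up with bounded concurrency, then store the result per package). The following is an added, self-contained sketch of that pipeline and is not the project's own code; it is written in Go on the assumption that the project is a Go code base. The JSON field layout (`date`, `repo.name`, `score`, `checks[]`) is my reading of the `scorecard` CLI's output and should be treated as an assumption; the Ecosystems lookup is replaced by a caller-supplied function, and `SampleReport` is a constructed report, not real data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"sync"
)

// scorecardReport models the subset of the `scorecard` CLI's JSON output that an
// importer needs. The field layout is an assumption about the CLI's format, not
// taken from the project's own parser.
type scorecardReport struct {
	Date string `json:"date"`
	Repo struct {
		Name   string `json:"name"`
		Commit string `json:"commit"`
	} `json:"repo"`
	Score  float64 `json:"score"`
	Checks []struct {
		Name   string  `json:"name"`
		Score  float64 `json:"score"` // -1 means the check was inconclusive
		Reason string  `json:"reason"`
	} `json:"checks"`
}

// ParseScorecard decodes one report and rejects it if repo.name is missing,
// since that field is the key used to find the matching packages.
func ParseScorecard(data []byte) (*scorecardReport, error) {
	var r scorecardReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("parse scorecard JSON: %w", err)
	}
	if strings.TrimSpace(r.Repo.Name) == "" {
		return nil, errors.New("scorecard report has no repo.name")
	}
	return &r, nil
}

// RepoURL turns a bare repo.name such as "github.com/owner/repo" into the https
// URL form a repository lookup API expects, leaving full URLs untouched.
func RepoURL(name string) string {
	name = strings.TrimSuffix(strings.TrimSpace(name), "/")
	if strings.HasPrefix(name, "https://") || strings.HasPrefix(name, "http://") {
		return name
	}
	return "https://" + name
}

// LowScoringChecks lists checks scoring below threshold, skipping inconclusive
// (-1) results, sorted by name so output is stable.
func LowScoringChecks(r *scorecardReport, threshold float64) []string {
	var out []string
	for _, c := range r.Checks {
		if c.Score >= 0 && c.Score < threshold {
			out = append(out, c.Name)
		}
	}
	sort.Strings(out)
	return out
}

// LookupAll runs lookup for every repo URL with at most limit calls in flight,
// using a buffered channel as a counting semaphore. Results are keyed by URL;
// a failed lookup is dropped rather than aborting the whole import.
func LookupAll(urls []string, limit int, lookup func(string) ([]string, error)) map[string][]string {
	if limit < 1 {
		limit = 1
	}
	sem := make(chan struct{}, limit)
	var mu sync.Mutex
	var wg sync.WaitGroup
	results := make(map[string][]string)
	for _, u := range urls {
		wg.Add(1)
		go func(u string) {
			defer wg.Done()
			sem <- struct{}{}        // acquire a slot
			defer func() { <-sem }() // release it when done
			pkgs, err := lookup(u)
			if err != nil {
				return
			}
			mu.Lock()
			results[u] = pkgs
			mu.Unlock()
		}(u)
	}
	wg.Wait()
	return results
}

// SampleReport is a constructed report in the assumed shape; not real data.
const SampleReport = `{
  "date": "2024-01-01",
  "repo": {"name": "github.com/example-org/example-repo", "commit": "0000000"},
  "score": 6.1,
  "checks": [
    {"name": "Maintained", "score": 10, "reason": "recent commits"},
    {"name": "Pinned-Dependencies", "score": 3, "reason": "unpinned actions"},
    {"name": "Fuzzing", "score": -1, "reason": "not applicable"}
  ]
}`

func main() {
	r, err := ParseScorecard([]byte(SampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Println(RepoURL(r.Repo.Name), LowScoringChecks(r, 5))
}
```

The semaphore in `LookupAll` is the simplest way to honour a rate limit on an upstream API without serialising the whole import; a real importer would pass a function that calls the Ecosystems lookup endpoint and returns the package name/package manager pairs to store.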