Commit
modify report according to sphinx and doc8 convention
Signed-off-by: 404-geek <[email protected]>
404-geek committed Aug 25, 2024
1 parent c6391a2 commit be38e51
Showing 2 changed files with 51 additions and 20 deletions.
1 change: 1 addition & 0 deletions docs/source/archive/gsoc-toc.rst
Expand Up @@ -15,6 +15,7 @@ GSoC 2024
:maxdepth: 2

gsoc/reports/2024/scancode_toolkit_swastkk
gsoc/reports/2024/scancode_scorecode_pranay

GSoC 2022
---------
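Review bot: the new toctree entry `gsoc/reports/2024/scancode_scorecode_pranay` matches the path of the report changed in this same commit (docs/source/archive/gsoc/reports/2024/scancode_scorecode_pranay.rst), so the reference will resolve; the one thing to confirm in the raw file, since this view drops leading whitespace, is that the entry is indented to the same depth as the existing `gsoc/reports/2024/scancode_toolkit_swastkk` line, because an entry at a different indentation is not part of the toctree and Sphinx then warns that the new report is not included in any toctree.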
70 changes: 50 additions & 20 deletions docs/source/archive/gsoc/reports/2024/scancode_scorecode_pranay.rst
@@ -1,6 +1,7 @@
==============================================================================
====================================================================================
Integrating OpenSSF Scorecard into Scancode.io for Enhanced Vulnerability Analysis
==============================================================================
====================================================================================


**Organization:** `AboutCode <https://aboutcode.org>`_

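Review bot: the lengthened overline and underline are now at least as long as the 82-character title, which satisfies the docutils rule that adornments must not be shorter than the title text, so the previous short-adornment warning goes away; note, however, that with doc8's default max line length of 79 the title and both adornment lines would still be reported as D001. The rewrapped paragraphs in this diff run to roughly 88 columns, so the repository presumably configures a higher limit for doc8, but that is worth confirming, or the title could be shortened to fit under the configured limit.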
Expand All @@ -21,15 +22,25 @@ Integrating OpenSSF Scorecard into Scancode.io for Enhanced Vulnerability Analys
Overview
--------

The primary objective of this project was to integrate the OpenSSF Scorecard into the Scancode.io platform, thereby enhancing its capabilities for vulnerability analysis. The project involved work on two key repositories: `Scorecode`, which was developed as a PyPI package, and `Scancode.io`, where the integration with Scorecard data was implemented within scanning pipelines.
The primary objective of this project was to integrate the OpenSSF Scorecard into the
Scancode.io platform, thereby enhancing its capabilities for vulnerability analysis.
The project involved work on two key repositories: `Scorecode`,which was developed as a
PyPI package, and `Scancode.io`, where the integration with Scorecard data was
implemented within scanning pipelines.

**Scorecode**

`Scorecode` serves as a PyPI package that encapsulates the business logic for fetching OpenSSF Scorecard data using the OpenSSF API. It also includes Django mixin models that can be extended and integrated into other platforms with databases, such as Scancode.io and PurlDB, ensuring seamless utilization of Scorecard data across various projects.
`Scorecode` serves as a PyPI package that encapsulates the business logic for fetching
OpenSSF Scorecard data using the OpenSSF API. It also includes Django mixin models that
can be extended and integrated into other platforms with databases, such as Scancode.io
and PurlDB, ensuring seamless utilization of Scorecard data across various projects.

**Scancode.io**

In the `Scancode.io` project, I developed a pipeline that interacts with the `Scorecode` package to fetch and store Scorecard data in the Scancode.io database. The data can then be exported into Bill of Materials (BOM) files in formats like CycloneDX and SPDX, providing comprehensive security insights in standardized formats.
In the `Scancode.io` project, I developed a pipeline that interacts with the `Scorecode`
package to fetch and store Scorecard data in the Scancode.io database. The data can then
be exported into Bill of Materials (BOM) files in formats like CycloneDX and SPDX,
providing comprehensive security insights in standardized formats.

--------------------------------------------------------------------------------

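Review bot: the rewrap on the Overview paragraph dropped the space after the comma in "`Scorecode`,which was developed as a"; the original line read "`Scorecode`, which", so this should be restored as "`Scorecode`, which was developed as a" before merging.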
Expand All @@ -38,18 +49,24 @@ Implementation

**1. Scorecode Repository:**

- Developed a PyPI package to interact with the OpenSSF API and fetch Scorecard data for various software packages.
- Created Django mixin models to enable easy extension and integration of Scorecard data into platforms with databases like Scancode.io.
- Developed a PyPI package to interact with the OpenSSF API and fetch Scorecard data
for various software packages.
- Created Django mixin models to enable easy extension and integration of Scorecard
data into platforms with databases like Scancode.io.

**2. Scancode.io Integration:**

- Developed a pipeline within Scancode.io to call `Scorecode` functions, retrieve Scorecard data, and save it in the Scancode.io database.
- Enhanced the existing BOM export functionality to include Scorecard data, allowing for detailed security posture analysis in CycloneDX and SPDX formats.
- Developed a pipeline within Scancode.io to call `Scorecode` functions, retrieve
Scorecard data, and save it in the Scancode.io database.
- Enhanced the existing BOM export functionality to include Scorecard data, allowing
for detailed security posture analysis in CycloneDX and SPDX formats.

**4. Testing:**

- Conducted comprehensive testing in both repositories to ensure accurate fetching, storage, and export of Scorecard data.
- Verified seamless integration across different package ecosystems supported by Scancode.io.
- Conducted comprehensive testing in both repositories to ensure accurate fetching,
storage, and export of Scorecard data.
- Verified seamless integration across different package ecosystems supported by
Scancode.io.

--------------------------------------------------------------------------------

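Review bot: each wrapped bullet needs its continuation line ("for various software packages.", "data into platforms with databases like Scancode.io.", "Scorecard data, and save it in the Scancode.io database.", and so on) indented by two spaces to align with the text after "- "; leading whitespace is not shown in this view so it cannot be verified here, but an unindented continuation makes docutils end the list with a "Bullet list ends without a blank line; unexpected unindent" warning and renders the remainder as a stray paragraph. While this section is being touched, the headings run 1, 2, 4: "**4. Testing:**" should presumably be "**3. Testing:**".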
Expand Down Expand Up @@ -100,7 +117,8 @@ Related Issues
- Compute summary and clarity for EACH package in a codebase
- `#3 <https://github.com/aboutcode-org/scorecode/issues/3>`_
* - 5
- Provide data values in scan results to correspond with license_clarity_score elements
- Provide data values in scan results to correspond with license_clarity_score
elements
- `#2 <https://github.com/aboutcode-org/scorecode/issues/2>`_


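Review bot: inside the list-table the continuation line "elements" must be indented to align with "Provide" in the "- Provide data values in scan results to correspond with license_clarity_score" cell, otherwise docutils no longer sees a single cell paragraph and reports an error for the list-table directive, dropping the whole table from the output; please confirm the indentation in the raw file, since this view does not show it.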
Expand All @@ -116,35 +134,47 @@ Project Reference Links
Pre GSOC Work
-----------------------

Before GSoC officially started, I had the opportunity to contribute to the `ScanCode.io <https://github.com/aboutcode-org/scancode.io>`_ and `purldb.io <https://github.com/aboutcode-org/purldb>`_ project. During this
period, I
focused on enhancing various functionalities and laying the groundwork for the upcoming integration of the OpenSSF Scorecard. Below is a list of key pull requests I made:
Before GSoC officially started, I had the opportunity to contribute to the
`ScanCode.io <https://github.com/aboutcode-org/scancode.io>`_ and
`purldb.io <https://github.com/aboutcode-org/purldb>`_ project. During this
period, I focused on enhancing various functionalities and laying the groundwork for
the upcoming integration of the OpenSSF Scorecard. Below is a list of key pull requests
I made:

- `Add endpoint to create or update a package set <https://github.com/aboutcode-org/purldb/pull/350>`_
- `Fixes Github Mapper route <https://github.com/aboutcode-org/purldb/pull/370>`_
- `removed redundant PackageViewSet class code and added history field into package API nexB#389 nexB#221 <https://github.com/aboutcode-org/purldb/pull/390>`_
- `alpine url bug fix and AGPL License version issue <https://github.com/aboutcode-org/scancode-toolkit/pull/3744>`_

These contributions were essential in building a solid foundation for the integration of the ScoreCode repository during GSoC.
These contributions were essential in building a solid foundation for the integration of
the ScoreCode repository during GSoC.

Post GSoC
---------

After GSoC, the goal is to merge the pull requests into their respective repositories, enabling users to leverage the OpenSSF Scorecard integration for enhanced vulnerability analysis in Scancode.io. Future work includes extending this integration to other platforms like PurlDB.
After GSoC, the goal is to merge the pull requests into their respective repositories,
enabling users to leverage the OpenSSF Scorecard integration for enhanced vulnerability
analysis in Scancode.io. Future work includes extending this integration to other
platforms like PurlDB.

--------------------------------------------------------------------------------

Acknowledgements
----------------

This project wouldn't have been possible without the incredible support and mentorship of an outstanding team:
This project wouldn't have been possible without the incredible support and mentorship
of an outstanding team:

- `Philippe Ombredanne <https://github.com/pombredanne>`_
- `Ayan Sinha Mahapatra <https://github.com/AyanSinhaMahapatra>`_
- `Thomas Druez <https://github.com/thomasdruez>`_
- `Jonathan Yang <https://github.com/JonoYang>`_
- `Tushar Goel <https://github.com/tushar-goel>`_

The weekly status calls were more than just updates; they were a source of inspiration, ideas, and camaraderie. And the 1:1 calls with `Ayan Sinha Mahapatra`_ and `Philippe Ombredanne`_ were like mini-masterclasses in software development.
The weekly status calls were more than just updates; they were a source of inspiration,
ideas, and camaraderie. And the 1:1 calls with `Ayan Sinha Mahapatra`_ and
`Philippe Ombredanne`_ were like mini-masterclasses in software development.

To my mentors: Thank you for not just teaching me the ropes but for showing me how to swing from them! This journey was as much about learning as it was about having fun, and I couldn't have asked for a better crew to sail with.
To my mentors: Thank you for not just teaching me the ropes but for showing me how to
swing from them! This journey was as much about learning as it was about having fun,
and I couldn't have asked for a better crew to sail with.

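Review bot: "contribute to the ScanCode.io and purldb.io project" should read "projects", since two are named; in the same hunk the heading "Pre GSOC Work" uses a different casing from "Post GSoC" and the rest of the report, and "ScoreCode repository" differs from the "Scorecode" spelling used everywhere else. These predate this commit, but the paragraphs are being rewrapped anyway, so this is the place to fix them. The named references "`Ayan Sinha Mahapatra`_" and "`Philippe Ombredanne`_" still resolve against the hyperlink targets defined in the mentor list above, so the rewrap is safe there.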