feat(scorecard): add support for GitLab

Author: PierreDemailly

README.md

@@ -167,7 +167,7 @@ Since version 0.6.0 of Node-secure the UI include a brand new searchbar that all
 - author (author name/email/url).
 - ext (list of available file extensions in the current payload/tree).
 - builtin (available Node.js core module name).
-- size (see [here](https://github.com/NodeSecure/size-satisfies#usage-example)
+- size (see [here](https://github.com/NodeSecure/size-satisfies#usage-example)).
 
 Exemple of query:
 
@@ -187,7 +187,6 @@ other side will bundle and remove most of the useless files from the tarball (Li
 ### Why some packages don't have OSSF Scorecard ?
 See [Scorecard Public Data](https://github.com/ossf/scorecard#public-data):
 > We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.
-> Currently, this list is derived from projects hosted on GitHub ONLY.
 
 ## Contributors guide
 

bin/index.js

@@ -83,6 +83,7 @@ prog
 prog
   .command("scorecard [repository]")
   .describe(i18n.getTokenSync("cli.commands.scorecard.desc"))
+  .option("--vcs", "Version control platform (GitHub, GitLab", "github")
   .action(commands.scorecard.main);
 
 prog

package.json

@@ -80,7 +80,7 @@
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/i18n": "^3.2.2",
     "@nodesecure/npm-registry-sdk": "^1.6.1",
-    "@nodesecure/ossf-scorecard-sdk": "^2.0.0",
+    "@nodesecure/ossf-scorecard-sdk": "^3.1.0",
     "@nodesecure/rc": "^1.5.0",
     "@nodesecure/scanner": "^5.0.1",
     "@nodesecure/utils": "^1.1.0",

public/js/components/package/pannels/scorecard.js

@@ -6,16 +6,16 @@ import * as utils from "../../../utils.js";
 
 export class Scorecard {
   static ExternalLinks = {
-    visualizer: "https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/"
+    visualizer: (platform) => `https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/${platform}/`
   }
 
   constructor(pkg) {
     this.package = pkg;
   }
 
-  async fetchScorecardData(repoName) {
+  async fetchScorecardData(repoName, platform) {
     try {
-      const { data } = (await getJSON(`/scorecard/${repoName}`));
+      const { data } = (await getJSON(`/scorecard/${repoName}?platform=${platform}`));
       if (!data) {
         return null;
       }
@@ -36,28 +36,36 @@ export class Scorecard {
     }
   }
 
-  /**
-   * @param {!HTMLTemplateElement} clone
-   */
-  generate(clone) {
-    const githubURL = this.package.links.github;
-    if (!githubURL.href) {
-      return this.hide();
+  versionControlUrl(vc) {
+    if (!vc || !vc.href) {
+      return null;
     }
 
-    const github = new URL(githubURL.href);
-    const repoName = github.pathname.slice(
+    const url = new URL(vc.href);
+
+    return url.pathname.slice(
       1,
-      github.pathname.includes(".git") ? -4 : github.pathname.length
+      url.pathname.includes(".git") ? -4 : url.pathname.length
     );
+  }
+
+  /**
+   * @param {!HTMLTemplateElement} clone
+   */
+  generate(clone) {
+    const links = this.package.links;
+    const repoName = this.versionControlUrl(links.github?.href) ?? this.versionControlUrl(links.gitlab?.href) ?? this.versionControlUrl(links.homepage) ?? this.package.name;
 
     const pannel = clone.getElementById("pan-scorecard");
-    this.fetchScorecardData(repoName).then((data) => {
+    const isGitlab = this.package.links.gitlab || this.package.links.homepage?.href?.includes("gitlab.com");
+    const platform = isGitlab ? "gitlab.com" : "github.com";
+
+    this.fetchScorecardData(repoName, platform).then((data) => {
       if (!data) {
         return this.hide();
       }
 
-      pannel.appendChild(this.renderScorecard(data, repoName));
+      pannel.appendChild(this.renderScorecard(data, repoName, platform));
       document.getElementById('scorecard-menu').style.display = 'flex';
     });
   }
@@ -76,7 +84,7 @@ export class Scorecard {
     return "green";
   }
 
-  renderScorecard(data, repoName) {
+  renderScorecard(data, repoName, platform) {
     const { score, checks } = data;
 
     const container = utils.createDOMElement('div', {
@@ -94,7 +102,7 @@ export class Scorecard {
     document.getElementById('head-score').innerText = score;
     document
       .querySelector(".score-header .visualizer a")
-      .setAttribute('href', Scorecard.ExternalLinks.visualizer + repoName);
+      .setAttribute('href', Scorecard.ExternalLinks.visualizer(platform) + repoName);
 
     container.childNodes.forEach((check, checkKey) => {
       check.addEventListener('click', () => {

src/commands/scorecard.js

@@ -14,28 +14,34 @@ function separatorLine() {
   return grey("-".repeat(80));
 }
 
-export function getCurrentRepository() {
+export function getCurrentRepository(vcs = "github") {
   const config = ini.parse(fs.readFileSync(".git/config", "utf-8"));
 
   const originMetadata = config["remote \"origin\""];
   if (!originMetadata) {
     return Err("Cannot find origin remote.");
   }
 
-  const [, rawPkg] = originMetadata.url.match(/github\.com(.+)\.git/) ?? [];
+  const [, rawPkg] = originMetadata.url.match(/(?:github|gitlab)\.com(.+)\.git/) ?? [];
+
   if (!rawPkg) {
-    return Err("OSSF Scorecard supports projects hosted on Github only.");
+    return Err("Cannot find version control host.");
   }
 
-  return Ok(rawPkg.slice(1));
+  // vcs is github by default.
+  return Ok([rawPkg.slice(1), originMetadata.url.includes("gitlab") ? "gitlab" : vcs]);
 }
 
-export async function main(repo) {
-  const result = typeof repo === "string" ? Ok(repo) : getCurrentRepository();
+export async function main(repo, opts) {
+  const vcs = opts.vcs.toLowerCase();
+  const result = typeof repo === "string" ? Ok([repo, vcs]) : getCurrentRepository(vcs);
 
   let repository;
+  let platform;
   try {
-    repository = result.unwrap();
+    const [repo, vcs] = result.unwrap();
+    repository = repo;
+    platform = vcs.slice(-4) === ".com" ? vsc : `${vcs}.com`;
   }
   catch (error) {
     console.log(white().bold(result.err));
@@ -45,7 +51,10 @@ export async function main(repo) {
 
   let data;
   try {
-    data = await scorecard.result(repository);
+    data = await scorecard.result(repository, {
+      resolveOnVersionControl: Boolean(process.env.GITHUB_TOKEN || opts.resolveOnVersionControl),
+      platform
+    });
   }
   catch (error) {
     console.log(

src/http-server/endpoints/ossf-scorecard.js

@@ -4,15 +4,19 @@ import send from "@polka/send-type";
 
 export async function get(req, res) {
   const { org, pkgName } = req.params;
+  const { platform = "github.com" } = req.query;
 
   try {
-    const data = await scorecard.result(`${org}/${pkgName}`);
+    const data = await scorecard.result(`${org}/${pkgName}`, {
+      resolveOnVersionControl: Boolean(process.env.GITHUB_TOKEN),
+      resolveOnNpmRegistry: false,
+      platform
+    });
 
     return send(res, 200, {
       data
     });
   }
-
   catch (error) {
     return send(
       res,

test/commands/scorecard.test.js

@@ -74,7 +74,7 @@ test("scorecard should display fastify scorecard", async() => {
 });
 
 test("should not display scorecard for unknown repository", async() => {
-  const packageName = "unkown/repository";
+  const packageName = "fastify/fastify";
   const scorecardCliOptions = {
     path: kProcessPath,
     args: [packageName],
@@ -109,7 +109,7 @@ test("should retrieve repository whithin git config", async() => {
     }
   });
 
-  assert.deepEqual(testingModule.getCurrentRepository(), Ok("myawesome/repository"));
+  assert.deepEqual(testingModule.getCurrentRepository(), Ok(["myawesome/repository", "github"]));
 });
 
 test("should not find origin remote", async() => {
@@ -123,23 +123,3 @@ test("should not find origin remote", async() => {
   assert.equal(result.err, true);
   assert.equal(result.val, "Cannot find origin remote.");
 });
-
-test("should support github only", async() => {
-  const testingModule = await esmock("../../src/commands/scorecard.js", {
-    fs: {
-      readFileSync: () => [
-        "[remote \"origin\"]",
-        "\turl = [email protected]:myawesome/repository.git"
-      ].join("\n")
-    }
-  });
-  // NOTE: we can then test that the only expected one console.log is correct
-  // it's a bit simpler that running the process to parse stdout
-  const logs = [];
-  console.log = (str) => logs.push(str);
-
-  await testingModule.main();
-
-  assert.equal(logs.length, 1);
-  assert.equal(stripAnsi(logs[0]), "OSSF Scorecard supports projects hosted on Github only.");
-});

test/httpServer.test.js

@@ -289,6 +289,13 @@ describe("httpServer", () => {
     assert.equal(result.data.data.repo.name, "github.com/NodeSecure/cli");
   });
 
+  test("'/scorecard/:org/:pkgName' should return scorecard data for GitLab repo", async() => {
+    const result = await get(new URL("/scorecard/gitlab-org/gitlab-ui?platform=gitlab.com", HTTP_URL));
+
+    assert.equal(result.statusCode, 200);
+    assert.equal(result.data.data.repo.name, "gitlab.com/gitlab-org/gitlab-ui");
+  });
+
   test("'/scorecard/:org/:pkgName' should not find repo", async() => {
     const wrongPackageName = "br-br-br-brah";
 

test/process/scorecard.js

@@ -2,4 +2,4 @@
 import * as scorecard from "../../src/commands/scorecard.js";
 import { prepareProcess } from "../helpers/cliCommandRunner.js";
 
-prepareProcess(scorecard.main);
+prepareProcess(scorecard.main, ["fastify/fastify", { resolveOnVersionControl: true, vcs: "github" }]);

workspaces/vis-network/src/utils.js

@@ -17,6 +17,15 @@ export async function getJSON(path, customHeaders = Object.create(null)) {
     headers: Object.assign({}, headers, customHeaders)
   });
 
+  if (raw.ok === false) {
+    const { status, statusText } = raw;
+
+    return {
+      status,
+      statusText
+    };
+  }
+
   return raw.json();
 }