feat: initial logic of staticCodeAnalysis validator

bjohansebas · bjohansebas · commit 6ff75b8e9dd2 · 2025-02-11T20:29:55.000-05:00
diff --git a/__tests__/checks/validators/staticCodeAnalysis.test.js b/__tests__/checks/validators/staticCodeAnalysis.test.js
@@ -111,7 +111,7 @@ describe('staticCodeAnalysis', () => {
           project_id: 1,
           compliance_check_id: 1,
           severity: 'medium',
-          title: '3 (66.7%) repositories in org1, org2 organizations do not have a static code analysis tool',
+          title: '2 (66.7%) repositories do not have a static code analysis tool',
           description: 'Check the details on https://example.com'
         }
       ],
@@ -120,8 +120,8 @@ describe('staticCodeAnalysis', () => {
           project_id: 1,
           compliance_check_id: 1,
           severity: 'medium',
-          status: 'passed',
-          rationale: '3 (66.7%) repositories in org1, org2 organizations do not have a static code analysis tool'
+          status: 'failed',
+          rationale: '2 (66.7%) repositories do not have a static code analysis tool'
         },
         {
           compliance_check_id: 1,
@@ -137,7 +137,7 @@ describe('staticCodeAnalysis', () => {
           description: 'Check the details on https://example.com',
           project_id: 1,
           severity: 'medium',
-          title: 'Add a code analysis tool for 2 (66.7%) repositories (org1/test, org2/.github)'
+          title: 'Add a code analysis tool for 2 (66.7%) repositories (org1/test, org2/.github) in GitHub'
         }
       ]
     })
@@ -147,7 +147,6 @@ describe('staticCodeAnalysis', () => {
     data[0].repositories[0].ossf_results = null
     data[0].repositories[1].ossf_results = null
     data[1].repositories[0].ossf_results = null
-    data[2].repositories[0].ossf_results = null
 
     const analysis = staticCodeAnalysis({ data, check, projects })
     expect(analysis).toEqual({
@@ -184,7 +183,7 @@ describe('staticCodeAnalysis', () => {
           compliance_check_id: 1,
           severity: 'medium',
           status: 'unknown',
-          rationale: '1 (33.3%) repositories have not generated results from the OSSF Scorecard'
+          rationale: '1 (33.3%) repositories do not generated results from the OSSF Scorecard'
         },
         {
           compliance_check_id: 1,
@@ -197,6 +196,7 @@ describe('staticCodeAnalysis', () => {
       tasks: []
     })
   })
+
   it('Should generate an unknown result if some repositories have unknown static code analysis', () => {
     data[2].repositories[0].ossf_results.sast_score = null
 
diff --git a/src/checks/validators/staticCodeAnalysis.js b/src/checks/validators/staticCodeAnalysis.js
@@ -1,13 +1,100 @@
-const debug = require('debug')('checks:validator:adminRepoCreationOnly')
+const debug = require('debug')('checks:validator:staticCodeAnalysis')
+const {
+  groupArrayItemsByCriteria,
+  getSeverityFromPriorityGroup,
+  generatePercentage
+} = require('../../utils')
+
+const groupByProject = groupArrayItemsByCriteria('project_id')
+
+const minumumStaticCodeAnalysis = 7
 
 // @see: https://github.com/OpenPathfinder/visionBoard/issues/75
-module.exports = ({ data = [], check, projects = [] }) => {
+module.exports = ({ data: ghOrgs, check, projects = [] }) => {
   debug('Validating that the repositories have static code analysis...')
+  debug('Grouping repositories by project...')
+  const ghOrgsGroupedByProject = groupByProject(ghOrgs)
 
   const alerts = []
   const results = []
   const tasks = []
 
+  debug('Processing repositories...')
+  ghOrgsGroupedByProject.forEach((projectOrgs) => {
+    debug(`Processing Project (${projectOrgs[0].github_organization_id})`)
+    const project = projects.find(p => p.id === projectOrgs[0].project_id)
+    const projectRepositories = projectOrgs.map(org => org.repositories).flat()
+
+    const baseData = {
+      project_id: project.id,
+      compliance_check_id: check.id,
+      severity: getSeverityFromPriorityGroup(check.default_priority_group)
+    }
+
+    const allOSSFResultsPass = projectRepositories.every(
+      repo => repo.ossf_results?.sast_score >= minumumStaticCodeAnalysis
+    )
+
+    if (allOSSFResultsPass) {
+      results.push({
+        ...baseData,
+        status: 'passed',
+        rationale: 'All repositories in all organizations have a static code analysis tool'
+      })
+      debug(`Processed project (${project.id}) - All passed`)
+      return
+    }
+
+    const failedRepos = projectRepositories.filter(repo => Number.parseInt(repo.ossf_results?.sast_score) < minumumStaticCodeAnalysis).map(org => org.full_name)
+    const unknownRepos = projectRepositories.filter(repo => repo.ossf_results?.sast_score === null).map(org => org.full_name)
+    const noGenerateResults = projectRepositories.filter(repo => repo?.ossf_results == null).map(org => org.full_name)
+
+    const result = { ...baseData }
+    const task = { ...baseData }
+    const alert = { ...baseData }
+
+    if (noGenerateResults.length === projectRepositories.length) {
+      result.status = 'unknown'
+      result.rationale = 'No results have been generated from the OSSF Scorecard'
+    } else if (failedRepos.length) {
+      const percentage = generatePercentage(projectRepositories.length, failedRepos.length)
+
+      result.status = 'failed'
+      result.rationale = `${failedRepos.length} (${percentage}) repositories do not have a static code analysis tool`
+      alert.title = `${failedRepos.length} (${percentage}) repositories do not have a static code analysis tool`
+      alert.description = `Check the details on ${check.details_url}`
+      task.title = `Add a code analysis tool for ${failedRepos.length} (${percentage}) repositories (${failedRepos.join(', ')}) in GitHub`
+      task.description = `Check the details on ${check.details_url}`
+    } else if (unknownRepos.length) {
+      const percentage = generatePercentage(projectRepositories.length, unknownRepos.length)
+
+      result.status = 'unknown'
+      result.rationale = `${unknownRepos.length} (${percentage}) repositories could not be determined to have a code analysis tool`
+    } else if (noGenerateResults.length) {
+      const percentage = generatePercentage(projectRepositories.length, noGenerateResults.length)
+
+      result.status = 'unknown'
+      result.rationale = `${noGenerateResults.length} (${percentage}) repositories do not generated results from the OSSF Scorecard`
+    }
+
+    // Include only the task if was populated
+    if (Object.keys(task).length > Object.keys(baseData).length) {
+      debug(`Adding task for project (${project.id})`)
+      tasks.push(task)
+    }
+    // Include only the alert if was populated
+    if (Object.keys(alert).length > Object.keys(baseData).length) {
+      debug(`Adding alert for project (${project.id})`)
+      alerts.push(alert)
+    }
+    // Always include the result
+    results.push(result)
+    debug(`Processed project (${project.id})`)
+
+    results.push(result)
+    debug(`Processed project (${project.id})`)
+  })
+
   return {
     alerts,
     results,
diff --git a/src/store/index.js b/src/store/index.js
@@ -224,7 +224,6 @@ const getAllOSSFResultsOfRepositoriesByProjectId = async (knex, projectIds) => {
         exclude: ['repo_id', 'ossf_id']
       })
       orgData.repositories = []
-      orgData.ossf_results = []
       organizationsMap.set(orgId, orgData)
     }
 

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,6 @@ const getAllOSSFResultsOfRepositoriesByProjectId = async (knex, projectIds) => {`
`224`	`224`	`exclude: ['repo_id', 'ossf_id']`
`225`	`225`	`})`
`226`	`226`	`orgData.repositories = []`
`227`		`- orgData.ossf_results = []`
`228`	`227`	`organizationsMap.set(orgId, orgData)`
`229`	`228`	`}`
`230`	`229`