GSoC’21@ CHAOSS- Coding Period -Week 1&2

Before getting to what I worked on , it would make more sense if I explained my project in brief. My project is about building a shared data resource focused on Dependencies, Risk and Vulnerabilities. Dependencies are basically piece of code that your project depends on. So, if there is something wrong with the dependency, then that would mean there might be something wrong with your project too.

So my Week 1 was mostly about design discussion with my Mentor and getting started. I started by extending the current Dependency Worker in Augur to collect OSSF Scorecard data. Scorecard is an open-source project written in ‘go’ programming language. So to make it work , first thing that came to my mind was to use ‘Subprocess’ in python (since augur is in python). The current Value Worker in augur also calls an external Go-based open-source project ‘SCC’ to calculate the code complexity of any project. It uses subprocess too, but we are using it in different ways!

So what does Scorecard do?

Basically, scorecard takes an input which is any GitHub project as an argument and does all the work and give us 16 tests with name of the test , pass/fail status and score of that particular test.

In augur we get the data, clean out as per our needs , and generate a python list of lists which in turn get inserted into the database. Well, by the end of week 1 it was working for me , but wouldn’t work for anyone else.

I didn’t want my project to end up like this 🙈

Why would it not work for anyone else if it is working for me?

Well, this is what my Week 2 was about and some schema changes. So there is a list of reasons that it is only working for me.

1- They might not have Go installed — Scorecard is a project based on Go, to run it obviously we do need Go locally. So for this I added a check in augur’s Installation script to check if ‘Go’ exisits. Just a note , if anytime in future you get into checking things like this , never use ‘which go’. Instead use something like — command -v go >/dev/null 2>&1 || { echo >&2 "We require 'go' to run Scorecard project to get data, Please install GO first....Aborting"; exit 1; } . This is not true just about Go but for any package check.

2- They might not have scorecard cloned locally and built — We need Scorecard to generate data, so for this I added some more scripts to clone and build scorecard project to get ready to use by deps worker.

3- We need path to Scorecard — It was working for me because I knew where my project was cloned. This information is necessary because in Subprocess we have to pass a cwd(current working directory) path i.e. path to scorecard project for us. This is handled by cloning the project in a fixed directory and passing that path to subprocess.

4- Getting the Environment Variables — Scorecard need some environment variables which is mostly your GitHub API key so that it can make necessary API calls to get data. Since I had it all set for me locally , it was working for me. I am still figuring out ways to make it happen for everyone , maybe I will tell you the solution that I came up with in the next week’s blog :)

So this was it, my Week 1&2 of Google Summer of Code at CHAOSS. I am learning a lot and very excited to see this completely working in augur!

Open Source Enthusiast and a Computer Science Student