✨ Included documentation for Active check

[naveensrinivasan]

• Please check if the PR fulfills these requirements

• Tests for the changes have been added (for bug fixes / features)
• PR title follows the guidelines defined in https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process

• What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
  Feature

• What is the current behavior? (You can also link to an open issue here)
  The check results didn't provide a description and remediation.

• What is the new behavior (if this is a feature change)?

  • Included the documentation for Active check
  • The building block for SARIF Integration with CI/CD and GitHub Code Scanning Results #193

• Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
  None

• Other information:
  None

[github-actions]

Integration tests success for 73e6676695e692677e328e01143b62927a33f24d

[inferno-chromium]

Some things i noticed

• json file is not the source of truth, both checks.json and checks.md are generated files from checks.yaml, so i think program should use checks.yaml directly and we shouldn't modify json file here (like indent can be fixed in auto-generation logic).
• i dont think we want to add long description and remediation in output, since it will inflate latest.json significantly. i think the point was for checks.json would be read by some utility directly alongwith latest.json. however, I do see the point of showing this info when tool is run in standalone fashion like one repo only, so need to see how to show it only for that usecase.

i would let @azeemshaikh38 @oliverchang and @naveensrinivasan to sync here and discuss a solution here, just added my thoughts above.

[naveensrinivasan]

Some things i noticed

• json file is not the source of truth, both checks.json and checks.md are generated files from checks.yaml, so i think program should use checks.yaml directly and we shouldn't modify json file here (like indent can be fixed in auto-generation logic).
• i dont think we want to add long description and remediation in output, since it will inflate latest.json significantly. i think the point was for checks.json would be read by some utility directly alongwith latest.json. however, I do see the point of showing this info when tool is run in standalone fashion like one repo only, so need to see how to show it only for that usecase.

i would let @azeemshaikh38 @oliverchang and @naveensrinivasan to sync here and discuss a solution here, just added my thoughts above.

I agree , I will change the implementation to use the YAML and will add HelpURL which points to the GitHub instead of remediation.

[naveensrinivasan]

Some things i noticed

• json file is not the source of truth, both checks.json and checks.md are generated files from checks.yaml, so i think program should use checks.yaml directly and we shouldn't modify json file here (like indent can be fixed in auto-generation logic).
• i dont think we want to add long description and remediation in output, since it will inflate latest.json significantly. i think the point was for checks.json would be read by some utility directly alongwith latest.json. however, I do see the point of showing this info when tool is run in standalone fashion like one repo only, so need to see how to show it only for that usecase.

i would let @azeemshaikh38 @oliverchang and @naveensrinivasan to sync here and discuss a solution here, just added my thoughts above.

I agree , I will change the implementation to use the YAML and will add HelpURL which points to the GitHub instead of remediation.

Updated the implementation to utilize the YAML instead of the json

[github-actions]

Integration tests failure for 14d6deeb3beb1d7ef53a34ea3d29d78828c14847

[github-actions]

Integration tests success for 9214dd3dc18519a8a26929ce54d2f1437ef0017a

[azeemshaikh38]

If this change is attempting to solve the "upload a SARIF file to GitHub" problem, should we first figure out the design? IMO, we should hold off on this PR before we have a consensus on how the design for the bigger problem would look like.

[azeemshaikh38]

Let's not bloat CheckResult with Description and HelpURL. We should have a separate struct for these which other packages can access as/when needed.

[naveensrinivasan]

The result is where the Help documentation needs to have the necessary stuff and this is what is being used in output.

Where else do you think this could be used?

How do you see this as bloat?

Also, what would be your suggestion?

[azeemshaikh38]

Change filename -> check_documentation.go

[naveensrinivasan]

It is already within the checks package. Adding prefix doesn't add any value and also _ aren't common within standard go naming though there are few exceptions.

[azeemshaikh38]

We can expose this struct to other packages to get Description/HelpURL.

[azeemshaikh38]

Everytime a *HelpDocumentation is called, we will read the YAML file, unmarshal it and then send the result back. Instead, could we only unmarshal the first time, and have a var which saves this in memory so that the next time these fn calls happen, we only read from the in-memory var?

[naveensrinivasan]

The idea behind this is to avoid a global state. This performance is negligible. IMO avoiding state is cleaner design.

[naveensrinivasan]

If this change is attempting to solve the "upload a SARIF file to GitHub" problem, should we first figure out the design? IMO, we should hold off on this PR before we have a consensus on how the design for the bigger problem would look like.

It is not just for SARIF, anyone who uses the tool would like to know details and steps to address these issues #63

[oliverchang]

This is a lot of repetition and makes maintenance difficult. Can we marshal these into a map[string]CheckDescription or something similar?

[naveensrinivasan]

There is also a con with that approach, we lose the type-safety and strings are all over the codebase.

We would have to define a constant for the string and use it which beats the purpose.

[oliverchang]

I also don't think we should include these long strings in these results by default. It will blow up the latest.json and cause a lot of duplication.

If we need this for another use case, we should figure out another way to do this.

[naveensrinivasan]

I can think of a flag that either dumps the help information in the json or not.

Do you have any other suggestions?

[azeemshaikh38]

Me and Oliver synced over this today. This is what we thought - #63 wants to address the problem that if Scorecard tool fails, the user should know "why the check failed", "how confident are we about this result" and "how to fix it". This PR won't solve that issue. A simple example - if the check failed due to too many retries, we'd simply be outputting a generic description and helpURL. This does not help our case in making the tool more user friendly.

So here's my suggestion -

1. Let's update all of our checks to return error_codes on failure. Each unique case of failure should have a unique error_code. These can simply be appended to []details of CheckResult for now.
2. We should then update the YAML to add details/remediation corresponding to these unique failures.
3. Update cmd/root.go to include the remediation string from YAML if any of the checks fail.

What do you think? Also adding @oliverchang @inferno-chromium for feedback/opinions.

[inferno-chromium]

Sounds like a plan, yes giving actual remediation instead of everything is a nice idea. and in yes in tool run, it does not make sense to give everything, (although it can say at end, for more information on check, please see doc at ).

[oliverchang]

Sounds like a good plan to me too. Raising more relevant errors messages seems way more useful. @naveensrinivasan WDYT?

[laurentsimon]

SG.

Shall we also provide additional information about the checks we make in the command line output (when --show-details is provided)? I personally find it useful - even if somehow redundant with the YAML document file. Here's an example output (YES implicitly means it's a positive check outcome):

$ scorecard <> --show-details
RESULTS
-------
Repo: some-repo
Active: Fail 
	Confidence: 100%
	Commits in last 90 days greater than 2: NO (1)
Branch-Protection: Fail 
	Confidence: 60%
	AllowForcePushes disabled: YES
	AllowDeletions disabled: YES
	EnforceAdmins enabled: YES
	RequireLinearHistory enabled: YES
	RequiredStatusChecks enabled: YES but has no contexts
	RequiredPullRequestReviews enabled: YES but with only 1 reviews
	DismissStaleReviews enabled: YES
	DismissalRestrictions enabled: NO
	RequireCodeOwnerReviews enabled: YES

This is just a first attempt and be changed, of course.

On a related note, I'm not sure the term Confidence makes sense in all cases. In some cases it does (say, if we find a commit with no PR we have high confidence it's not branch-protected). In other case, confidence seems to mean 'degree of protection' (Branch-Protection above)