aggregdepscore

package module
v0.0.0-...-8e7f7da Latest
Published: Dec 20, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

README

Aggregated Dependency Score: A Dependency Score that Includes Transitive Dependencies

Implementations of the algorithm described in this blog post: "Aggregated Dependency Score: A Dependency Score that Includes Transitive Dependencies"

[!WARNING]

Work in progress: as of October 2024, the code in this repository is only suitable for testing.

Python Implementation

The Python implementation is in the python directory.

As of October 2024 it implements an older version of the aggregated dependency score; it must be updated to match the algorithm that ended up being published.

Go Implementation

As is usual for Go code, the main module is located at the root of the repository. As a result, anything not in the python directory should be considered part of the Go implementation unless explicitly mentioned otherwise.

Note that the module github.com/DataDog/aggregated-dependency-score does not provide dependency enumeration or intrinsic score evaluation; the user must provide their own. Right now, the function NewDepsDotDevClient provides a client for https://deps.dev that can do both, but in the future this client will be moved to a separate module (and most likely a separate repository) so that users who do not want it are not forced to import its dependencies.

To see an example of how to use the package, see cmd/depscore:

$ go run ./cmd/depscore --ecosystem pypi --package requests --version 2.28.1
0.18347983371997253
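The README above says the user must supply dependency enumeration and intrinsic score evaluation themselves. As an added example, not code from this module, the following Go program implements the two interfaces over a constructed in-memory graph (a stand-in for deps.dev) and walks the transitive dependencies through the resolver, terminating on cycles; Package and the interfaces are redefined locally so it builds offline, and the assumption that trustworthiness lies in [0, 1] is this example's, not the page's. The aggregation itself is left to the module's Evaluator, whose constructor is not shown on this page.

```go
package main

import (
	"context"
	"fmt"
)

// Package and the two interfaces mirror the exported types of aggregdepscore,
// redefined here so the example builds without fetching the module.
type Package struct{ Ecosystem, Name, Version string }
type DependencyResolver interface {
	GetDirectDependencies(ctx context.Context, p Package) ([]Package, error)
}
type IntrinsicTrustworthinessEvaluator interface {
	EvaluateIntrinsicTrustworthiness(ctx context.Context, p Package) (float64, error)
}
// MemGraph is a constructed in-memory stand-in for a source such as deps.dev:
// direct dependencies plus an intrinsic trustworthiness per package (assumed
// here to lie in [0, 1]). A leaf is present with an empty dependency slice.
type MemGraph struct {
	Deps  map[Package][]Package
	Trust map[Package]float64
}
func (g *MemGraph) GetDirectDependencies(_ context.Context, p Package) ([]Package, error) {
	if d, ok := g.Deps[p]; ok {
		return d, nil
	}
	return nil, fmt.Errorf("unknown package %+v", p) // absent key: refuse, don't guess
}
func (g *MemGraph) EvaluateIntrinsicTrustworthiness(_ context.Context, p Package) (float64, error) {
	return g.Trust[p], nil // unknown package reads as 0, the least trustworthy value
}

// TransitiveDependencies lists every package reachable from root, breadth-first.
// Each package is visited once, so cycles terminate and shared deps appear once.
func TransitiveDependencies(ctx context.Context, r DependencyResolver, root Package) ([]Package, error) {
	seen := map[Package]bool{root: true}
	queue := []Package{root} // doubles as the result: everything after root
	for i := 0; i < len(queue); i++ {
		direct, err := r.GetDirectDependencies(ctx, queue[i])
		if err != nil {
			return nil, err
		}
		for _, d := range direct {
			if !seen[d] {
				seen[d], queue = true, append(queue, d)
			}
		}
	}
	return queue[1:], nil
}
```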

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewDepsDotDevClient deprecated

func NewDepsDotDevClient() (*client, error)

NewDepsDotDevClient creates an object that satisfies both the IntrinsicTrustworthinessEvaluator and DependencyResolver interfaces, using the deps.dev API as the source of data. The intrinsic trustworthiness is calculated based on the OSSF scorecard that is returned by the deps.dev API.

Deprecated: in version 1 of package aggregdepscore, the deps.dev client will be moved to a new Go module, most likely in a new repository, and this function will be removed.

Types

type DefaultScoreTrustworthinessConverter

type DefaultScoreTrustworthinessConverter struct{}

func (*DefaultScoreTrustworthinessConverter) ScoreFromTrustworthiness

func (c *DefaultScoreTrustworthinessConverter) ScoreFromTrustworthiness(trustworthiness float64) float64

func (*DefaultScoreTrustworthinessConverter) TrustworthinessFromScore

func (c *DefaultScoreTrustworthinessConverter) TrustworthinessFromScore(score float64) float64

type DependencyResolver

type DependencyResolver interface {
	GetDirectDependencies(ctx context.Context, p Package) ([]Package, error)
}

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

func (*Evaluator) EvaluateScore

func (e *Evaluator) EvaluateScore(ctx context.Context, p Package) (float64, error)

type IntrinsicTrustworthinessEvaluator

type IntrinsicTrustworthinessEvaluator interface {
	EvaluateIntrinsicTrustworthiness(ctx context.Context, p Package) (float64, error)
}

type Package

type Package struct {
	Ecosystem string
	Name      string
	Version   string
}

type ScoreTrustworthinessConverter

type ScoreTrustworthinessConverter interface {
	ScoreFromTrustworthiness(trustworthiness float64) float64
	TrustworthinessFromScore(score float64) float64
}

Directories

Path Synopsis
cmd
