✨ Add support for github GHES (ossf#2999)

patelniketm · naveensrinivasan · raghavkaul · balteravishay · commit 32a5ed43c563 · 2023-06-11T15:59:55.000Z
* ✨ adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (ossf#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (ossf#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
diff --git a/README.md b/README.md
@@ -404,6 +404,20 @@ RESULTS
 |---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
 ```
 
+##### Using GitHub Enterprise Server (GHES) based Repository
+
+To use a GitHub Enterprise host `github.corp.com`, use the `GH_HOST` environment variable.
+
+```shell
+# Set the GitHub Enterprise host without https prefix or slash with relevant authentication token
+export GH_HOST=github.corp.com
+export GITHUB_AUTH_TOKEN=token
+
+scorecard --repo=github.corp.com/org/repo
+# OR without github host url
+scorecard --repo=org/repo
+```
+
 ##### Using a Package manager
 
 For projects in the `--npm`, `--pypi`, `--rubygems`, or `--nuget` ecosystems, you have the
diff --git a/checker/client_test.go b/checker/client_test.go
@@ -39,6 +39,7 @@ func TestGetClients(t *testing.T) { //nolint:gocognit
 		shouldCIIBeNil        bool
 		wantErr               bool
 		experimental          bool
+		isGhHost              bool
 	}{
 		{
 			name: "localURI is not empty",
@@ -94,6 +95,21 @@ func TestGetClients(t *testing.T) { //nolint:gocognit
 			wantErr:               false,
 			experimental:          true,
 		},
+		{
+			name: "repoURI is corp github host",
+			args: args{
+				ctx:      context.Background(),
+				repoURI:  "https://github.corp.com/ossf/scorecard",
+				localURI: "",
+			},
+			shouldOSSFuzzBeNil:    false,
+			shouldRepoClientBeNil: false,
+			shouldVulnClientBeNil: false,
+			shouldRepoBeNil:       false,
+			shouldCIIBeNil:        false,
+			wantErr:               false,
+			isGhHost:              true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -102,6 +118,10 @@ func TestGetClients(t *testing.T) { //nolint:gocognit
 			if tt.experimental {
 				t.Setenv("SCORECARD_EXPERIMENTAL", "true")
 			}
+			if tt.isGhHost {
+				t.Setenv("GH_HOST", "github.corp.com")
+				t.Setenv("GH_TOKEN", "PAT")
+			}
 			got, repoClient, ossFuzzClient, ciiClient, vulnsClient, err := GetClients(tt.args.ctx, tt.args.repoURI, tt.args.localURI, tt.args.logger) //nolint:lll
 			if (err != nil) != tt.wantErr {
 				t.Fatalf("GetClients() error = %v, wantErr %v", err, tt.wantErr)
diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go
@@ -20,6 +20,8 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/google/go-github/v38/github"
@@ -59,6 +61,8 @@ type Client struct {
 	commitDepth   int
 }
 
+const defaultGhHost = "github.com"
+
 // InitRepo sets up the GitHub repo in local storage for improving performance and GitHub token usage efficiency.
 func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitDepth int) error {
 	ghRepo, ok := inputRepo.(*repoURL)
@@ -126,7 +130,11 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD
 
 // URI implements RepoClient.URI.
 func (client *Client) URI() string {
-	return fmt.Sprintf("github.com/%s/%s", client.repourl.owner, client.repourl.repo)
+	host, isHost := os.LookupEnv("GH_HOST")
+	if !isHost {
+		host = defaultGhHost
+	}
+	return fmt.Sprintf("%s/%s/%s", host, client.repourl.owner, client.repourl.repo)
 }
 
 // LocalPath implements RepoClient.LocalPath.
@@ -259,8 +267,26 @@ func CreateGithubRepoClientWithTransport(ctx context.Context, rt http.RoundTripp
 	httpClient := &http.Client{
 		Transport: rt,
 	}
-	client := github.NewClient(httpClient)
-	graphClient := githubv4.NewClient(httpClient)
+
+	var client *github.Client
+	var graphClient *githubv4.Client
+	githubHost, isGhHost := os.LookupEnv("GH_HOST")
+
+	if isGhHost && githubHost != defaultGhHost {
+		githubRestURL := fmt.Sprintf("https://%s/api/v3", strings.TrimSpace(githubHost))
+		githubGraphqlURL := fmt.Sprintf("https://%s/api/graphql", strings.TrimSpace(githubHost))
+
+		var err error
+		client, err = github.NewEnterpriseClient(githubRestURL, githubRestURL, httpClient)
+		if err != nil {
+			panic(fmt.Errorf("error during CreateGithubRepoClientWithTransport:EnterpriseClient: %w", err))
+		}
+
+		graphClient = githubv4.NewEnterpriseClient(githubGraphqlURL, httpClient)
+	} else {
+		client = github.NewClient(httpClient)
+		graphClient = githubv4.NewClient(httpClient)
+	}
 
 	return &Client{
 		ctx:        ctx,
diff --git a/clients/githubrepo/repo.go b/clients/githubrepo/repo.go
@@ -17,6 +17,7 @@ package githubrepo
 import (
 	"fmt"
 	"net/url"
+	"os"
 	"strings"
 
 	"github.com/ossf/scorecard/v4/clients"
@@ -42,7 +43,11 @@ func (r *repoURL) parse(input string) error {
 	// This will takes care for repo/owner format.
 	// By default it will use github.com
 	case l == two:
-		t = "github.com/" + c[0] + "/" + c[1]
+		githubHost, isGhHost := os.LookupEnv("GH_HOST")
+		if !isGhHost {
+			githubHost = "github.com"
+		}
+		t = githubHost + "/" + c[0] + "/" + c[1]
 	case l >= three:
 		t = input
 	}
@@ -83,8 +88,10 @@ func (r *repoURL) String() string {
 
 // IsValid implements Repo.IsValid.
 func (r *repoURL) IsValid() error {
+	githubHost := os.Getenv("GH_HOST")
 	switch r.host {
 	case "github.com":
+	case githubHost:
 	default:
 		return sce.WithMessage(sce.ErrorUnsupportedHost, r.host)
 	}
diff --git a/clients/githubrepo/repo_test.go b/clients/githubrepo/repo_test.go
@@ -20,13 +20,15 @@ import (
 	"github.com/google/go-cmp/cmp"
 )
 
+// nolint:paralleltest
+// because we are using t.Setenv.
 func TestRepoURL_IsValid(t *testing.T) {
-	t.Parallel()
 	tests := []struct {
 		name     string
 		inputURL string
 		expected repoURL
 		wantErr  bool
+		ghHost   bool
 	}{
 		{
 			name: "Valid http address",
@@ -59,7 +61,7 @@ func TestRepoURL_IsValid(t *testing.T) {
 			wantErr:  true,
 		},
 		{
-			name: "github repository",
+			name: "Github repository",
 			expected: repoURL{
 				host:  "github.com",
 				owner: "foo",
@@ -69,7 +71,7 @@ func TestRepoURL_IsValid(t *testing.T) {
 			wantErr:  false,
 		},
 		{
-			name: "github repository",
+			name: "Github repository with host",
 			expected: repoURL{
 				host:  "github.com",
 				owner: "foo",
@@ -78,11 +80,36 @@ func TestRepoURL_IsValid(t *testing.T) {
 			inputURL: "https://github.com/foo/kubeflow",
 			wantErr:  false,
 		},
+		{
+			name: "Enterprise github repository with host",
+			expected: repoURL{
+				host:  "github.corp.com",
+				owner: "corpfoo",
+				repo:  "kubeflow",
+			},
+			inputURL: "https://github.corp.com/corpfoo/kubeflow",
+			wantErr:  false,
+			ghHost:   true,
+		},
+		{
+			name: "Enterprise github repository",
+			expected: repoURL{
+				host:  "github.corp.com",
+				owner: "corpfoo",
+				repo:  "kubeflow",
+			},
+			inputURL: "corpfoo/kubeflow",
+			wantErr:  false,
+			ghHost:   true,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			if tt.ghHost {
+				t.Setenv("GH_HOST", "github.corp.com")
+			}
+
 			r := repoURL{
 				host:  tt.expected.host,
 				owner: tt.expected.owner,
@@ -97,7 +124,6 @@ func TestRepoURL_IsValid(t *testing.T) {
 			if !tt.wantErr && !cmp.Equal(tt.expected, r, cmp.AllowUnexported(repoURL{})) {
 				t.Errorf("Got diff: %s", cmp.Diff(tt.expected, r))
 			}
-
 			if !cmp.Equal(r.Host(), tt.expected.host) {
 				t.Errorf("%s expected host: %s got host %s", tt.inputURL, tt.expected.host, r.Host())
 			}
