Add security assessment via {oysteR}

DESCRIPTION

@@ -45,7 +45,8 @@ Suggests:
     dplyr,
     testthat,
     webmockr,
-    jsonlite
+    jsonlite,
+    oysteR
 RoxygenNote: 7.2.3
 VignetteBuilder: knitr
 Config/testthat/edition: 3

NAMESPACE

@@ -41,6 +41,7 @@ S3method(assess_remote_checks,default)
 S3method(assess_remote_checks,pkg_bioc_remote)
 S3method(assess_remote_checks,pkg_cran_remote)
 S3method(assess_reverse_dependencies,default)
+S3method(assess_security,default)
 S3method(assess_size_codebase,default)
 S3method(assess_size_codebase,pkg_install)
 S3method(assess_size_codebase,pkg_source)
@@ -66,6 +67,7 @@ S3method(metric_score,pkg_metric_news_current)
 S3method(metric_score,pkg_metric_r_cmd_check)
 S3method(metric_score,pkg_metric_remote_checks)
 S3method(metric_score,pkg_metric_reverse_dependencies)
+S3method(metric_score,pkg_metric_security)
 S3method(metric_score,pkg_metric_size_codebase)
 S3method(names,pkg_ref)
 S3method(pillar_shaft,list_of_pkg_metric)
@@ -105,6 +107,7 @@ export(assess_news_current)
 export(assess_r_cmd_check)
 export(assess_remote_checks)
 export(assess_reverse_dependencies)
+export(assess_security)
 export(assess_size_codebase)
 export(assessment_error_as_warning)
 export(assessment_error_empty)
@@ -151,6 +154,8 @@ importFrom(utils,available.packages)
 importFrom(utils,capture.output)
 importFrom(utils,getS3method)
 importFrom(utils,head)
+importFrom(utils,install.packages)
+importFrom(utils,menu)
 importFrom(utils,packageDescription)
 importFrom(utils,packageName)
 importFrom(utils,packageVersion)

R/assess_security.R

@@ -0,0 +1,62 @@
+#' Assess a package for known security vulnerabilities in the OSS Index
+#'
+#' @param x a \code{pkg_ref} package reference object
+#' @param ... additional arguments passed on to S3 methods, rarely used
+#' @return a \code{pkg_metric} containing Assess for any known security vulnerabilities in the OSS Index via oysteR
+#' @seealso \code{\link{metric_score.pkg_metric_security}}
+#'
+#' @importFrom utils install.packages menu
+#' @export
+assess_security <- function(x, ...) {
+  # TODO: discuss preferred approach for handling packages within Suggests
+  if (!requireNamespace("oysteR", quietly = TRUE)) {
+    if (interactive()) {
+      inst_yn <- utils::menu(
+        choices = c("Yes", "No"),
+        title = paste(
+          "Assessing security requires installation of the oysteR package.",
+          "Would you like to install this now?"
+        )
+      )
+
+      if (inst_yn == "1") {
+        utils::install.packages("oysteR")
+      } else {
+        stop(
+          paste(
+            "asssess_security not run. Please install the oysteR package if you", "
+        wish to assess security."
+          )
+        )
+      }
+    }
+  }
+
+  UseMethod("assess_security")
+}
+
+attributes(assess_security)$column_name <- "security"
+attributes(assess_security)$label <- "OSS Scan Results"
+attributes(assess_security)$suggests <- TRUE
+
+#' @export
+assess_security.default <- function(x, ...) {
+  pkg_metric_eval(class = "pkg_metric_security", {
+    x$security
+  })
+}
+
+
+#' Score a package for known security vulnerabilities in the OSS Index
+#'
+#' Coerce the count of reported vulnerabilities to a binary indicator.
+#'
+#' @eval roxygen_score_family("security", dontrun = TRUE)
+#' @return \code{1} if no vulnerabilities are found, otherwise \code{0}
+#'
+#' @export
+metric_score.pkg_metric_security <- function(x, ...) {
+  as.numeric(x < 1)
+}
+attributes(metric_score.pkg_metric_security)$label <-
+  "A binary indicator of whether a package has OSS Index listed vulnerabilities."

R/pkg_assess.R

@@ -75,19 +75,34 @@ roxygen_assess_family_catalog <- function() {
     "}")
 }
 
-
+#' Helper to determine if assessment depends on package in Suggests
+#'
+#' @param assess_obj An assessment function object
+#' @returns \code{TRUE} if the object does not have an attribute named
+#'   \code{"suggests"} and the negated attribute value if present
+not_suggests <- function(assess_obj) {
+  sg <- attr(assess_obj, "suggests")
+  ifelse(is.null(sg), yes = TRUE, no = !sg)
+}
 
 #' A default list of assessments to perform for each package
 #'
+#' @param include_suggests Logical indicating if assessments requiring
+#'    dependency packages listed in \code{Suggests} be included in the list of
+#'    assessments?
 #' @return a list of assess_* functions exported from riskmetric
 #'
 #' @importFrom utils packageName
 #' @export
-all_assessments <- function() {
+all_assessments <- function(include_suggests = FALSE) {
   fs <- grep("^assess_[^.]*$",
     getNamespaceExports(utils::packageName()),
     value = TRUE)
-  Map(getExportedValue, fs, ns = list(utils::packageName()))
+  fn_objs <- Map(getExportedValue, fs, ns = list(utils::packageName()))
+  if (!include_suggests) {
+    fn_objs <- Filter(not_suggests, fn_objs)
+  }
+  fn_objs
 }
 
 #' Get a specific set of assess_* functions for pkg_assess

R/pkg_ref_cache_security.R

@@ -0,0 +1,37 @@
+#' Run R CMD check and capture the results
+#'
+#' @inheritParams pkg_ref_cache
+#' @family package reference cache
+#' @return a \code{pkg_ref} object
+#' @keywords internal
+pkg_ref_cache.security <- function(x, ...) {
+  UseMethod("pkg_ref_cache.security")
+}
+
+#' Check OSS Index lists any vulnerabilities for the package and it's
+#' dependencies
+#'
+#' @inheritParams pkg_ref_cache
+#' @return a \code{pkg_ref} object
+pkg_ref_cache.security.default <- function(x, ...) {
+
+  # TODO: is this the right way to invoke the functionality to get this info?
+  deps <- assess_dependencies(x)
+
+  # when will this break? is as_pkg_metric_na?
+  dep_names <- sapply(strsplit(deps[["package"]], " "), "[[", 1)
+
+  # is this the best way to get relevant versions?
+  bundle_ref <- pkg_ref(c(x$name, dep_names), source = x$source)
+  bundle_names <- sapply(bundle_ref, "[[", "name")
+  bundle_versions <- sapply(bundle_ref, function(r) as.character(r[["version"]]))
+
+  scan_results <- oysteR::audit(
+    pkg = bundle_names,
+    version = bundle_versions,
+    type = "cran",
+    verbose = FALSE
+  )
+
+  return(sum(scan_results[["no_of_vulnerabilities"]]))
+}