✨ Added github codeowners to contributors list influencing contributors check (#4611)

lharrison13 · web-flow · commit f08e8fbdb73d · 2025-05-27T10:29:40.000-06:00
* ✨ added github codeowners to contributors list

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ deduped code owners and contributors plus other fixes

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ index out of bounds check

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ fixed cog complexity linting error

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ updated e2e repo and rename file param

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ removed duplicate e2e test repo

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

* ✨ removed export of github codeowner paths

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;

---------

Signed-off-by: Luke Harrison &lt;Luke.Harrison1@ibm.com&gt;
diff --git a/checks/raw/contributors.go b/checks/raw/contributors.go
@@ -36,6 +36,7 @@ func Contributors(cr *checker.CheckRequest) (checker.ContributorsData, error) {
 		user := clients.User{
 			Login:            contrib.Login,
 			NumContributions: contrib.NumContributions,
+			IsCodeOwner:      contrib.IsCodeOwner,
 		}
 
 		for _, org := range contrib.Organizations {
diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go
@@ -223,7 +223,15 @@ func (client *Client) ListReleases() ([]clients.Release, error) {
 
 // ListContributors implements RepoClient.ListContributors.
 func (client *Client) ListContributors() ([]clients.User, error) {
-	return client.contributors.getContributors()
+	var fileReader io.ReadCloser
+	for _, path := range codeOwnerPaths {
+		var err error
+		fileReader, err = client.GetFileReader(path)
+		if err == nil {
+			break
+		}
+	}
+	return client.contributors.getContributors(fileReader)
 }
 
 // IsArchived implements RepoClient.IsArchived.
diff --git a/clients/githubrepo/contributors.go b/clients/githubrepo/contributors.go
@@ -17,14 +17,26 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"io"
+	"maps"
+	"net/http"
 	"strings"
 	"sync"
 
 	"github.com/google/go-github/v53/github"
+	"github.com/hmarr/codeowners"
 
 	"github.com/ossf/scorecard/v5/clients"
 )
 
+// these are the paths where CODEOWNERS files can be found see
+// https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-file-location
+//
+//nolint:lll
+var (
+	codeOwnerPaths []string = []string{"CODEOWNERS", ".github/CODEOWNERS", "docs/CODEOWNERS"}
+)
+
 type contributorsHandler struct {
 	ghClient     *github.Client
 	once         *sync.Once
@@ -42,28 +54,26 @@ func (handler *contributorsHandler) init(ctx context.Context, repourl *Repo) {
 	handler.contributors = nil
 }
 
-func (handler *contributorsHandler) setup() error {
+func (handler *contributorsHandler) setup(codeOwnerFile io.ReadCloser) error {
+	defer codeOwnerFile.Close()
 	handler.once.Do(func() {
 		if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) {
 			handler.errSetup = fmt.Errorf("%w: ListContributors only supported for HEAD queries", clients.ErrUnsupportedFeature)
 			return
 		}
-		contribs, _, err := handler.ghClient.Repositories.ListContributors(
-			handler.ctx, handler.repourl.owner, handler.repourl.repo, &github.ListContributorsOptions{})
-		if err != nil {
-			handler.errSetup = fmt.Errorf("error during ListContributors: %w", err)
+
+		contributors := make(map[string]clients.User)
+		mapContributors(handler, contributors)
+		if handler.errSetup != nil {
+			return
+		}
+		mapCodeOwners(handler, codeOwnerFile, contributors)
+		if handler.errSetup != nil {
 			return
 		}
 
-		for _, contrib := range contribs {
-			if contrib.GetLogin() == "" {
-				continue
-			}
-			contributor := clients.User{
-				NumContributions: contrib.GetContributions(),
-				Login:            contrib.GetLogin(),
-			}
-			orgs, _, err := handler.ghClient.Organizations.List(handler.ctx, contrib.GetLogin(), nil)
+		for contributor := range maps.Values(contributors) {
+			orgs, _, err := handler.ghClient.Organizations.List(handler.ctx, contributor.Login, nil)
 			// This call can fail due to token scopes. So ignore error.
 			if err == nil {
 				for _, org := range orgs {
@@ -72,20 +82,94 @@ func (handler *contributorsHandler) setup() error {
 					})
 				}
 			}
-			user, _, err := handler.ghClient.Users.Get(handler.ctx, contrib.GetLogin())
+			user, _, err := handler.ghClient.Users.Get(handler.ctx, contributor.Login)
 			if err != nil {
 				handler.errSetup = fmt.Errorf("error during Users.Get: %w", err)
 			}
 			contributor.Companies = append(contributor.Companies, user.GetCompany())
 			handler.contributors = append(handler.contributors, contributor)
 		}
+
 		handler.errSetup = nil
 	})
 	return handler.errSetup
 }
 
-func (handler *contributorsHandler) getContributors() ([]clients.User, error) {
-	if err := handler.setup(); err != nil {
+func mapContributors(handler *contributorsHandler, contributors map[string]clients.User) {
+	// getting contributors from the github API
+	contribs, _, err := handler.ghClient.Repositories.ListContributors(
+		handler.ctx, handler.repourl.owner, handler.repourl.repo, &github.ListContributorsOptions{})
+	if err != nil {
+		handler.errSetup = fmt.Errorf("error during ListContributors: %w", err)
+		return
+	}
+
+	// adding contributors to contributor map
+	for _, contrib := range contribs {
+		if contrib.GetLogin() == "" {
+			continue
+		}
+		contributors[contrib.GetLogin()] = clients.User{
+			Login: contrib.GetLogin(), NumContributions: contrib.GetContributions(),
+			IsCodeOwner: false,
+		}
+	}
+}
+
+func mapCodeOwners(handler *contributorsHandler, codeOwnerFile io.ReadCloser, contributors map[string]clients.User) {
+	ruleset, err := codeowners.ParseFile(codeOwnerFile)
+	if err != nil {
+		handler.errSetup = fmt.Errorf("error during ParseFile: %w", err)
+		return
+	}
+
+	// expanding owners
+	owners := make([]*clients.User, 0)
+	for _, rule := range ruleset {
+		for _, owner := range rule.Owners {
+			switch owner.Type {
+			case codeowners.UsernameOwner:
+				// if usernameOwner just add to owners list
+				owners = append(owners, &clients.User{Login: owner.Value, NumContributions: 0, IsCodeOwner: true})
+			case codeowners.TeamOwner:
+				// if teamOwner expand and add to owners list (only accessible by org members with read:org token scope)
+				splitTeam := strings.Split(owner.Value, "/")
+				if len(splitTeam) == 2 {
+					users, response, err := handler.ghClient.Teams.ListTeamMembersBySlug(
+						handler.ctx,
+						splitTeam[0],
+						splitTeam[1],
+						&github.TeamListTeamMembersOptions{},
+					)
+					if err == nil && response.StatusCode == http.StatusOK {
+						for _, user := range users {
+							owners = append(owners, &clients.User{Login: user.GetLogin(), NumContributions: 0, IsCodeOwner: true})
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// adding owners to contributor map and deduping
+	for _, owner := range owners {
+		if owner.Login == "" {
+			continue
+		}
+		value, ok := contributors[owner.Login]
+		if ok {
+			// if contributor exists already set IsCodeOwner to true
+			value.IsCodeOwner = true
+			contributors[owner.Login] = value
+		} else {
+			// otherwise add new contributor
+			contributors[owner.Login] = *owner
+		}
+	}
+}
+
+func (handler *contributorsHandler) getContributors(codeOwnerFile io.ReadCloser) ([]clients.User, error) {
+	if err := handler.setup(codeOwnerFile); err != nil {
 		return nil, fmt.Errorf("error during contributorsHandler.setup: %w", err)
 	}
 	return handler.contributors, nil
diff --git a/clients/githubrepo/contributors_e2e_test.go b/clients/githubrepo/contributors_e2e_test.go
@@ -16,6 +16,7 @@ package githubrepo
 
 import (
 	"context"
+	"io"
 	"net/http"
 
 	"github.com/google/go-github/v53/github"
@@ -24,11 +25,18 @@ import (
 
 	"github.com/ossf/scorecard/v5/clients"
 	"github.com/ossf/scorecard/v5/clients/githubrepo/roundtripper"
+	"github.com/ossf/scorecard/v5/internal/gitfile"
 	"github.com/ossf/scorecard/v5/log"
 )
 
 var _ = Describe("E2E TEST: githubrepo.contributorsHandler", func() {
 	var contribHandler *contributorsHandler
+	var fileHandler io.ReadCloser
+	repoURL := Repo{
+		owner:     "ossf-tests",
+		repo:      "scorecard-check-contributors-e2e",
+		commitSHA: clients.HeadSHA,
+	}
 
 	BeforeEach(func() {
 		ctx := context.Background()
@@ -41,18 +49,24 @@ var _ = Describe("E2E TEST: githubrepo.contributorsHandler", func() {
 			ghClient: client,
 			ctx:      ctx,
 		}
+		//nolint:errcheck
+		repo, _, _ := contribHandler.ghClient.Repositories.Get(contribHandler.ctx, repoURL.owner, repoURL.repo)
+		gitFileHandler := gitfile.Handler{}
+		gitFileHandler.Init(contribHandler.ctx, repo.GetCloneURL(), repoURL.commitSHA)
+		// searching for CODEOWNERS file
+		for _, path := range codeOwnerPaths {
+			var err error
+			fileHandler, err = gitFileHandler.GetFile(path)
+			if err == nil {
+				break
+			}
+		}
 	})
 	Context("getContributors()", func() {
 		skipIfTokenIsNot(patTokenType, "PAT only")
 		It("returns contributors for valid HEAD query", func() {
-			repoURL := Repo{
-				owner:     "ossf",
-				repo:      "scorecard",
-				commitSHA: clients.HeadSHA,
-			}
-
 			contribHandler.init(context.Background(), &repoURL)
-			Expect(contribHandler.getContributors()).ShouldNot(BeNil())
+			Expect(contribHandler.getContributors(fileHandler)).ShouldNot(BeNil())
 			Expect(contribHandler.errSetup).Should(BeNil())
 		})
 	})
diff --git a/clients/user.go b/clients/user.go
@@ -22,6 +22,7 @@ type User struct {
 	NumContributions int
 	ID               int64
 	IsBot            bool
+	IsCodeOwner      bool
 }
 
 // RepoAssociation is how a user is associated with a repository.
diff --git a/go.mod b/go.mod
@@ -43,6 +43,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/google/go-github/v53 v53.2.0
 	github.com/google/osv-scanner v1.9.2
+	github.com/hmarr/codeowners v1.2.1
 	github.com/in-toto/attestation v1.1.1
 	github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
 	github.com/onsi/ginkgo/v2 v2.23.4
diff --git a/go.sum b/go.sum
@@ -505,6 +505,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hmarr/codeowners v1.2.1 h1:+9yndrwG0UVP1GkLBEQMSbSUNeLpbrbL924SRthA/9k=
+github.com/hmarr/codeowners v1.2.1/go.mod h1:KPlR1p/B4owPjwfNIBueWlOP4CmqlQFX9b6nANG6j40=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20240912202439-0a2b6291aafd h1:EVX1s+XNss9jkRW9K6XGJn2jL2lB1h5H804oKPsxOec=

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ func Contributors(cr *checker.CheckRequest) (checker.ContributorsData, error) {`
`36`	`36`	`user := clients.User{`
`37`	`37`	`Login: contrib.Login,`
`38`	`38`	`NumContributions: contrib.NumContributions,`
	`39`	`+ IsCodeOwner: contrib.IsCodeOwner,`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`for _, org := range contrib.Organizations {`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ type User struct {`
`22`	`22`	`NumContributions int`
`23`	`23`	`ID int64`
`24`	`24`	`IsBot bool`
	`25`	`+ IsCodeOwner bool`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`// RepoAssociation is how a user is associated with a repository.`