scorecard/probes/hasBinaryArtifacts/def.yml

# Copyright 2023 OpenSSF Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

id: hasBinaryArtifacts
lifecycle: stable
short: Checks if the project has any binary files in its source tree.
motivation: >
  Binary files are not human readable so users and reviewers can't easily see what they do.
implementation: >
  The implementation looks for the presence of binary files. This is a more restrictive probe than "hasUnverifiedBinaryArtifacts" which excludes verified binary files.
outcome:
  - If the probe finds binary files, it returns one OutcomeTrue for each binary file found.
  - If the probe finds no binary files, it returns a single OutcomeFalse.
remediation:
  onOutcome: True
  effort: Medium
  text:
    - Remove the generated executable artifacts from the repository.
    - Build from source.
ecosystem:
  languages:
    - all
  clients:
    - github
    - gitlab
    - localdir
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`# Copyright 2023 OpenSSF Scorecard Authors`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

:warning: Allow probes to specify their own bad outcomes (#4020) * merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-11 00:12:53 +03:00			`id: hasBinaryArtifacts`
:seedling: Add lifecycle field to probes (#4147) * add lifecycle field to probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * classify existing probes Some are listed as stable if they're not expected to change, others are listed as experimental if there are still expected changes. Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle to probe readme Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle for new probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add probe lifecycle to documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-07-02 20:11:19 +03:00			`lifecycle: stable`
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`short: Checks if the project has any binary files in its source tree.`
			`motivation: >`
:book: Review and update some probe documentation (#4023) * polish some probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * update references to probe naming and outcomes now that #3654 is addressed, the naming restrictions can be relaxed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-12 08:08:55 +03:00			`Binary files are not human readable so users and reviewers can't easily see what they do.`
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`implementation: >`
:warning: Allow probes to specify their own bad outcomes (#4020) * merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-11 00:12:53 +03:00			`The implementation looks for the presence of binary files. This is a more restrictive probe than "hasUnverifiedBinaryArtifacts" which excludes verified binary files.`
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`outcome:`
:book: Review and update some probe documentation (#4023) * polish some probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * update references to probe naming and outcomes now that #3654 is addressed, the naming restrictions can be relaxed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-12 08:08:55 +03:00			`- If the probe finds binary files, it returns one OutcomeTrue for each binary file found.`
			`- If the probe finds no binary files, it returns a single OutcomeFalse.`
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`remediation:`
:warning: Allow probes to specify their own bad outcomes (#4020) * merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-11 00:12:53 +03:00			`onOutcome: True`
:seedling: convert binary artifact check to probe (#3508) * :seedling: convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> 2023-12-05 11:24:16 +03:00			`effort: Medium`
			`text:`
			`- Remove the generated executable artifacts from the repository.`
			`- Build from source.`
:sparkles: Add probe metadata about supported ecosystems (#3797) * :seedling: Add probe metadata about supported ecosystems Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add metadata for the rest of the probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix wrong formatting Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove oss-fuzz, osv, cii_blob, cii_http clients Signed-off-by: Adam Korczynski <adam@adalogics.com> * add github and gitlab clients for 2 probes Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> 2024-02-08 21:20:07 +03:00			`ecosystem:`
			`languages:`
			`- all`
			`clients:`
			`- github`
			`- gitlab`
:book: Review and update some probe documentation (#4023) * polish some probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * update references to probe naming and outcomes now that #3654 is addressed, the naming restrictions can be relaxed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-12 08:08:55 +03:00			`- localdir`