scorecard/checks/code_review.go

// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package checks

import (
	"github.com/dlorenc/scorecard/checker"
	"github.com/google/go-github/v32/github"
)

func init() {
	registerCheck("Code-Review", DoesCodeReview)
}

// DoesCodeReview attempts to determine whether a project requires review before code gets merged.
// It uses a set of heuristics:
// - Looking at the repo configuration to see if reviews are required
// - Checking if most of the recent merged PRs were "Approved"
// - Looking for other well-known review labels
func DoesCodeReview(c checker.Checker) checker.CheckResult {
	return checker.MultiCheck(
		IsPrReviewRequired,
		GithubCodeReview,
		ProwCodeReview,
	)(c)
}

func GithubCodeReview(c checker.Checker) checker.CheckResult {
	// Look at some merged PRs to see if they were reviewed
	prs, _, err := c.Client.PullRequests.List(c.Ctx, c.Owner, c.Repo, &github.PullRequestListOptions{
		State: "closed",
	})
	if err != nil {
		return checker.InconclusiveResult
	}

	totalMerged := 0
	totalReviewed := 0
	for _, pr := range prs {
		if pr.MergedAt == nil {
			continue
		}
		totalMerged++
		// Merged PR!
		reviews, _, err := c.Client.PullRequests.ListReviews(c.Ctx, c.Owner, c.Repo, pr.GetNumber(), &github.ListOptions{})
		if err != nil {
			continue
		}
		for _, r := range reviews {
			if r.GetState() == "APPROVED" {
				totalReviewed++
				break
			}
		}
	}

	if totalReviewed > 0 {
		c.Logf("github code reviews found")
	}
	return checker.ProportionalResult(totalReviewed, totalMerged, .75)
}

func IsPrReviewRequired(c checker.Checker) checker.CheckResult {
	// Look to see if review is enforced.
	r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
	if err != nil {
		return checker.RetryResult(err)
	}

	// Check the branch protection rules, we may not be able to get these though.
	bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch())
	if err != nil {
		return checker.InconclusiveResult
	}
	if bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 {
		c.Logf("pr review policy enforced")
		return checker.CheckResult{
			Pass:       true,
			Confidence: 5,
		}
	}
	return checker.InconclusiveResult
}

func ProwCodeReview(c checker.Checker) checker.CheckResult {
	// Look at some merged PRs to see if they were reviewed
	prs, _, err := c.Client.PullRequests.List(c.Ctx, c.Owner, c.Repo, &github.PullRequestListOptions{
		State: "closed",
	})
	if err != nil {
		return checker.InconclusiveResult
	}

	totalMerged := 0
	totalReviewed := 0
	for _, pr := range prs {
		if pr.MergedAt == nil {
			continue
		}
		totalMerged++
		for _, l := range pr.Labels {
			if l.GetName() == "lgtm" || l.GetName() == "approved" {
				totalReviewed++
				break
			}
		}
	}

	if totalReviewed == 0 {
		return checker.InconclusiveResult
	}
	c.Logf("prow code reviews found")
	return checker.ProportionalResult(totalReviewed, totalMerged, .75)
}
Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`// Copyright 2020 Security Scorecard Authors`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Initial commit. 2020-10-09 17:47:59 +03:00			`package checks`

			`import (`
			`"github.com/dlorenc/scorecard/checker"`
			`"github.com/google/go-github/v32/github"`
			`)`

			`func init() {`
Register Helper 2020-10-13 21:55:14 +03:00			`registerCheck("Code-Review", DoesCodeReview)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

			`// DoesCodeReview attempts to determine whether a project requires review before code gets merged.`
			`// It uses a set of heuristics:`
			`// - Looking at the repo configuration to see if reviews are required`
			`// - Checking if most of the recent merged PRs were "Approved"`
			`// - Looking for other well-known review labels`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`func DoesCodeReview(c checker.Checker) checker.CheckResult {`
			`return checker.MultiCheck(`
Initial commit. 2020-10-09 17:47:59 +03:00			`IsPrReviewRequired,`
			`GithubCodeReview,`
			`ProwCodeReview,`
			`)(c)`
			`}`

Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`func GithubCodeReview(c checker.Checker) checker.CheckResult {`
Initial commit. 2020-10-09 17:47:59 +03:00			`// Look at some merged PRs to see if they were reviewed`
			`prs, _, err := c.Client.PullRequests.List(c.Ctx, c.Owner, c.Repo, &github.PullRequestListOptions{`
			`State: "closed",`
			`})`
			`if err != nil {`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.InconclusiveResult`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

			`totalMerged := 0`
			`totalReviewed := 0`
			`for _, pr := range prs {`
			`if pr.MergedAt == nil {`
			`continue`
			`}`
			`totalMerged++`
			`// Merged PR!`
			`reviews, _, err := c.Client.PullRequests.ListReviews(c.Ctx, c.Owner, c.Repo, pr.GetNumber(), &github.ListOptions{})`
			`if err != nil {`
			`continue`
			`}`
			`for _, r := range reviews {`
			`if r.GetState() == "APPROVED" {`
			`totalReviewed++`
			`break`
			`}`
			`}`
			`}`

fix check 2020-10-24 20:24:27 +03:00			`if totalReviewed > 0 {`
			`c.Logf("github code reviews found")`
Add some missing detail messages, improve others. 2020-10-24 20:20:49 +03:00			`}`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.ProportionalResult(totalReviewed, totalMerged, .75)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`func IsPrReviewRequired(c checker.Checker) checker.CheckResult {`
Initial commit. 2020-10-09 17:47:59 +03:00			`// Look to see if review is enforced.`
			`r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)`
			`if err != nil {`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.RetryResult(err)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

			`// Check the branch protection rules, we may not be able to get these though.`
			`bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch())`
			`if err != nil {`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.InconclusiveResult`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
			`if bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 {`
Lower pr review policy confidence to enforce GithubCodeReview (#19) PR review policy is good to check but keep its confidence low since actual enforcement is checked by GithubCodeReview and ProwCodeReview and those values should be used. 2020-10-18 03:09:35 +03:00			`c.Logf("pr review policy enforced")`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.CheckResult{`
Initial commit. 2020-10-09 17:47:59 +03:00			`Pass: true,`
Lower pr review policy confidence to enforce GithubCodeReview (#19) PR review policy is good to check but keep its confidence low since actual enforcement is checked by GithubCodeReview and ProwCodeReview and those values should be used. 2020-10-18 03:09:35 +03:00			`Confidence: 5,`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
			`}`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.InconclusiveResult`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`func ProwCodeReview(c checker.Checker) checker.CheckResult {`
Initial commit. 2020-10-09 17:47:59 +03:00			`// Look at some merged PRs to see if they were reviewed`
			`prs, _, err := c.Client.PullRequests.List(c.Ctx, c.Owner, c.Repo, &github.PullRequestListOptions{`
			`State: "closed",`
			`})`
			`if err != nil {`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.InconclusiveResult`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

			`totalMerged := 0`
			`totalReviewed := 0`
			`for _, pr := range prs {`
			`if pr.MergedAt == nil {`
			`continue`
			`}`
			`totalMerged++`
			`for _, l := range pr.Labels {`
			`if l.GetName() == "lgtm" \|\| l.GetName() == "approved" {`
			`totalReviewed++`
			`break`
			`}`
			`}`
			`}`
Fix bugs in test and code review detection. 2020-10-12 20:18:40 +03:00
			`if totalReviewed == 0 {`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.InconclusiveResult`
Fix bugs in test and code review detection. 2020-10-12 20:18:40 +03:00			`}`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`c.Logf("prow code reviews found")`
			`return checker.ProportionalResult(totalReviewed, totalMerged, .75)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`