scorecard/checks/security_policy.go

// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package checks

import (
	"path"

	"github.com/dlorenc/scorecard/checker"
	"github.com/google/go-github/v32/github"
)

func init() {
	registerCheck("Security-Policy", SecurityPolicy)
}

func SecurityPolicy(c checker.Checker) checker.CheckResult {
	for _, securityFile := range []string{"SECURITY.md", "security.md"} {
		for _, dirs := range []string{"", ".github", "docs"} {
			fp := path.Join(dirs, securityFile)
			dc, err := c.Client.Repositories.DownloadContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{})
			if err != nil {
				continue
			}
			dc.Close()
			c.Logf("security policy found: %s", fp)
			return checker.CheckResult{
				Pass:       true,
				Confidence: 10,
			}
		}
	}
	return checker.CheckResult{
		Pass:       false,
		Confidence: 10,
	}
}
Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`// Copyright 2020 Security Scorecard Authors`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Initial commit. 2020-10-09 17:47:59 +03:00			`package checks`

			`import (`
Add docs directory for security.md Part of doc at https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository 2020-10-17 09:20:46 +03:00			`"path"`

Initial commit. 2020-10-09 17:47:59 +03:00			`"github.com/dlorenc/scorecard/checker"`
			`"github.com/google/go-github/v32/github"`
			`)`

			`func init() {`
Add docs directory for security.md Part of doc at https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository 2020-10-17 09:20:46 +03:00			`registerCheck("Security-Policy", SecurityPolicy)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

Add docs directory for security.md Part of doc at https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository 2020-10-17 09:20:46 +03:00			`func SecurityPolicy(c checker.Checker) checker.CheckResult {`
			`for _, securityFile := range []string{"SECURITY.md", "security.md"} {`
			`for _, dirs := range []string{"", ".github", "docs"} {`
			`fp := path.Join(dirs, securityFile)`
			`dc, err := c.Client.Repositories.DownloadContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{})`
			`if err != nil {`
			`continue`
			`}`
			`dc.Close()`
			`c.Logf("security policy found: %s", fp)`
			`return checker.CheckResult{`
			`Pass: true,`
			`Confidence: 10,`
			`}`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
			`}`
Start to add support for detailed logging. 2020-10-13 18:35:55 +03:00			`return checker.CheckResult{`
Initial commit. 2020-10-09 17:47:59 +03:00			`Pass: false,`
			`Confidence: 10,`
			`}`
			`}`