ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-17 11:57:12 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Remove PullRequest check (#771)

Browse Source 
Co-authored-by: Azeem Shaikh <azeems@google.com>
This commit is contained in:
Azeem Shaikh 2021-07-29 13:58:36 -07:00 committed by GitHub
parent 59e14eef80
commit 1e6d99eb20
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 42 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
README.md
View File

@ -7,22 +7,22 @@
<!-- vim-markdown-toc GFM -->
* [Motivation](#motivation)
* [Goals](#goals)
* [Scorecard Checks](#scorecard-checks)
* [Usage](#usage)
* [Docker](#docker)
* [Using repository URL](#using-repository-url)
* [Using a Package manager](#using-a-package-manager)
* [Running specific checks](#running-specific-checks)
* [Authentication](#authentication)
* [Understanding Scorecard results](#understanding-scorecard-results)
* [Formatting Results](#formatting-results)
* [Public Data](#public-data)
* [Adding a Scorecard Check](#adding-a-scorecard-check)
* [Troubleshooting](#troubleshooting)
* [Supportability](#supportability)
* [Contributing](#contributing)
* [Motivation](#motivation)
* [Goals](#goals)
* [Scorecard Checks](#scorecard-checks)
* [Usage](#usage)
* [Docker](#docker)
* [Using repository URL](#using-repository-url)
* [Using a Package manager](#using-a-package-manager)
* [Running specific checks](#running-specific-checks)
* [Authentication](#authentication)
* [Understanding Scorecard results](#understanding-scorecard-results)
* [Formatting Results](#formatting-results)
* [Public Data](#public-data)
* [Adding a Scorecard Check](#adding-a-scorecard-check)
* [Troubleshooting](#troubleshooting)
* [Supportability](#supportability)
* [Contributing](#contributing)
<!-- vim-markdown-toc -->
@ -43,27 +43,25 @@ passed! All D's ... and an A!"
The following checks are all run against the target project by default:
Name | Description
------------------ | -----------
Active | Did the project get any commits in the last 90 days?
Name | Description
--------------------------- | -----------
Active | Did the project get any commits in the last 90 days?
Automatic-Dependency-Update | Does the project use tools to automatically update its dependencies?
Binary-Artifacts | Is the project free of checked-in binaries?
Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?
CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
Code-Review | Does the project require code review before code is merged?
Contributors | Does the project have contributors from at least two different organizations?
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
Pull-Requests | Does the project use [Pull Requests](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests) for all code changes?
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
Signed-Tags | Does the project cryptographically sign release tags?
Token-Permissions | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?
Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev).
Binary-Artifacts | Is the project free of checked-in binaries?
Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?
CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
Code-Review | Does the project require code review before code is merged?
Contributors | Does the project have contributors from at least two different organizations?
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
Signed-Tags | Does the project cryptographically sign release tags?
Token-Permissions | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?
Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev).
To see detailed information about each check and remediation steps, check out
the [checks documentation page](checks/checks.md).
@ -76,7 +74,7 @@ the [checks documentation page](checks/checks.md).
The `GITHUB_AUTH_TOKEN` has to be set to a valid [token](#Authentication)
``` shell
```shell
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:latest --show-details --repo=https://github.com/ossf/scorecard
```
@ -146,13 +144,14 @@ Token-Permissions: Pass 10
```
For more details why a check fails, use the `--show-details` option:
```
./scorecard --repo=github.com/kubernetes/kubernetes --checks Frozen-Deps --show-details
Starting [Frozen-Deps]
Finished [Frozen-Deps]
RESULTS
-------
## RESULTS
Repo: github.com/kubernetes/kubernetes
Frozen-Deps: Fail 10
...
@ -233,10 +232,10 @@ For example, `--checks=CI-Tests,Code-Review`.
Before running Scorecard, you need to, either:
- [create a GitHub access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)
and set it in an environment variable called `GITHUB_AUTH_TOKEN`, `GITHUB_TOKEN`, `GH_AUTH_TOKEN` or `GH_TOKEN`. This helps to avoid
the GitHub's
[api rate limits](https://developer.github.com/v3/#rate-limiting) with
unauthenticated requests.
and set it in an environment variable called `GITHUB_AUTH_TOKEN`,
`GITHUB_TOKEN`, `GH_AUTH_TOKEN` or `GH_TOKEN`. This helps to avoid the
GitHub's [api rate limits](https://developer.github.com/v3/#rate-limiting)
with unauthenticated requests.
```shell
# For posix platforms, e.g. linux, mac:

84
checks/pull_requests.go
View File

@ -1,84 +0,0 @@
// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package checks
import (
"fmt"
"strings"
"github.com/google/go-github/v32/github"
"github.com/ossf/scorecard/v2/checker"
sce "github.com/ossf/scorecard/v2/errors"
)
// CheckPullRequests is the registered name for PullRequests.
const CheckPullRequests = "Pull-Requests"
//nolint:gochecknoinits
func init() {
registerCheck(CheckPullRequests, PullRequests)
}
func PullRequests(c *checker.CheckRequest) checker.CheckResult {
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
if err != nil {
e := sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("Client.Repositories.ListCommits: %v", err))
return checker.CreateRuntimeErrorResult(CheckPullRequests, e)
}
total := 0
totalWithPrs := 0
for _, commit := range commits {
isBot := false
committer := commit.GetCommitter().GetLogin()
for _, substring := range []string{"bot", "gardener"} {
if strings.Contains(committer, substring) {
isBot = true
break
}
}
if isBot {
c.Dlogger.Debug("skip commit from bot account: %s", committer)
continue
}
total++
// check for gerrit use via Reviewed-on
commitMessage := commit.GetCommit().GetMessage()
if strings.Contains(commitMessage, "\nReviewed-on: ") {
totalWithPrs++
c.Dlogger.Debug("Gerrit reviewed commit: %s", commit.GetSHA())
continue
}
prs, _, err := c.Client.PullRequests.ListPullRequestsWithCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA(),
&github.PullRequestListOptions{})
if err != nil {
e := sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("Client.PullRequests.ListPullRequestsWithCommit: %v", err))
return checker.CreateRuntimeErrorResult(CheckPullRequests, e)
}
if len(prs) > 0 {
totalWithPrs++
c.Dlogger.Debug("commit with PR: %s", commit.GetSHA())
} else {
c.Dlogger.Debug("found commit without PR: %s, committer: %s", commit.GetSHA(), commit.GetCommitter().GetLogin())
}
}
reason := fmt.Sprintf("%d ouf of %d commits have a PR", totalWithPrs, total)
return checker.CreateProportionalScoreResult(CheckPullRequests, reason, totalWithPrs, total)
}

11
docs/checks.md
View File

@ -116,17 +116,6 @@ The checks works by (1) looking for the following files in the root directory: g
- For Dockerfiles and GitHub workflows, pin dependencies by hash. See example [gitcache-docker.yaml](https://github.com/ossf/scorecard/blob/main/.github/workflows/gitcache-docker.yaml#L36) and [Dockerfile](https://github.com/ossf/scorecard/blob/main/cron/worker/Dockerfile) examples.
- To help update your dependencies after pinning them, use tools such as Github's [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) or [renovate bot](https://github.com/renovatebot/renovate).
## Pull-Requests
This check tries to determine if the project requires pull requests for all changes to the default branch.
Reviewing code improves quality of code in general. In addition, it ensures compromised contributors cannot intentionally inject malicious code. A low score is therefore considered `High` risk.
The check works by looking at recent commits (first page, ~30) and uses the GitHub API to search for associated pull requests.
**Remediation steps**
- Always open a pull request for any change you intend to make, big or small.
- Make "pull requests" mandatory in your repository configuration. E.g. [GitHub](https://docs.github.com/en/github/administering-a-repository/about-protected-branches#require-pull-request-reviews-before-merging)
- Enforce the rule for administrators / code owners as well. E.g. [GitHub](https://docs.github.com/en/github/administering-a-repository/about-protected-branches#include-administrators)
## SAST
This check tries to determine if the project uses static code analysis systems.

21
docs/checks/checks.yaml
View File

@ -227,27 +227,6 @@ checks:
To help update your dependencies after pinning them, use tools such as
Github's [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/)
or [renovate bot](https://github.com/renovatebot/renovate).
Pull-Requests:
risk: High
description: >-
This check tries to determine if the project requires pull requests for
all changes to the default branch.
Reviewing code improves quality of code in general. In addition, it ensures
compromised contributors cannot intentionally inject malicious code. A low
score is therefore considered `High` risk.
The check works by looking at recent commits (first page, ~30) and uses
the GitHub API to search for associated pull requests.
remediation:
- >-
Always open a pull request for any change you intend to make, big or small.
- >-
Make "pull requests" mandatory in your repository configuration. E.g.
[GitHub](https://docs.github.com/en/github/administering-a-repository/about-protected-branches#require-pull-request-reviews-before-merging)
- >-
Enforce the rule for administrators / code owners as well. E.g.
[GitHub](https://docs.github.com/en/github/administering-a-repository/about-protected-branches#include-administrators)
SAST:
risk: Medium
description: >-

58
e2e/pull_requests_test.go
View File

@ -1,58 +0,0 @@
// Copyright 2021 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package e2e
import (
"context"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/ossf/scorecard/v2/checker"
"github.com/ossf/scorecard/v2/checks"
scut "github.com/ossf/scorecard/v2/utests"
)
var _ = Describe("E2E TEST:PullRequests", func() {
Context("E2E TEST:Validating use of pull requests", func() {
It("Should return use of pull requests", func() {
dl := scut.TestDetailLogger{}
req := checker.CheckRequest{
Ctx: context.Background(),
Client: ghClient,
HTTPClient: httpClient,
RepoClient: nil,
Owner: "apache",
Repo: "airflow",
GraphClient: graphClient,
Dlogger: &dl,
}
expected := scut.TestReturn{
Errors: nil,
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 0,
NumberOfDebug: 30,
}
result := checks.PullRequests(&req)
// UPGRADEv2: to remove.
// Old version.
Expect(result.Error).Should(BeNil())
Expect(result.Pass).Should(BeTrue())
// New version.
Expect(scut.ValidateTestReturn(nil, "pull request used", &expected, &result, &dl)).Should(BeTrue())
})
})
})