mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
✨ Raw results for Signed-Release check (#1789)
* Raw results for Signed-Releases * updates * linter
This commit is contained in:
parent
e8c633a41b
commit
27dbf9c7e5
@ -18,6 +18,7 @@ import "time"
|
|||||||
|
|
||||||
// RawResults contains results before a policy
|
// RawResults contains results before a policy
|
||||||
// is applied.
|
// is applied.
|
||||||
|
//nolint
|
||||||
type RawResults struct {
|
type RawResults struct {
|
||||||
VulnerabilitiesResults VulnerabilitiesData
|
VulnerabilitiesResults VulnerabilitiesData
|
||||||
BinaryArtifactResults BinaryArtifactData
|
BinaryArtifactResults BinaryArtifactData
|
||||||
@ -27,6 +28,7 @@ type RawResults struct {
|
|||||||
CodeReviewResults CodeReviewData
|
CodeReviewResults CodeReviewData
|
||||||
WebhookResults WebhooksData
|
WebhookResults WebhooksData
|
||||||
MaintainedResults MaintainedData
|
MaintainedResults MaintainedData
|
||||||
|
SignedReleasesResults SignedReleasesData
|
||||||
}
|
}
|
||||||
|
|
||||||
// MaintainedData contains the raw results
|
// MaintainedData contains the raw results
|
||||||
@ -63,6 +65,12 @@ type BinaryArtifactData struct {
|
|||||||
Files []File
|
Files []File
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SignedReleasesData contains the raw results
|
||||||
|
// for the Signed-Releases check.
|
||||||
|
type SignedReleasesData struct {
|
||||||
|
Releases []Release
|
||||||
|
}
|
||||||
|
|
||||||
// DependencyUpdateToolData contains the raw results
|
// DependencyUpdateToolData contains the raw results
|
||||||
// for the Dependency-Update-Tool check.
|
// for the Dependency-Update-Tool check.
|
||||||
type DependencyUpdateToolData struct {
|
type DependencyUpdateToolData struct {
|
||||||
@ -227,3 +235,17 @@ type Vulnerability struct {
|
|||||||
ID string
|
ID string
|
||||||
// TODO(vuln): Add additional fields, if needed.
|
// TODO(vuln): Add additional fields, if needed.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Release represents a project release.
|
||||||
|
type Release struct {
|
||||||
|
Tag string
|
||||||
|
URL string
|
||||||
|
Assets []ReleaseAsset
|
||||||
|
// TODO: add needed fields, e.g. Path.
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReleaseAsset represents a release asset.
|
||||||
|
type ReleaseAsset struct {
|
||||||
|
Name string
|
||||||
|
URL string
|
||||||
|
}
|
||||||
|
91
checks/evaluation/signed_releases.go
Normal file
91
checks/evaluation/signed_releases.go
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
// Copyright 2021 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package evaluation
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/ossf/scorecard/v4/checker"
|
||||||
|
sce "github.com/ossf/scorecard/v4/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
var artifactExtensions = []string{".asc", ".minisig", ".sig", ".sign"}
|
||||||
|
|
||||||
|
const releaseLookBack = 5
|
||||||
|
|
||||||
|
// SignedReleases applies the score policy for the Signed-Releases check.
|
||||||
|
func SignedReleases(name string, dl checker.DetailLogger, r *checker.SignedReleasesData) checker.CheckResult {
|
||||||
|
if r == nil {
|
||||||
|
e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
|
||||||
|
return checker.CreateRuntimeErrorResult(name, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
totalReleases := 0
|
||||||
|
totalSigned := 0
|
||||||
|
|
||||||
|
for _, release := range r.Releases {
|
||||||
|
if len(release.Assets) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
dl.Debug(&checker.LogMessage{
|
||||||
|
Text: fmt.Sprintf("GitHub release found: %s", release.Tag),
|
||||||
|
})
|
||||||
|
|
||||||
|
totalReleases++
|
||||||
|
signed := false
|
||||||
|
|
||||||
|
for _, asset := range release.Assets {
|
||||||
|
for _, suffix := range artifactExtensions {
|
||||||
|
if strings.HasSuffix(asset.Name, suffix) {
|
||||||
|
dl.Info(&checker.LogMessage{
|
||||||
|
Path: asset.URL,
|
||||||
|
Type: checker.FileTypeURL,
|
||||||
|
Text: fmt.Sprintf("signed release artifact: %s", asset.Name),
|
||||||
|
})
|
||||||
|
signed = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if signed {
|
||||||
|
totalSigned++
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !signed {
|
||||||
|
dl.Warn(&checker.LogMessage{
|
||||||
|
Path: release.URL,
|
||||||
|
Type: checker.FileTypeURL,
|
||||||
|
Text: fmt.Sprintf("release artifact %s not signed", release.Tag),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
if totalReleases >= releaseLookBack {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if totalReleases == 0 {
|
||||||
|
dl.Warn(&checker.LogMessage{
|
||||||
|
Text: "no GitHub releases found",
|
||||||
|
})
|
||||||
|
// Generic summary.
|
||||||
|
return checker.CreateInconclusiveResult(name, "no releases found")
|
||||||
|
}
|
||||||
|
|
||||||
|
reason := fmt.Sprintf("%d out of %d artifacts are signed", totalSigned, totalReleases)
|
||||||
|
return checker.CreateProportionalScoreResult(name, reason, totalSigned, totalReleases)
|
||||||
|
}
|
49
checks/raw/signed_releases.go
Normal file
49
checks/raw/signed_releases.go
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
// Copyright 2020 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package raw
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/ossf/scorecard/v4/checker"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SignedReleases checks for presence of signed release check.
|
||||||
|
func SignedReleases(c *checker.CheckRequest) (checker.SignedReleasesData, error) {
|
||||||
|
releases, err := c.RepoClient.ListReleases()
|
||||||
|
if err != nil {
|
||||||
|
return checker.SignedReleasesData{}, fmt.Errorf("%w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
var results checker.SignedReleasesData
|
||||||
|
for i, r := range releases {
|
||||||
|
results.Releases = append(results.Releases,
|
||||||
|
checker.Release{
|
||||||
|
Tag: r.TagName,
|
||||||
|
URL: r.URL,
|
||||||
|
})
|
||||||
|
|
||||||
|
for _, asset := range r.Assets {
|
||||||
|
a := checker.ReleaseAsset{
|
||||||
|
URL: asset.URL,
|
||||||
|
Name: asset.Name,
|
||||||
|
}
|
||||||
|
results.Releases[i].Assets = append(results.Releases[i].Assets, a)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return raw results.
|
||||||
|
return results, nil
|
||||||
|
}
|
@ -15,28 +15,29 @@
|
|||||||
package raw
|
package raw
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
"github.com/ossf/scorecard/v4/checker"
|
"github.com/ossf/scorecard/v4/checker"
|
||||||
"github.com/ossf/scorecard/v4/clients"
|
"github.com/ossf/scorecard/v4/clients"
|
||||||
sce "github.com/ossf/scorecard/v4/errors"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var errNoCommitFound = errors.New("no commit found")
|
||||||
|
|
||||||
// Vulnerabilities retrieves the raw data for the Vulnerabilities check.
|
// Vulnerabilities retrieves the raw data for the Vulnerabilities check.
|
||||||
func Vulnerabilities(c *checker.CheckRequest) (checker.VulnerabilitiesData, error) {
|
func Vulnerabilities(c *checker.CheckRequest) (checker.VulnerabilitiesData, error) {
|
||||||
commits, err := c.RepoClient.ListCommits()
|
commits, err := c.RepoClient.ListCommits()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return checker.VulnerabilitiesData{},
|
return checker.VulnerabilitiesData{}, fmt.Errorf("repoClient.ListCommits: %w", err)
|
||||||
sce.WithMessage(sce.ErrScorecardInternal, "Client.Repositories.ListCommits")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(commits) < 1 || commits[0].SHA == "" {
|
if len(commits) < 1 || commits[0].SHA == "" {
|
||||||
return checker.VulnerabilitiesData{},
|
return checker.VulnerabilitiesData{}, fmt.Errorf("%w", errNoCommitFound)
|
||||||
sce.WithMessage(sce.ErrScorecardInternal, "no commits found")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resp, err := c.VulnerabilitiesClient.HasUnfixedVulnerabilities(c.Ctx, commits[0].SHA)
|
resp, err := c.VulnerabilitiesClient.HasUnfixedVulnerabilities(c.Ctx, commits[0].SHA)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return checker.VulnerabilitiesData{},
|
return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilitiesClient.HasUnfixedVulnerabilities: %w", err)
|
||||||
sce.WithMessage(sce.ErrScorecardInternal, "VulnerabilitiesClient.HasUnfixedVulnerabilities")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
vulnIDs := getVulnerabilities(&resp)
|
vulnIDs := getVulnerabilities(&resp)
|
||||||
|
@ -15,20 +15,14 @@
|
|||||||
package checks
|
package checks
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/ossf/scorecard/v4/checker"
|
"github.com/ossf/scorecard/v4/checker"
|
||||||
|
"github.com/ossf/scorecard/v4/checks/evaluation"
|
||||||
|
"github.com/ossf/scorecard/v4/checks/raw"
|
||||||
sce "github.com/ossf/scorecard/v4/errors"
|
sce "github.com/ossf/scorecard/v4/errors"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
// CheckSignedReleases is the registered name for SignedReleases.
|
||||||
// CheckSignedReleases is the registered name for SignedReleases.
|
const CheckSignedReleases = "Signed-Releases"
|
||||||
CheckSignedReleases = "Signed-Releases"
|
|
||||||
releaseLookBack = 5
|
|
||||||
)
|
|
||||||
|
|
||||||
var artifactExtensions = []string{".asc", ".minisig", ".sig", ".sign"}
|
|
||||||
|
|
||||||
//nolint:gochecknoinits
|
//nolint:gochecknoinits
|
||||||
func init() {
|
func init() {
|
||||||
@ -40,60 +34,17 @@ func init() {
|
|||||||
|
|
||||||
// SignedReleases runs Signed-Releases check.
|
// SignedReleases runs Signed-Releases check.
|
||||||
func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
|
func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
|
||||||
releases, err := c.RepoClient.ListReleases()
|
rawData, err := raw.SignedReleases(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
e := sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("Client.Repositories.ListReleases: %v", err))
|
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
|
||||||
return checker.CreateRuntimeErrorResult(CheckSignedReleases, e)
|
return checker.CreateRuntimeErrorResult(CheckSignedReleases, e)
|
||||||
}
|
}
|
||||||
|
|
||||||
totalReleases := 0
|
// Return raw results.
|
||||||
totalSigned := 0
|
if c.RawResults != nil {
|
||||||
for _, r := range releases {
|
c.RawResults.SignedReleasesResults = rawData
|
||||||
if len(r.Assets) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
c.Dlogger.Debug(&checker.LogMessage{
|
|
||||||
Text: fmt.Sprintf("GitHub release found: %s", r.TagName),
|
|
||||||
})
|
|
||||||
totalReleases++
|
|
||||||
signed := false
|
|
||||||
for _, asset := range r.Assets {
|
|
||||||
for _, suffix := range artifactExtensions {
|
|
||||||
if strings.HasSuffix(asset.Name, suffix) {
|
|
||||||
c.Dlogger.Info(&checker.LogMessage{
|
|
||||||
Path: asset.URL,
|
|
||||||
Type: checker.FileTypeURL,
|
|
||||||
Text: fmt.Sprintf("signed release artifact: %s", asset.Name),
|
|
||||||
})
|
|
||||||
signed = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if signed {
|
|
||||||
totalSigned++
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !signed {
|
|
||||||
c.Dlogger.Warn(&checker.LogMessage{
|
|
||||||
Path: r.URL,
|
|
||||||
Type: checker.FileTypeURL,
|
|
||||||
Text: fmt.Sprintf("release artifact %s not signed", r.TagName),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
if totalReleases >= releaseLookBack {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if totalReleases == 0 {
|
// Return the score evaluation.
|
||||||
c.Dlogger.Warn(&checker.LogMessage{
|
return evaluation.SignedReleases(CheckSignedReleases, c.Dlogger, &rawData)
|
||||||
Text: "no GitHub releases found",
|
|
||||||
})
|
|
||||||
// Generic summary.
|
|
||||||
return checker.CreateInconclusiveResult(CheckSignedReleases, "no releases found")
|
|
||||||
}
|
|
||||||
|
|
||||||
reason := fmt.Sprintf("%d out of %d artifacts are signed", totalSigned, totalReleases)
|
|
||||||
return checker.CreateProportionalScoreResult(CheckSignedReleases, reason, totalSigned, totalReleases)
|
|
||||||
}
|
}
|
||||||
|
@ -119,6 +119,19 @@ type jsonIssue struct {
|
|||||||
// TODO: add fields, e.g., state=[opened|closed]
|
// TODO: add fields, e.g., state=[opened|closed]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type jsonRelease struct {
|
||||||
|
Tag string `json:"tag"`
|
||||||
|
URL string `json:"url"`
|
||||||
|
Assets []jsonReleaseAsset `json:"assets"`
|
||||||
|
// TODO: add needed fields, e.g. Path.
|
||||||
|
}
|
||||||
|
|
||||||
|
type jsonReleaseAsset struct {
|
||||||
|
Path string `json:"path"`
|
||||||
|
URL string `json:"url"`
|
||||||
|
}
|
||||||
|
|
||||||
|
//nolint
|
||||||
type jsonRawResults struct {
|
type jsonRawResults struct {
|
||||||
// List of recent issues.
|
// List of recent issues.
|
||||||
RecentIssues []jsonIssue `json:"issues"`
|
RecentIssues []jsonIssue `json:"issues"`
|
||||||
@ -138,14 +151,33 @@ type jsonRawResults struct {
|
|||||||
DefaultBranchCommits []jsonDefaultBranchCommit `json:"default-branch-commits"`
|
DefaultBranchCommits []jsonDefaultBranchCommit `json:"default-branch-commits"`
|
||||||
// Archived status of the repo.
|
// Archived status of the repo.
|
||||||
ArchivedStatus jsonArchivedStatus `json:"archived"`
|
ArchivedStatus jsonArchivedStatus `json:"archived"`
|
||||||
|
// Releases.
|
||||||
|
Releases []jsonRelease `json:"releases"`
|
||||||
|
}
|
||||||
|
|
||||||
|
//nolint:unparam
|
||||||
|
func (r *jsonScorecardRawResult) addSignedReleasesRawResults(sr *checker.SignedReleasesData) error {
|
||||||
|
r.Results.Releases = []jsonRelease{}
|
||||||
|
for i, release := range sr.Releases {
|
||||||
|
r.Results.Releases = append(r.Results.Releases,
|
||||||
|
jsonRelease{
|
||||||
|
Tag: release.Tag,
|
||||||
|
URL: release.URL,
|
||||||
|
})
|
||||||
|
for _, asset := range release.Assets {
|
||||||
|
r.Results.Releases[i].Assets = append(r.Results.Releases[i].Assets,
|
||||||
|
jsonReleaseAsset{
|
||||||
|
Path: asset.Name,
|
||||||
|
URL: asset.URL,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getRepoAssociation(author *checker.User) *string {
|
func getRepoAssociation(author *checker.User) *string {
|
||||||
if author == nil {
|
if author == nil || author.RepoAssociation == nil {
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if author.RepoAssociation == nil {
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -367,6 +399,11 @@ func (r *jsonScorecardRawResult) fillJSONRawResults(raw *checker.RawResults) err
|
|||||||
return sce.WithMessage(sce.ErrScorecardInternal, err.Error())
|
return sce.WithMessage(sce.ErrScorecardInternal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Signed-Releases.
|
||||||
|
if err := r.addSignedReleasesRawResults(&raw.SignedReleasesResults); err != nil {
|
||||||
|
return sce.WithMessage(sce.ErrScorecardInternal, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user