🌱 convert CII Best Practices check to probes (#3520)

* 🌱 convert CII Best Practices check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'NOT' to 'not' Signed-off-by: AdamKorcz <adam@adalogics.com> * Change wording in probes Signed-off-by: AdamKorcz <adam@adalogics.com> * add links to text Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * Edit text in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * remove hasBadgeNotFound probe Signed-off-by: AdamKorcz <adam@adalogics.com> * remove 'that' from text Signed-off-by: AdamKorcz <adam@adalogics.com> * use CreateMinScoreResult instead of CreateResultWithScore Signed-off-by: AdamKorcz <adam@adalogics.com> * use MaxResultScore instead of maxScore Signed-off-by: AdamKorcz <adam@adalogics.com> * return CreateRuntimeErrorResult sooner rather than later Signed-off-by: AdamKorcz <adam@adalogics.com> * Combine probes into one Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove minScore variable Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove 'hasInProgressBadge' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * make badge levels global variables Signed-off-by: Adam Korczynski <adam@adalogics.com> * return -1 for unsupported badge Signed-off-by: Adam Korczynski <adam@adalogics.com> * change text for unknown and unsupported badges Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>
2024-09-11 08:55:27 +03:00 · 2023-11-28 20:02:26 +00:00 · 2023-11-28 20:02:26 +00:00 · 9b5d762a7d
commit 9b5d762a7d
parent 68573209d6
7 changed files with 421 additions and 93 deletions
--- a/checks/cii_best_practices.go
+++ b/checks/cii_best_practices.go
@ -19,6 +19,8 @@ import (
 	"github.com/ossf/scorecard/v4/checks/evaluation"
 	"github.com/ossf/scorecard/v4/checks/raw"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/probes"
+	"github.com/ossf/scorecard/v4/probes/zrunner"
 )

 // CheckCIIBestPractices is the registered name for CIIBestPractices.
@ -40,11 +42,17 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult {
 		return checker.CreateRuntimeErrorResult(CheckCIIBestPractices, e)
 	}

-	// Return raw results.
-	if c.RawResults != nil {
-		c.RawResults.CIIBestPracticesResults = rawData
+	// Set the raw results.
+	pRawResults := getRawResults(c)
+	pRawResults.CIIBestPracticesResults = rawData
+
+	// Evaluate the probes.
+	findings, err := zrunner.Run(pRawResults, probes.CIIBestPractices)
+	if err != nil {
+		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+		return checker.CreateRuntimeErrorResult(CheckCIIBestPractices, e)
 	}

 	// Return the score evaluation.
-	return evaluation.CIIBestPractices(CheckCIIBestPractices, c.Dlogger, &rawData)
+	return evaluation.CIIBestPractices(CheckCIIBestPractices, findings, c.Dlogger)
 }
--- a/checks/evaluation/cii_best_practices.go
+++ b/checks/evaluation/cii_best_practices.go
@ -15,14 +15,12 @@
 package evaluation

 import (
-	"fmt"
-
 	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/clients"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/hasOpenSSFBadge"
 )

-// Note: exported for unit tests.
 const (
 	silverScore = 7
 	// Note: if this value is changed, please update the action's threshold score
@ -32,31 +30,54 @@ const (
 )

 // CIIBestPractices applies the score policy for the CIIBestPractices check.
-func CIIBestPractices(name string, _ checker.DetailLogger, r *checker.CIIBestPracticesData) checker.CheckResult {
-	if r == nil {
-		e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
+func CIIBestPractices(name string,
+	findings []finding.Finding, dl checker.DetailLogger,
+) checker.CheckResult {
+	expectedProbes := []string{
+		hasOpenSSFBadge.Probe,
+	}
+
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
 		return checker.CreateRuntimeErrorResult(name, e)
 	}

-	var results checker.CheckResult
-	switch r.Badge {
-	case clients.NotFound:
-		results = checker.CreateMinScoreResult(name, "no effort to earn an OpenSSF best practices badge detected")
-	case clients.InProgress:
-		msg := fmt.Sprintf("badge detected: %v", r.Badge)
-		results = checker.CreateResultWithScore(name, msg, inProgressScore)
-	case clients.Passing:
-		msg := fmt.Sprintf("badge detected: %v", r.Badge)
-		results = checker.CreateResultWithScore(name, msg, passingScore)
-	case clients.Silver:
-		msg := fmt.Sprintf("badge detected: %v", r.Badge)
-		results = checker.CreateResultWithScore(name, msg, silverScore)
-	case clients.Gold:
-		msg := fmt.Sprintf("badge detected: %v", r.Badge)
-		results = checker.CreateMaxScoreResult(name, msg)
-	case clients.Unknown:
-		e := sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("unsupported badge: %v", r.Badge))
-		results = checker.CreateRuntimeErrorResult(name, e)
+	var score int
+	var text string
+
+	if len(findings) != 1 {
+		errText := "invalid probe results: multiple findings detected"
+		e := sce.WithMessage(sce.ErrScorecardInternal, errText)
+		return checker.CreateRuntimeErrorResult(name, e)
 	}
-	return results
+
+	f := &findings[0]
+	if f.Outcome == finding.OutcomeNegative {
+		text = "no effort to earn an OpenSSF best practices badge detected"
+		return checker.CreateMinScoreResult(name, text)
+	}
+	//nolint:nestif
+	if _, hasKey := f.Values[hasOpenSSFBadge.GoldLevel]; hasKey {
+		score = checker.MaxResultScore
+		text = "badge detected: Gold"
+	} else if _, hasKey := f.Values[hasOpenSSFBadge.SilverLevel]; hasKey {
+		score = silverScore
+		text = "badge detected: Silver"
+	} else if _, hasKey := f.Values[hasOpenSSFBadge.PassingLevel]; hasKey {
+		score = passingScore
+		text = "badge detected: Passing"
+	} else if _, hasKey := f.Values[hasOpenSSFBadge.InProgressLevel]; hasKey {
+		score = inProgressScore
+		text = "badge detected: InProgress"
+	} else if _, hasKey := f.Values[hasOpenSSFBadge.UnknownLevel]; hasKey {
+		text = "unknown badge detected"
+		e := sce.WithMessage(sce.ErrScorecardInternal, text)
+		return checker.CreateRuntimeErrorResult(name, e)
+	} else {
+		text = "unsupported badge detected"
+		e := sce.WithMessage(sce.ErrScorecardInternal, text)
+		return checker.CreateRuntimeErrorResult(name, e)
+	}
+
+	return checker.CreateResultWithScore(name, text, score)
 }
--- a/checks/evaluation/cii_best_practices_test.go
+++ b/checks/evaluation/cii_best_practices_test.go
@ -16,71 +16,136 @@ package evaluation
 import (
 	"testing"

-	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/clients"
+	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/hasOpenSSFBadge"
+	scut "github.com/ossf/scorecard/v4/utests"
 )

 func TestCIIBestPractices(t *testing.T) {
-	t.Run("CIIBestPractices", func(t *testing.T) {
-		t.Run("in progress", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.InProgress,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != inProgressScore {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, inProgressScore)
+	t.Parallel()
+	tests := []struct {
+		name     string
+		findings []finding.Finding
+		result   scut.TestReturn
+	}{
+		{
+			name: "Unsupported badge found with negative finding",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomeNegative,
+					Values: map[string]int{
+						"Unsupported": 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: 0,
+			},
+		},
+		{
+			name: "Unsupported badge found with positive finding",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						"Unsupported": 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: -1,
+				Error: sce.ErrScorecardInternal,
+			},
+		},
+		{
+			name: "Has InProgress Badge",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						hasOpenSSFBadge.InProgressLevel: 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: 2,
+			},
+		},
+		{
+			name: "Has Passing Badge",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						hasOpenSSFBadge.PassingLevel: 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: 5,
+			},
+		},
+		{
+			name: "Has Silver Badge",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						hasOpenSSFBadge.SilverLevel: 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: 7,
+			},
+		},
+		{
+			name: "Has Gold Badge",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						hasOpenSSFBadge.GoldLevel: 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: 10,
+			},
+		},
+		{
+			name: "Has Unknown Badge",
+			findings: []finding.Finding{
+				{
+					Probe:   "hasOpenSSFBadge",
+					Outcome: finding.OutcomePositive,
+					Values: map[string]int{
+						"Unknown": 1,
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score: -1,
+				Error: sce.ErrScorecardInternal,
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Parallel testing
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			dl := scut.TestDetailLogger{}
+			got := CIIBestPractices(tt.name, tt.findings, &dl)
+			if !scut.ValidateTestReturn(t, tt.name, &tt.result, &got, &dl) {
+				t.Errorf("got %v, expected %v", got, tt.result)
 			}
 		})
-		t.Run("passing", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.Passing,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != passingScore {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, passingScore)
-			}
-		})
-		t.Run("silver", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.Silver,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != silverScore {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, silverScore)
-			}
-		})
-		t.Run("gold", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.Gold,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != checker.MaxResultScore {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, checker.MaxResultScore)
-			}
-		})
-		t.Run("not found", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.NotFound,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != checker.MinResultScore {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, checker.MinResultScore)
-			}
-		})
-		t.Run("error", func(t *testing.T) {
-			r := &checker.CIIBestPracticesData{
-				Badge: clients.Unknown,
-			}
-			result := CIIBestPractices("CIIBestPractices", nil, r)
-			if result.Score != -1 {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, -1)
-			}
-		})
-		t.Run("nil response", func(t *testing.T) {
-			result := CIIBestPractices("CIIBestPractices", nil, nil)
-			if result.Score != -1 {
-				t.Errorf("CIIBestPractices() = %v, want %v", result.Score, -1)
-			}
-		})
-	})
+	}
 }
--- a/probes/entries.go
+++ b/probes/entries.go
@ -36,6 +36,7 @@ import (
 	"github.com/ossf/scorecard/v4/probes/hasLicenseFile"
 	"github.com/ossf/scorecard/v4/probes/hasLicenseFileAtTopDir"
 	"github.com/ossf/scorecard/v4/probes/hasOSVVulnerabilities"
+	"github.com/ossf/scorecard/v4/probes/hasOpenSSFBadge"
 	"github.com/ossf/scorecard/v4/probes/hasRecentCommits"
 	"github.com/ossf/scorecard/v4/probes/issueActivityByProjectMember"
 	"github.com/ossf/scorecard/v4/probes/notArchived"
@ -117,6 +118,9 @@ var (
 		issueActivityByProjectMember.Run,
 		notCreatedRecently.Run,
 	}
+	CIIBestPractices = []ProbeImpl{
+		hasOpenSSFBadge.Run,
+	}
 )

 //nolint:gochecknoinits
--- a/probes/hasOpenSSFBadge/def.yml
+++ b/probes/hasOpenSSFBadge/def.yml
@ -0,0 +1,29 @@
+# Copyright 2023 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id: hasOpenSSFBadge
+short: This check determines whether the project has an OpenSSF (formerly CII) Best Practices Badge.
+motivation: >
+  The OpenSSF Best Practices badge indicates whether or not the project uses a set of security-focused best development practices for open source software.
+implementation: >
+  The probe checks the type of the badge from the raw results.
+outcome:
+  - If the project has a badge, the probe returns one OutcomePositive (1). The finding includes an entry in the `Values` map with the key describing the badge level.
+  - If the project does not have a badge, the probe returns one OutcomeNegative (0).
+remediation:
+  effort: High
+  text:
+    - Learn about best practices by following [the OpenSSF Best Practices Badge criteria](https://www.bestpractices.dev/en/criteria/0).
+  markdown:
+    - Learn about best practices by following [the OpenSSF Best Practices Badge criteria](https://www.bestpractices.dev/en/criteria/0).
--- a/probes/hasOpenSSFBadge/impl.go
+++ b/probes/hasOpenSSFBadge/impl.go
@ -0,0 +1,80 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:stylecheck
+package hasOpenSSFBadge
+
+import (
+	"embed"
+	"fmt"
+
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/clients"
+	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/internal/utils/uerror"
+)
+
+//go:embed *.yml
+var fs embed.FS
+
+const (
+	Probe           = "hasOpenSSFBadge"
+	GoldLevel       = "Gold"
+	SilverLevel     = "Silver"
+	PassingLevel    = "Passing"
+	InProgressLevel = "InProgress"
+	UnknownLevel    = "Unknown"
+)
+
+func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
+	if raw == nil {
+		return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil)
+	}
+
+	r := raw.CIIBestPracticesResults
+	var badgeLevel string
+
+	switch r.Badge {
+	case clients.Gold:
+		badgeLevel = GoldLevel
+	case clients.Silver:
+		badgeLevel = SilverLevel
+	case clients.Passing:
+		badgeLevel = PassingLevel
+	case clients.InProgress:
+		badgeLevel = InProgressLevel
+	case clients.Unknown:
+		badgeLevel = UnknownLevel
+	default:
+		f, err := finding.NewWith(fs, Probe,
+			"Project does not have an OpenSSF badge", nil,
+			finding.OutcomeNegative)
+		if err != nil {
+			return nil, Probe, fmt.Errorf("create finding: %w", err)
+		}
+		return []finding.Finding{*f}, Probe, nil
+	}
+
+	f, err := finding.NewWith(fs, Probe,
+		fmt.Sprintf("OpenSSF best practice badge found at %s level.", badgeLevel),
+		nil, finding.OutcomePositive)
+	if err != nil {
+		return nil, Probe, fmt.Errorf("create finding: %w", err)
+	}
+
+	f = f.WithValues(map[string]int{
+		badgeLevel: 1,
+	})
+	return []finding.Finding{*f}, Probe, nil
+}
--- a/probes/hasOpenSSFBadge/impl_test.go
+++ b/probes/hasOpenSSFBadge/impl_test.go
@ -0,0 +1,121 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:stylecheck
+package hasOpenSSFBadge
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/clients"
+	"github.com/ossf/scorecard/v4/finding"
+)
+
+func Test_Run(t *testing.T) {
+	t.Parallel()
+	//nolint:govet
+	tests := []struct {
+		name     string
+		raw      *checker.RawResults
+		outcomes []finding.Outcome
+		err      error
+	}{
+		{
+			name: "Has Gold badge",
+			raw: &checker.RawResults{
+				CIIBestPracticesResults: checker.CIIBestPracticesData{
+					Badge: clients.Gold,
+				},
+			},
+			outcomes: []finding.Outcome{
+				finding.OutcomePositive,
+			},
+		},
+		{
+			name: "Has Silver badge",
+			raw: &checker.RawResults{
+				CIIBestPracticesResults: checker.CIIBestPracticesData{
+					Badge: clients.Silver,
+				},
+			},
+			outcomes: []finding.Outcome{
+				finding.OutcomePositive,
+			},
+		},
+		{
+			name: "Has Passing badge",
+			raw: &checker.RawResults{
+				CIIBestPracticesResults: checker.CIIBestPracticesData{
+					Badge: clients.Passing,
+				},
+			},
+			outcomes: []finding.Outcome{
+				finding.OutcomePositive,
+			},
+		},
+		{
+			name: "Has InProgress badge",
+			raw: &checker.RawResults{
+				CIIBestPracticesResults: checker.CIIBestPracticesData{
+					Badge: clients.InProgress,
+				},
+			},
+			outcomes: []finding.Outcome{
+				finding.OutcomePositive,
+			},
+		},
+		{
+			name: "Has Unknown badge",
+			raw: &checker.RawResults{
+				CIIBestPracticesResults: checker.CIIBestPracticesData{
+					Badge: clients.Unknown,
+				},
+			},
+			outcomes: []finding.Outcome{
+				finding.OutcomePositive,
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			findings, s, err := Run(tt.raw)
+			if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) {
+				t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors()))
+			}
+			if err != nil {
+				return
+			}
+			if diff := cmp.Diff(Probe, s); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(len(tt.outcomes), len(findings)); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+			for i := range tt.outcomes {
+				outcome := &tt.outcomes[i]
+				f := &findings[i]
+				if diff := cmp.Diff(*outcome, f.Outcome); diff != "" {
+					t.Errorf("mismatch (-want +got):\n%s", diff)
+				}
+			}
+		})
+	}
+}