mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
🐛 Address friction logs' comments (#899)
* fixes * fix * fix * fixes * doc * missing file * fixes * comments * typo
This commit is contained in:
parent
1c7c1e3c31
commit
9eb7929ebc
186
README.md
186
README.md
@ -45,16 +45,16 @@ The following checks are all run against the target project by default:
|
|||||||
|
|
||||||
Name | Description
|
Name | Description
|
||||||
--------------------------- | -----------
|
--------------------------- | -----------
|
||||||
Active | Did the project get any commits in the last 90 days?
|
|
||||||
Automatic-Dependency-Update | Does the project use tools to automatically update its dependencies?
|
|
||||||
Binary-Artifacts | Is the project free of checked-in binaries?
|
Binary-Artifacts | Is the project free of checked-in binaries?
|
||||||
Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?
|
Branch-Protection | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?
|
||||||
CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?
|
CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?
|
||||||
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
|
CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?
|
||||||
Code-Review | Does the project require code review before code is merged?
|
Code-Review | Does the project require code review before code is merged?
|
||||||
Contributors | Does the project have contributors from at least two different organizations?
|
Contributors | Does the project have contributors from at least two different organizations?
|
||||||
|
Dependency-Update-Tool | Does the project use tools to help update its dependencies?
|
||||||
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
|
Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?
|
||||||
Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
|
Maintained | Is the project maintained?
|
||||||
|
Pinned-Dependencies | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
|
||||||
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
|
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
|
||||||
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
|
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
|
||||||
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
|
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
|
||||||
@ -119,80 +119,120 @@ The program can run using just one argument, the URL of the repo:
|
|||||||
|
|
||||||
```shell
|
```shell
|
||||||
$ go get github.com/ossf/scorecard/v2
|
$ go get github.com/ossf/scorecard/v2
|
||||||
$ scorecard --repo=github.com/kubernetes/kubernetes
|
$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
|
||||||
Starting [Automatic-Dependency-Update]
|
Starting [CII-Best-Practices]
|
||||||
Starting [Frozen-Deps]
|
|
||||||
Starting [Fuzzing]
|
Starting [Fuzzing]
|
||||||
Starting [Pull-Requests]
|
Starting [Pinned-Dependencies]
|
||||||
Starting [Branch-Protection]
|
Starting [CI-Tests]
|
||||||
Starting [Code-Review]
|
Starting [Maintained]
|
||||||
Starting [SAST]
|
|
||||||
Starting [Contributors]
|
|
||||||
Starting [Signed-Releases]
|
|
||||||
Starting [Packaging]
|
Starting [Packaging]
|
||||||
|
Starting [SAST]
|
||||||
|
Starting [Dependency-Update-Tool]
|
||||||
Starting [Token-Permissions]
|
Starting [Token-Permissions]
|
||||||
Starting [Security-Policy]
|
Starting [Security-Policy]
|
||||||
Starting [Active]
|
Starting [Signed-Releases]
|
||||||
Starting [Binary-Artifacts]
|
Starting [Binary-Artifacts]
|
||||||
Starting [CI-Tests]
|
Starting [Branch-Protection]
|
||||||
Starting [CII-Best-Practices]
|
Starting [Code-Review]
|
||||||
|
Starting [Contributors]
|
||||||
Finished [Contributors]
|
Starting [Vulnerabilities]
|
||||||
Finished [Signed-Releases]
|
|
||||||
Finished [Active]
|
|
||||||
Finished [Binary-Artifacts]
|
|
||||||
Finished [CI-Tests]
|
Finished [CI-Tests]
|
||||||
Finished [CII-Best-Practices]
|
Finished [Maintained]
|
||||||
Finished [Packaging]
|
Finished [Packaging]
|
||||||
Finished [Token-Permissions]
|
Finished [SAST]
|
||||||
Finished [Security-Policy]
|
Finished [Signed-Releases]
|
||||||
Finished [Automatic-Dependency-Update]
|
Finished [Binary-Artifacts]
|
||||||
Finished [Frozen-Deps]
|
|
||||||
Finished [Fuzzing]
|
|
||||||
Finished [Pull-Requests]
|
|
||||||
Finished [Branch-Protection]
|
Finished [Branch-Protection]
|
||||||
Finished [Code-Review]
|
Finished [Code-Review]
|
||||||
Finished [SAST]
|
Finished [Contributors]
|
||||||
|
Finished [Dependency-Update-Tool]
|
||||||
|
Finished [Token-Permissions]
|
||||||
|
Finished [Security-Policy]
|
||||||
|
Finished [Vulnerabilities]
|
||||||
|
Finished [CII-Best-Practices]
|
||||||
|
Finished [Fuzzing]
|
||||||
|
Finished [Pinned-Dependencies]
|
||||||
|
|
||||||
RESULTS
|
RESULTS
|
||||||
-------
|
-------
|
||||||
Repo: github.com/kubernetes/kubernetes
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Active: Pass 10
|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|
||||||
Automatic-Dependency-Update: Fail 3
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Binary-Artifacts: Pass 10
|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts |
|
||||||
Branch-Protection: Fail 0
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
CI-Tests: Pass 10
|
| 9 / 10 | Branch-Protection | branch protection is not | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
|
||||||
CII-Best-Practices: Pass 10
|
| | | maximal on development and all | |
|
||||||
Code-Review: Pass 10
|
| | | release branches | |
|
||||||
Contributors: Pass 10
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Frozen-Deps: Fail 10
|
| ? | CI-Tests | no pull request found | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests |
|
||||||
Fuzzing: Pass 10
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Packaging: Fail 0
|
| 0 / 10 | CII-Best-Practices | no badge found | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices |
|
||||||
Pull-Requests: Pass 10
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
SAST: Fail 10
|
| 10 / 10 | Code-Review | branch protection for default | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review |
|
||||||
Security-Policy: Fail 5
|
| | | branch is enabled | |
|
||||||
Signed-Releases: Fail 10
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Token-Permissions: Pass 10
|
| 0 / 10 | Contributors | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors |
|
||||||
|
| | | score normalized to 0 | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 0 / 10 | Fuzzing | project is not fuzzed in | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing |
|
||||||
|
| | | OSS-Fuzz | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 1 / 10 | Maintained | 2 commit(s) found in the last | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
|
||||||
|
| | | 90 days -- score normalized to | |
|
||||||
|
| | | 1 | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| ? | Packaging | no published package detected | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 8 / 10 | Pinned-Dependencies | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |
|
||||||
|
| | | -- score normalized to 8 | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 0 / 10 | SAST | no SAST tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#sast |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 0 / 10 | Security-Policy | security policy file not | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy |
|
||||||
|
| | | detected | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| ? | Signed-Releases | no releases found | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 10 / 10 | Token-Permissions | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions |
|
||||||
|
| | | workflows | |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
|
||||||
|
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
```
|
```
|
||||||
|
|
||||||
For more details why a check fails, use the `--show-details` option:
|
For more details why a check fails, use the `--show-details` option:
|
||||||
|
|
||||||
```
|
```
|
||||||
./scorecard --repo=github.com/kubernetes/kubernetes --checks Frozen-Deps --show-details
|
./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
|
||||||
Starting [Frozen-Deps]
|
Starting [Pinned-Dependencies]
|
||||||
Finished [Frozen-Deps]
|
Finished [Pinned-Dependencies]
|
||||||
|
|
||||||
## RESULTS
|
RESULTS
|
||||||
|
-------
|
||||||
Repo: github.com/kubernetes/kubernetes
|
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
Frozen-Deps: Fail 10
|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|
||||||
...
|
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
!! frozen-deps/docker - cluster/addons/fluentd-elasticsearch/es-image/Dockerfile has non-pinned dependency 'golang:1.16.5'
|
| 9 / 10 | Branch-Protection | branch protection is not | Info: 'force pushes' disabled | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
|
||||||
...
|
| | | maximal on development and all | on branch 'main' Info: 'allow | |
|
||||||
!! frozen-deps/fetch-execute - cluster/gce/util.sh is fetching and executing non-pinned program 'curl https://sdk.cloud.google.com | bash'
|
| | | release branches | deletion' disabled on branch | |
|
||||||
...
|
| | | | 'main' Info: linear history | |
|
||||||
!! frozen-deps/fetch-execute - hack/jenkins/benchmark-dockerized.sh is fetching an non-pinned dependency 'GO111MODULE=on go install github.com/cespare/prettybench'
|
| | | | enabled on branch 'main' Info: | |
|
||||||
...
|
| | | | strict status check enabled | |
|
||||||
|
| | | | on branch 'main' Warn: status | |
|
||||||
|
| | | | checks for merging have no | |
|
||||||
|
| | | | specific status to check on | |
|
||||||
|
| | | | branch 'main' Info: number | |
|
||||||
|
| | | | of required reviewers is 2 | |
|
||||||
|
| | | | on branch 'main' Info: Stale | |
|
||||||
|
| | | | review dismissal enabled on | |
|
||||||
|
| | | | branch 'main' Info: Owner | |
|
||||||
|
| | | | review required on branch | |
|
||||||
|
| | | | 'main' Info: 'admininistrator' | |
|
||||||
|
| | | | PRs need reviews before being | |
|
||||||
|
| | | | merged on branch 'main' | |
|
||||||
|
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Using a Package manager
|
### Using a Package manager
|
||||||
@ -211,7 +251,7 @@ Starting [CI-Tests]
|
|||||||
Starting [CII-Best-Practices]
|
Starting [CII-Best-Practices]
|
||||||
Starting [Code-Review]
|
Starting [Code-Review]
|
||||||
Starting [Contributors]
|
Starting [Contributors]
|
||||||
Starting [Frozen-Deps]
|
Starting [Pinned-Dependencies]
|
||||||
Starting [Fuzzing]
|
Starting [Fuzzing]
|
||||||
Starting [Packaging]
|
Starting [Packaging]
|
||||||
Starting [Pull-Requests]
|
Starting [Pull-Requests]
|
||||||
@ -227,7 +267,7 @@ Finished [Packaging]
|
|||||||
Finished [SAST]
|
Finished [SAST]
|
||||||
Finished [Code-Review]
|
Finished [Code-Review]
|
||||||
Finished [Branch-Protection]
|
Finished [Branch-Protection]
|
||||||
Finished [Frozen-Deps]
|
Finished [Pinned-Dependencies]
|
||||||
Finished [Active]
|
Finished [Active]
|
||||||
Finished [Pull-Requests]
|
Finished [Pull-Requests]
|
||||||
Finished [Contributors]
|
Finished [Contributors]
|
||||||
@ -240,7 +280,7 @@ CI-Tests: Pass 10
|
|||||||
CII-Best-Practices: Fail 10
|
CII-Best-Practices: Fail 10
|
||||||
Code-Review: Pass 10
|
Code-Review: Pass 10
|
||||||
Contributors: Pass 10
|
Contributors: Pass 10
|
||||||
Frozen-Deps: Fail 0
|
Pinned-Dependencies: Fail 0
|
||||||
Fuzzing: Fail 10
|
Fuzzing: Fail 10
|
||||||
Packaging: Fail 0
|
Packaging: Fail 0
|
||||||
Pull-Requests: Fail 9
|
Pull-Requests: Fail 9
|
||||||
@ -307,27 +347,7 @@ on other source control systems.
|
|||||||
|
|
||||||
## Adding a Scorecard Check
|
## Adding a Scorecard Check
|
||||||
|
|
||||||
If you'd like to add a check, make sure it is something that meets the following
|
If you'd like to add a check, please see guidance [here](checks/write.md)
|
||||||
criteria and then create a new GitHub Issue:
|
|
||||||
|
|
||||||
- The scorecard must only be composed of automate-able, objective data. For
|
|
||||||
example, a project having 10 contributors doesn’t necessarily mean it’s more
|
|
||||||
secure than a project with say 50 contributors. But, having two maintainers
|
|
||||||
might be preferable to only having one - the larger bus factor and ability
|
|
||||||
to provide code reviews is objectively better.
|
|
||||||
- The scorecard criteria can be as specific as possible and not limited
|
|
||||||
general recommendations. For example, for Go, we can recommend/require
|
|
||||||
specific linters and analyzers to be run on the codebase.
|
|
||||||
- The scorecard can be populated for any open source project without any work
|
|
||||||
or interaction from maintainers.
|
|
||||||
- Maintainers must be provided with a mechanism to correct any automated
|
|
||||||
scorecard findings they feel were made in error, provide "hints" for
|
|
||||||
anything we can't detect automatically, and even dispute the applicability
|
|
||||||
of a given scorecard finding for that repository.
|
|
||||||
- Any criteria in the scorecard must be actionable. It should be possible,
|
|
||||||
with help, for any project to "check all the boxes".
|
|
||||||
- Any solution to compile a scorecard should be usable by the greater open
|
|
||||||
source community to monitor upstream security.
|
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
|
@ -25,11 +25,11 @@ const CheckDependencyUpdateTool = "Dependency-Update-Tool"
|
|||||||
|
|
||||||
//nolint
|
//nolint
|
||||||
func init() {
|
func init() {
|
||||||
registerCheck(CheckDependencyUpdateTool, AutomaticDependencyUpdate)
|
registerCheck(CheckDependencyUpdateTool, UsesDependencyUpdateTool)
|
||||||
}
|
}
|
||||||
|
|
||||||
// AutomaticDependencyUpdate will check the repository if it contains Automatic dependency update.
|
// UsesDependencyUpdateTool will check the repository uses a dependency update tool.
|
||||||
func AutomaticDependencyUpdate(c *checker.CheckRequest) checker.CheckResult {
|
func UsesDependencyUpdateTool(c *checker.CheckRequest) checker.CheckResult {
|
||||||
var r bool
|
var r bool
|
||||||
err := CheckIfFileExists(CheckDependencyUpdateTool, c, fileExists, &r)
|
err := CheckIfFileExists(CheckDependencyUpdateTool, c, fileExists, &r)
|
||||||
if err != nil {
|
if err != nil {
|
@ -23,37 +23,37 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// CheckActive is the exported check name for Active.
|
// CheckMaintained is the exported check name for Maintained.
|
||||||
CheckActive = "Active"
|
CheckMaintained = "Maintained"
|
||||||
lookBackDays = 90
|
lookBackDays = 90
|
||||||
commitsPerWeek = 1
|
commitsPerWeek = 1
|
||||||
daysInOneWeek = 7
|
daysInOneWeek = 7
|
||||||
)
|
)
|
||||||
|
|
||||||
//nolint:gochecknoinits
|
//nolint:gochecknoinits
|
||||||
func init() {
|
func init() {
|
||||||
registerCheck(CheckActive, IsActive)
|
registerCheck(CheckMaintained, IsMaintained)
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsActive runs Active check.
|
// IsMaintained runs Maintained check.
|
||||||
func IsActive(c *checker.CheckRequest) checker.CheckResult {
|
func IsMaintained(c *checker.CheckRequest) checker.CheckResult {
|
||||||
archived, err := c.RepoClient.IsArchived()
|
archived, err := c.RepoClient.IsArchived()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return checker.CreateRuntimeErrorResult(CheckActive, err)
|
return checker.CreateRuntimeErrorResult(CheckMaintained, err)
|
||||||
}
|
}
|
||||||
if archived {
|
if archived {
|
||||||
return checker.CreateMinScoreResult(CheckActive, "repo is marked as archived")
|
return checker.CreateMinScoreResult(CheckMaintained, "repo is marked as archived")
|
||||||
}
|
}
|
||||||
|
|
||||||
commits, err := c.RepoClient.ListCommits()
|
commits, err := c.RepoClient.ListCommits()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return checker.CreateRuntimeErrorResult(CheckActive, err)
|
return checker.CreateRuntimeErrorResult(CheckMaintained, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
tz, err := time.LoadLocation("UTC")
|
tz, err := time.LoadLocation("UTC")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
e := sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("time.LoadLocation: %v", err))
|
e := sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("time.LoadLocation: %v", err))
|
||||||
return checker.CreateRuntimeErrorResult(CheckActive, e)
|
return checker.CreateRuntimeErrorResult(CheckMaintained, e)
|
||||||
}
|
}
|
||||||
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookBackDays)
|
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookBackDays)
|
||||||
totalCommits := 0
|
totalCommits := 0
|
||||||
@ -62,7 +62,7 @@ func IsActive(c *checker.CheckRequest) checker.CheckResult {
|
|||||||
totalCommits++
|
totalCommits++
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return checker.CreateProportionalScoreResult(CheckActive,
|
return checker.CreateProportionalScoreResult(CheckMaintained,
|
||||||
fmt.Sprintf("%d commit(s) found in the last %d days", totalCommits, lookBackDays),
|
fmt.Sprintf("%d commit(s) found in the last %d days", totalCommits, lookBackDays),
|
||||||
totalCommits, commitsPerWeek*lookBackDays/daysInOneWeek)
|
totalCommits, commitsPerWeek*lookBackDays/daysInOneWeek)
|
||||||
}
|
}
|
@ -1,3 +1,27 @@
|
|||||||
|
# Requirements for a check
|
||||||
|
|
||||||
|
If you'd like to add a check, make sure it is something that meets the following
|
||||||
|
criteria and then create a new GitHub Issue to discuss with the team:
|
||||||
|
|
||||||
|
- The scorecard must only be composed of automate-able, objective data. For
|
||||||
|
example, a project having 10 contributors doesn’t necessarily mean it’s more
|
||||||
|
secure than a project with say 50 contributors. But, having two maintainers
|
||||||
|
might be preferable to only having one - the larger bus factor and ability
|
||||||
|
to provide code reviews is objectively better.
|
||||||
|
- The scorecard criteria can be as specific as possible and not limited
|
||||||
|
general recommendations. For example, for Go, we can recommend/require
|
||||||
|
specific linters and analyzers to be run on the codebase.
|
||||||
|
- The scorecard can be populated for any open source project without any work
|
||||||
|
or interaction from maintainers.
|
||||||
|
- Maintainers must be provided with a mechanism to correct any automated
|
||||||
|
scorecard findings they feel were made in error, provide "hints" for
|
||||||
|
anything we can't detect automatically, and even dispute the applicability
|
||||||
|
of a given scorecard finding for that repository.
|
||||||
|
- Any criteria in the scorecard must be actionable. It should be possible,
|
||||||
|
with help, for any project to "check all the boxes".
|
||||||
|
- Any solution to compile a scorecard should be usable by the greater open
|
||||||
|
source community to monitor upstream security.
|
||||||
|
|
||||||
# How to write a check
|
# How to write a check
|
||||||
|
|
||||||
The steps to writting a check are as follow:
|
The steps to writting a check are as follow:
|
||||||
@ -25,6 +49,8 @@ The steps to writting a check are as follow:
|
|||||||
* Use `checker.DetailLogger.Debug()` to provide detail in verbose mode:
|
* Use `checker.DetailLogger.Debug()` to provide detail in verbose mode:
|
||||||
this is showed only when the user supplies the `--verbosity Debug`
|
this is showed only when the user supplies the `--verbosity Debug`
|
||||||
option.
|
option.
|
||||||
|
* If your message relates to a file, try to provide information such as
|
||||||
|
the `Path`, line number `Offset` and `Snippet`.
|
||||||
|
|
||||||
4. If the checks fails in a way that is irrecoverable, return a result with
|
4. If the checks fails in a way that is irrecoverable, return a result with
|
||||||
`checker.CreateRuntimeErrorResult()` function: For example, if an error is
|
`checker.CreateRuntimeErrorResult()` function: For example, if an error is
|
||||||
|
@ -13,7 +13,7 @@ please contribute!
|
|||||||
|
|
||||||
This check tries to determine if the project is "actively maintained".
|
This check tries to determine if the project is "actively maintained".
|
||||||
A project which is not active may not be patched, may not have its dependencies patched, or may not be actively tested and used. A low score is therefore considered `High` risk.
|
A project which is not active may not be patched, may not have its dependencies patched, or may not be actively tested and used. A low score is therefore considered `High` risk.
|
||||||
The check currently works by looking for commits within the last 90 days, and outputs the highest score if there are at least 1 commit/week during this period.
|
The check currently works by looking whether the repo is archived or not. If it is archived, it returns the minimum score. If it is not, the check looks for commits within the last 90 days, and outputs the highest score if there are at least 1 commit/week during this period.
|
||||||
|
|
||||||
**Remediation steps**
|
**Remediation steps**
|
||||||
- There is *NO* remediation work needed here. This is just to indicate your project activity and maintenance commitment.
|
- There is *NO* remediation work needed here. This is just to indicate your project activity and maintenance commitment.
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
# This is the source of truth for all check descriptions and remediation steps.
|
# This is the source of truth for all check descriptions and remediation steps.
|
||||||
# Run `cd checks/main && go run /main` to generate `checks.json` and `checks.md`.
|
# Run `cd checks/main && go run /main` to generate `checks.json` and `checks.md`.
|
||||||
checks:
|
checks:
|
||||||
Active:
|
Maintained:
|
||||||
risk: High
|
risk: High
|
||||||
tags: supply-chain, security
|
tags: supply-chain, security
|
||||||
short: Determines if the project is "actively maintained".
|
short: Determines if the project is "actively maintained".
|
||||||
@ -26,7 +26,9 @@ checks:
|
|||||||
dependencies patched, or may not be actively tested and used.
|
dependencies patched, or may not be actively tested and used.
|
||||||
A low score is therefore considered `High` risk.
|
A low score is therefore considered `High` risk.
|
||||||
|
|
||||||
The check currently works by looking for commits within the last 90 days, and
|
The check currently works by looking whether the repo is archived or not.
|
||||||
|
If it is archived, it returns the minimum score. If it is not,
|
||||||
|
the check looks for commits within the last 90 days, and
|
||||||
outputs the highest score if there are at least 1 commit/week during this period.
|
outputs the highest score if there are at least 1 commit/week during this period.
|
||||||
remediation:
|
remediation:
|
||||||
- >-
|
- >-
|
||||||
|
@ -29,9 +29,9 @@ import (
|
|||||||
|
|
||||||
// TODO: use dedicated repo that don't change.
|
// TODO: use dedicated repo that don't change.
|
||||||
// TODO: need negative results.
|
// TODO: need negative results.
|
||||||
var _ = Describe("E2E TEST:Automatic-Dependency-Update", func() {
|
var _ = Describe("E2E TEST:"+checks.CheckDependencyUpdateTool, func() {
|
||||||
Context("E2E TEST:Validating dependencies are automatically updated", func() {
|
Context("E2E TEST:Validating dependencies are updated with a tool", func() {
|
||||||
It("Should return deps are automatically updated for dependabot", func() {
|
It("Should return repo uses dependabot", func() {
|
||||||
dl := scut.TestDetailLogger{}
|
dl := scut.TestDetailLogger{}
|
||||||
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
||||||
err := repoClient.InitRepo("ossf", "scorecard")
|
err := repoClient.InitRepo("ossf", "scorecard")
|
||||||
@ -54,7 +54,7 @@ var _ = Describe("E2E TEST:Automatic-Dependency-Update", func() {
|
|||||||
NumberOfDebug: 0,
|
NumberOfDebug: 0,
|
||||||
}
|
}
|
||||||
|
|
||||||
result := checks.AutomaticDependencyUpdate(&req)
|
result := checks.UsesDependencyUpdateTool(&req)
|
||||||
// UPGRADEv2: to remove.
|
// UPGRADEv2: to remove.
|
||||||
// Old version.
|
// Old version.
|
||||||
Expect(result.Error).Should(BeNil())
|
Expect(result.Error).Should(BeNil())
|
||||||
@ -62,7 +62,7 @@ var _ = Describe("E2E TEST:Automatic-Dependency-Update", func() {
|
|||||||
// New version.
|
// New version.
|
||||||
Expect(scut.ValidateTestReturn(nil, "dependabot", &expected, &result, &dl)).Should(BeTrue())
|
Expect(scut.ValidateTestReturn(nil, "dependabot", &expected, &result, &dl)).Should(BeTrue())
|
||||||
})
|
})
|
||||||
It("Should return deps are automatically updated for renovatebot", func() {
|
It("Should return repo uses renovatebot", func() {
|
||||||
dl := scut.TestDetailLogger{}
|
dl := scut.TestDetailLogger{}
|
||||||
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
||||||
err := repoClient.InitRepo("netlify", "netlify-cms")
|
err := repoClient.InitRepo("netlify", "netlify-cms")
|
||||||
@ -84,7 +84,7 @@ var _ = Describe("E2E TEST:Automatic-Dependency-Update", func() {
|
|||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 0,
|
NumberOfDebug: 0,
|
||||||
}
|
}
|
||||||
result := checks.AutomaticDependencyUpdate(&req)
|
result := checks.UsesDependencyUpdateTool(&req)
|
||||||
// UPGRADEv2: to remove.
|
// UPGRADEv2: to remove.
|
||||||
// Old version.
|
// Old version.
|
||||||
Expect(result.Error).Should(BeNil())
|
Expect(result.Error).Should(BeNil())
|
@ -52,7 +52,9 @@ var _ = Describe("E2E TEST:executable", func() {
|
|||||||
|
|
||||||
for _, c := range data.Checks {
|
for _, c := range data.Checks {
|
||||||
switch c.CheckName {
|
switch c.CheckName {
|
||||||
case checks.CheckActive:
|
case checks.CheckMaintained:
|
||||||
|
Expect(c.Pass).Should(BeTrue(), c.CheckName)
|
||||||
|
case checks.CheckDependencyUpdateTool:
|
||||||
Expect(c.Pass).Should(BeTrue(), c.CheckName)
|
Expect(c.Pass).Should(BeTrue(), c.CheckName)
|
||||||
case checks.CheckBranchProtection:
|
case checks.CheckBranchProtection:
|
||||||
Expect(c.Pass).Should(BeTrue(), c.CheckName)
|
Expect(c.Pass).Should(BeTrue(), c.CheckName)
|
||||||
|
@ -27,9 +27,9 @@ import (
|
|||||||
scut "github.com/ossf/scorecard/v2/utests"
|
scut "github.com/ossf/scorecard/v2/utests"
|
||||||
)
|
)
|
||||||
|
|
||||||
var _ = Describe("E2E TEST:Active", func() {
|
var _ = Describe("E2E TEST:"+checks.CheckMaintained, func() {
|
||||||
Context("E2E TEST:Validating active status", func() {
|
Context("E2E TEST:Validating maintained status", func() {
|
||||||
It("Should return valid active status", func() {
|
It("Should return valid maintained status", func() {
|
||||||
dl := scut.TestDetailLogger{}
|
dl := scut.TestDetailLogger{}
|
||||||
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), ghClient, graphClient)
|
||||||
err := repoClient.InitRepo("apache", "airflow")
|
err := repoClient.InitRepo("apache", "airflow")
|
||||||
@ -51,7 +51,7 @@ var _ = Describe("E2E TEST:Active", func() {
|
|||||||
NumberOfInfo: 0,
|
NumberOfInfo: 0,
|
||||||
NumberOfDebug: 0,
|
NumberOfDebug: 0,
|
||||||
}
|
}
|
||||||
result := checks.IsActive(&req)
|
result := checks.IsMaintained(&req)
|
||||||
// UPGRADEv2: to remove.
|
// UPGRADEv2: to remove.
|
||||||
// Old version.
|
// Old version.
|
||||||
Expect(result.Error).Should(BeNil())
|
Expect(result.Error).Should(BeNil())
|
@ -87,12 +87,12 @@ func (r *ScorecardResult) AsString(showDetails bool, logLevel zapcore.Level, wri
|
|||||||
if row.Score == checker.InconclusiveResultScore {
|
if row.Score == checker.InconclusiveResultScore {
|
||||||
x[0] = "?"
|
x[0] = "?"
|
||||||
} else {
|
} else {
|
||||||
x[0] = fmt.Sprintf("%d", row.Score)
|
x[0] = fmt.Sprintf("%d / %d", row.Score, checker.MaxResultScore)
|
||||||
}
|
}
|
||||||
|
|
||||||
doc := fmt.Sprintf("github.com/ossf/scorecard/blob/main/docs/checks.md#%s", strings.ToLower(row.Name))
|
doc := fmt.Sprintf("github.com/ossf/scorecard/blob/main/docs/checks.md#%s", strings.ToLower(row.Name))
|
||||||
x[1] = row.Reason
|
x[1] = row.Name
|
||||||
x[2] = row.Name
|
x[2] = row.Reason
|
||||||
if showDetails {
|
if showDetails {
|
||||||
details, show := detailsToString(row.Details2, logLevel)
|
details, show := detailsToString(row.Details2, logLevel)
|
||||||
if show {
|
if show {
|
||||||
@ -107,7 +107,7 @@ func (r *ScorecardResult) AsString(showDetails bool, logLevel zapcore.Level, wri
|
|||||||
}
|
}
|
||||||
|
|
||||||
table := tablewriter.NewWriter(os.Stdout)
|
table := tablewriter.NewWriter(os.Stdout)
|
||||||
header := []string{"Score", "Reason", "Name"}
|
header := []string{"Score", "Name", "Reason"}
|
||||||
if showDetails {
|
if showDetails {
|
||||||
header = append(header, "Details")
|
header = append(header, "Details")
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user