ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-08-15 19:30:40 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

⚠️ Replace Positive and Negative outcomes with True and False (#4017)

Browse Source 
* rename positive to true

Signed-off-by: Spencer Schrock <sschrock@google.com>

* rename negative to false

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
This commit is contained in:
Spencer Schrock 2024-04-08 15:36:11 -07:00 committed by GitHub
parent ba4fb1b94b
commit b577d79c96
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
168 changed files with 1100 additions and 1098 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
checker/check_result.go
View File

@ -248,11 +248,11 @@ func LogFindings(findings []finding.Finding, dl DetailLogger) {
for i := range findings {
f := &findings[i]
switch f.Outcome {
case finding.OutcomeNegative:
case finding.OutcomeFalse:
dl.Warn(&LogMessage{
Finding: f,
})
case finding.OutcomePositive:
case finding.OutcomeTrue:
dl.Info(&LogMessage{
Finding: f,
})

6
checks/evaluation/binary_artifacts.go
View File

@ -35,13 +35,13 @@ func BinaryArtifacts(name string,
return checker.CreateRuntimeErrorResult(name, e)
}
if findings[0].Outcome == finding.OutcomePositive {
if findings[0].Outcome == finding.OutcomeTrue {
return checker.CreateMaxScoreResult(name, "no binaries found in the repo")
}
for i := range findings {
f := &findings[i]
if f.Outcome != finding.OutcomeNegative {
if f.Outcome != finding.OutcomeFalse {
continue
}
dl.Warn(&checker.LogMessage{
@ -52,7 +52,7 @@ func BinaryArtifacts(name string,
})
}
// There are only negative findings.
// There are only false findings.
// Deduct the number of findings from max score
numberOfBinaryFilesFound := len(findings)

46
checks/evaluation/binary_artifacts_test.go
View File

@ -27,9 +27,9 @@ import (
func TestBinaryArtifacts(t *testing.T) {
t.Parallel()
lineStart := uint(123)
negativeFinding := finding.Finding{
falseFinding := finding.Finding{
Probe: "freeOfUnverifiedBinaryArtifacts",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Path: "path",
@ -48,7 +48,7 @@ func TestBinaryArtifacts(t *testing.T) {
findings: []finding.Finding{
{
Probe: "freeOfUnverifiedBinaryArtifacts",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -58,7 +58,7 @@ func TestBinaryArtifacts(t *testing.T) {
{
name: "one binary artifact",
findings: []finding.Finding{
negativeFinding,
falseFinding,
},
result: scut.TestReturn{
Score: 9,
@ -70,7 +70,7 @@ func TestBinaryArtifacts(t *testing.T) {
findings: []finding.Finding{
{
Probe: "freeOfUnverifiedBinaryArtifacts",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Path: "path",
Type: finding.FileTypeBinary,
@ -79,7 +79,7 @@ func TestBinaryArtifacts(t *testing.T) {
},
{
Probe: "freeOfUnverifiedBinaryArtifacts",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Path: "path",
Type: finding.FileTypeBinary,
@ -95,11 +95,11 @@ func TestBinaryArtifacts(t *testing.T) {
{
name: "five binary artifact",
findings: []finding.Finding{
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
},
result: scut.TestReturn{
Score: 5,
@ -109,18 +109,18 @@ func TestBinaryArtifacts(t *testing.T) {
{
name: "twelve binary artifact - ensure score doesn't drop below min",
findings: []finding.Finding{
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
negativeFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
falseFinding,
},
result: scut.TestReturn{
Score: checker.MinResultScore,

30
checks/evaluation/branch_protection.go
View File

@ -119,12 +119,12 @@ func BranchProtection(name string,
e := sce.WithMessage(sce.ErrScorecardInternal, "probe is missing branch name")
return checker.CreateRuntimeErrorResult(name, e)
// Now we can check whether the branch is protected:
case f.Outcome == finding.OutcomeNegative:
case f.Outcome == finding.OutcomeFalse:
protectedBranches[branchName] = false
dl.Warn(&checker.LogMessage{
Text: fmt.Sprintf("branch protection not enabled for branch '%s'", branchName),
})
case f.Outcome == finding.OutcomePositive:
case f.Outcome == finding.OutcomeTrue:
protectedBranches[branchName] = true
default:
continue
@ -177,7 +177,7 @@ func BranchProtection(name string,
reviewerWeight := 2
max = reviewerWeight
noOfRequiredReviewers, _ := strconv.Atoi(f.Values["numberOfRequiredReviewers"]) //nolint:errcheck
if f.Outcome == finding.OutcomePositive && noOfRequiredReviewers > 0 {
if f.Outcome == finding.OutcomeTrue && noOfRequiredReviewers > 0 {
branchScores[branchName].scores.review += reviewerWeight
}
branchScores[branchName].maxes.review += max
@ -259,9 +259,9 @@ func logWithDebug(f *finding.Finding, doLogging bool, dl checker.DetailLogger) {
switch f.Outcome {
case finding.OutcomeNotAvailable:
debug(dl, doLogging, f.Message)
case finding.OutcomePositive:
case finding.OutcomeTrue:
info(dl, doLogging, f.Message)
case finding.OutcomeNegative:
case finding.OutcomeFalse:
warn(dl, doLogging, f.Message)
default:
// To satisfy linter
@ -270,9 +270,9 @@ func logWithDebug(f *finding.Finding, doLogging bool, dl checker.DetailLogger) {
func logWithoutDebug(f *finding.Finding, doLogging bool, dl checker.DetailLogger) {
switch f.Outcome {
case finding.OutcomePositive:
case finding.OutcomeTrue:
info(dl, doLogging, f.Message)
case finding.OutcomeNegative:
case finding.OutcomeFalse:
warn(dl, doLogging, f.Message)
default:
// To satisfy linter
@ -281,7 +281,7 @@ func logWithoutDebug(f *finding.Finding, doLogging bool, dl checker.DetailLogger
func logInfoOrWarn(f *finding.Finding, doLogging bool, dl checker.DetailLogger) {
switch f.Outcome {
case finding.OutcomePositive:
case finding.OutcomeTrue:
info(dl, doLogging, f.Message)
default:
warn(dl, doLogging, f.Message)
@ -384,7 +384,7 @@ func warn(dl checker.DetailLogger, doLogging bool, desc string, args ...interfac
func deleteAndForcePushProtection(f *finding.Finding, doLogging bool, dl checker.DetailLogger) (int, int) {
var score, max int
logWithoutDebug(f, doLogging, dl)
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
score++
}
max++
@ -395,7 +395,7 @@ func deleteAndForcePushProtection(f *finding.Finding, doLogging bool, dl checker
func nonAdminContextProtection(f *finding.Finding, doLogging bool, dl checker.DetailLogger) (int, int) {
var score, max int
logInfoOrWarn(f, doLogging, dl)
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
score++
}
max++
@ -404,7 +404,7 @@ func nonAdminContextProtection(f *finding.Finding, doLogging bool, dl checker.De
func adminReviewProtection(f *finding.Finding, doLogging bool, dl checker.DetailLogger) (int, int) {
var score, max int
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
score++
}
logWithDebug(f, doLogging, dl)
@ -418,7 +418,7 @@ func adminThoroughReviewProtection(f *finding.Finding, doLogging bool, dl checke
var score, max int
logWithDebug(f, doLogging, dl)
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
score++
}
if f.Outcome != finding.OutcomeNotAvailable {
@ -429,7 +429,7 @@ func adminThoroughReviewProtection(f *finding.Finding, doLogging bool, dl checke
func nonAdminThoroughReviewProtection(f *finding.Finding, doLogging bool, dl checker.DetailLogger) (int, int) {
var score, max int
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
noOfRequiredReviews, _ := strconv.Atoi(f.Values["numberOfRequiredReviewers"]) //nolint:errcheck
if noOfRequiredReviews >= minReviews {
info(dl, doLogging, f.Message)
@ -437,7 +437,7 @@ func nonAdminThoroughReviewProtection(f *finding.Finding, doLogging bool, dl che
} else {
warn(dl, doLogging, f.Message)
}
} else if f.Outcome == finding.OutcomeNegative {
} else if f.Outcome == finding.OutcomeFalse {
warn(dl, doLogging, f.Message)
}
max++
@ -446,7 +446,7 @@ func nonAdminThoroughReviewProtection(f *finding.Finding, doLogging bool, dl che
func codeownerBranchProtection(f *finding.Finding, doLogging bool, dl checker.DetailLogger) (int, int) {
var score, max int
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
info(dl, doLogging, f.Message)
score++
} else {

290
checks/evaluation/branch_protection_test.go
View File

@ -46,20 +46,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Branch name is an empty string which is not allowed and will error",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, emptyBranchName, finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, emptyBranchName, finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, emptyBranchName, finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, emptyBranchName, finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, emptyBranchName, finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, emptyBranchName, finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, emptyBranchName, finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, emptyBranchName, finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, emptyBranchName, finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, emptyBranchName, finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, emptyBranchName, finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, emptyBranchName, finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, emptyBranchName, finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, emptyBranchName, finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, emptyBranchName, finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, emptyBranchName, finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, emptyBranchName, finding.OutcomeTrue),
},
result: scut.TestReturn{
Error: sce.ErrScorecardInternal,
@ -69,20 +69,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Required status check enabled",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 4,
@ -93,20 +93,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Required status check enabled without checking for status string",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 4,
@ -117,20 +117,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Admin run only preventing force pushes and deletions",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNotAvailable),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 3,
@ -142,20 +142,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Admin run with all tier 2 requirements except require PRs and reviewers",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNotAvailable),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomePositive),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 4,
@ -167,20 +167,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Admin run on project requiring pull requests but without approver -- best a single maintainer can do",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeTrue),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomePositive),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomePositive),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 4,
@ -191,20 +191,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Admin run on project with all tier 2 requirements",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeTrue),
requiresApproversForPullRequests.RequiredReviewersKey, "1",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomePositive),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 6,
@ -215,9 +215,9 @@ func TestBranchProtection(t *testing.T) {
{
name: "Non-admin run on project that require zero reviewer (or don't require PRs at all, we can't differentiate it)",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
withValue(
@ -240,20 +240,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Non-admin run on project that require 1 reviewer",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeTrue),
requiresApproversForPullRequests.RequiredReviewersKey, "1",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 6,
@ -265,20 +265,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Required admin enforcement enabled",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 3,
@ -289,20 +289,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Required linear history enabled",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 3,
@ -313,20 +313,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Allow force push enabled",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 1,
@ -337,20 +337,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Allow deletions enabled",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeFalse),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeFalse),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeFalse),
requiresApproversForPullRequests.RequiredReviewersKey, "0",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeFalse),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeFalse),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 1,
@ -361,20 +361,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Branches are protected",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeTrue),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeTrue),
requiresApproversForPullRequests.RequiredReviewersKey, "1",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomePositive),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomePositive),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 8,
@ -385,20 +385,20 @@ func TestBranchProtection(t *testing.T) {
{
name: "Branches are protected and require codeowner review",
findings: []finding.Finding{
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomePositive),
branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(branchesAreProtected.Probe, "main", finding.OutcomeTrue),
branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeTrue),
branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeTrue),
withValue(
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeTrue),
requiresApproversForPullRequests.RequiredReviewersKey, "1",
),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomePositive),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomePositive),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeTrue),
branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeTrue),
branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 8,

4
checks/evaluation/ci_tests.go
View File

@ -40,7 +40,7 @@ func CITests(name string,
// Debug PRs that were merged without CI tests
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative || f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeFalse || f.Outcome == finding.OutcomeTrue {
dl.Debug(&checker.LogMessage{
Text: f.Message,
})
@ -70,7 +70,7 @@ func getMergedAndTested(findings []finding.Finding) (int, int) {
for i := range findings {
f := &findings[i]
totalMerged++
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
totalTested++
}
}

16
checks/evaluation/ci_tests_test.go
View File

@ -33,7 +33,7 @@ func TestCITests(t *testing.T) {
name: "Has CI tests. 1 tested out of 1 merged",
findings: []finding.Finding{
{
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Probe: "testsRunInCI",
Message: "CI test found: pr: 1, context: e2e",
Location: &finding.Location{Type: 4},
@ -48,25 +48,25 @@ func TestCITests(t *testing.T) {
name: "Has CI tests. 3 tested out of 4 merged",
findings: []finding.Finding{
{
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Probe: "testsRunInCI",
Message: "CI test found: pr: 1, context: e2e",
Location: &finding.Location{Type: 4},
},
{
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Probe: "testsRunInCI",
Message: "CI test found: pr: 1, context: e2e",
Location: &finding.Location{Type: 4},
},
{
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Probe: "testsRunInCI",
Message: "CI test found: pr: 1, context: e2e",
Location: &finding.Location{Type: 4},
},
{
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Probe: "testsRunInCI",
Message: "CI test found: pr: 1, context: e2e",
Location: &finding.Location{Type: 4},
@ -81,19 +81,19 @@ func TestCITests(t *testing.T) {
name: "Tests debugging",
findings: []finding.Finding{
{
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Probe: "testsRunInCI",
Message: "merged PR 1 without CI test at HEAD: 1",
Location: &finding.Location{Type: 4},
},
{
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Probe: "testsRunInCI",
Message: "merged PR 1 without CI test at HEAD: 1",
Location: &finding.Location{Type: 4},
},
{
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Probe: "testsRunInCI",
Message: "merged PR 1 without CI test at HEAD: 1",
Location: &finding.Location{Type: 4},

2
checks/evaluation/cii_best_practices.go
View File

@ -52,7 +52,7 @@ func CIIBestPractices(name string,
}
f := &findings[0]
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
text = "no effort to earn an OpenSSF best practices badge detected"
return checker.CreateMinScoreResult(name, text)
}

18
checks/evaluation/cii_best_practices_test.go
View File

@ -30,11 +30,11 @@ func TestCIIBestPractices(t *testing.T) {
result scut.TestReturn
}{
{
name: "Unsupported badge found with negative finding",
name: "Unsupported badge found with false finding",
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: "Unsupported",
},
@ -45,11 +45,11 @@ func TestCIIBestPractices(t *testing.T) {
},
},
{
name: "Unsupported badge found with positive finding",
name: "Unsupported badge found with true finding",
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: "Unsupported",
},
@ -65,7 +65,7 @@ func TestCIIBestPractices(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: hasOpenSSFBadge.InProgressLevel,
},
@ -80,7 +80,7 @@ func TestCIIBestPractices(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: hasOpenSSFBadge.PassingLevel,
},
@ -95,7 +95,7 @@ func TestCIIBestPractices(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: hasOpenSSFBadge.SilverLevel,
},
@ -110,7 +110,7 @@ func TestCIIBestPractices(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: hasOpenSSFBadge.GoldLevel,
},
@ -125,7 +125,7 @@ func TestCIIBestPractices(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOpenSSFBadge",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasOpenSSFBadge.LevelKey: hasOpenSSFBadge.UnknownLevel,
},

22
checks/evaluation/contributors.go
View File

@ -42,37 +42,37 @@ func Contributors(name string,
return checker.CreateRuntimeErrorResult(name, e)
}
numberOfPositives := getNumberOfPositives(findings)
reason := fmt.Sprintf("project has %d contributing companies or organizations", numberOfPositives)
numberOfTrue := getNumberOfTrue(findings)
reason := fmt.Sprintf("project has %d contributing companies or organizations", numberOfTrue)
if numberOfPositives > 0 {
if numberOfTrue > 0 {
logFindings(findings, dl)
}
if numberOfPositives > numberCompaniesForTopScore {
if numberOfTrue > numberCompaniesForTopScore {
return checker.CreateMaxScoreResult(name, reason)
}
return checker.CreateProportionalScoreResult(name, reason, numberOfPositives, numberCompaniesForTopScore)
return checker.CreateProportionalScoreResult(name, reason, numberOfTrue, numberCompaniesForTopScore)
}
func getNumberOfPositives(findings []finding.Finding) int {
var numberOfPositives int
func getNumberOfTrue(findings []finding.Finding) int {
var numberOfTrue int
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
if f.Probe == contributorsFromOrgOrCompany.Probe {
numberOfPositives++
numberOfTrue++
}
}
}
return numberOfPositives
return numberOfTrue
}
func logFindings(findings []finding.Finding, dl checker.DetailLogger) {
var sb strings.Builder
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
sb.WriteString(fmt.Sprintf("%s, ", f.Message))
}
}

16
checks/evaluation/contributors_test.go
View File

@ -29,15 +29,15 @@ func TestContributors(t *testing.T) {
result scut.TestReturn
}{
{
name: "Only has two positive outcomes",
name: "Only has two true outcomes",
findings: []finding.Finding{
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -49,26 +49,26 @@ func TestContributors(t *testing.T) {
findings: []finding.Finding{
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
Score: 0,
},
}, {
name: "Has three positive outcomes",
name: "Has three true outcomes",
findings: []finding.Finding{
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "contributorsFromOrgOrCompany",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{

6
checks/evaluation/dangerous_workflow.go
View File

@ -43,7 +43,7 @@ func DangerousWorkflow(name string,
// Log all detected dangerous workflows
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
if f.Location == nil {
e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
return checker.CreateRuntimeErrorResult(name, e)
@ -82,7 +82,7 @@ func hasDWWithUntrustedCheckout(findings []finding.Finding) bool {
for i := range findings {
f := &findings[i]
if f.Probe == hasDangerousWorkflowUntrustedCheckout.Probe {
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
return true
}
}
@ -94,7 +94,7 @@ func hasDWWithScriptInjection(findings []finding.Finding) bool {
for i := range findings {
f := &findings[i]
if f.Probe == hasDangerousWorkflowScriptInjection.Probe {
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
return true
}
}

40
checks/evaluation/dangerous_workflow_test.go
View File

@ -38,10 +38,10 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow.yml",
@ -75,10 +75,10 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -90,10 +90,10 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow.yml",
@ -112,7 +112,7 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow.yml",
@ -121,7 +121,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -134,7 +134,7 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow.yml",
@ -143,7 +143,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow2.yml",
@ -152,7 +152,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -165,7 +165,7 @@ func TestDangerousWorkflow(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow.yml",
@ -174,7 +174,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow2.yml",
@ -183,7 +183,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow3.yml",
@ -192,7 +192,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow4.yml",
@ -201,7 +201,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow5.yml",
@ -210,7 +210,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow6.yml",
@ -219,7 +219,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow7.yml",
@ -228,7 +228,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowScriptInjection",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "./github/workflows/dangerous-workflow8.yml",
@ -237,7 +237,7 @@ func TestDangerousWorkflow(t *testing.T) {
},
}, {
Probe: "hasDangerousWorkflowUntrustedCheckout",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{

6
checks/evaluation/dependency_update_tool.go
View File

@ -36,9 +36,9 @@ func DependencyUpdateTool(name string,
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
// Log all findings except the negative ones.
checker.LogFindings(nonNegativeFindings(findings), dl)
if f.Outcome == finding.OutcomeTrue {
// Log all findings except the false ones.
checker.LogFindings(nonFalseFindings(findings), dl)
return checker.CreateMaxScoreResult(name, "update tool detected")
}
}

6
checks/evaluation/dependency_update_tool_test.go
View File

@ -57,7 +57,7 @@ func TestDependencyUpdateTool(t *testing.T) {
findings: []finding.Finding{
{
Probe: dependencyUpdateToolConfigured.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -70,7 +70,7 @@ func TestDependencyUpdateTool(t *testing.T) {
findings: []finding.Finding{
{
Probe: "notARealProbe",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -93,7 +93,7 @@ func TestDependencyUpdateTool(t *testing.T) {
func depUpdateTool(name string) finding.Finding {
return finding.Finding{
Probe: dependencyUpdateToolConfigured.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
dependencyUpdateToolConfigured.ToolKey: name,
},

8
checks/evaluation/finding.go
View File

@ -18,11 +18,11 @@ import (
"github.com/ossf/scorecard/v4/finding"
)
func nonNegativeFindings(findings []finding.Finding) []finding.Finding {
func nonFalseFindings(findings []finding.Finding) []finding.Finding {
var ff []finding.Finding
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
continue
}
ff = append(ff, *f)
@ -30,11 +30,11 @@ func nonNegativeFindings(findings []finding.Finding) []finding.Finding {
return ff
}
func negativeFindings(findings []finding.Finding) []finding.Finding {
func falseFindings(findings []finding.Finding) []finding.Finding {
var ff []finding.Finding
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
ff = append(ff, *f)
}
}

6
checks/evaluation/fuzzing.go
View File

@ -39,9 +39,9 @@ func Fuzzing(name string,
// Compute the score.
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
// Log all findings except the negative ones.
checker.LogFindings(nonNegativeFindings(findings), dl)
if f.Outcome == finding.OutcomeTrue {
// Log all findings except the false ones.
checker.LogFindings(nonFalseFindings(findings), dl)
return checker.CreateMaxScoreResult(name, "project is fuzzed")
}
}

6
checks/evaluation/fuzzing_test.go
View File

@ -36,7 +36,7 @@ func TestFuzzing(t *testing.T) {
findings: []finding.Finding{
{
Probe: fuzzed.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -71,7 +71,7 @@ func TestFuzzing(t *testing.T) {
findings: []finding.Finding{
{
Probe: "someUnrelatedProbe",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
fuzzTool(fuzzers.RustCargoFuzz),
},
@ -95,7 +95,7 @@ func TestFuzzing(t *testing.T) {
func fuzzTool(name string) finding.Finding {
return finding.Finding{
Probe: fuzzed.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
fuzzed.ToolKey: name,
},

2
checks/evaluation/license.go
View File

@ -43,7 +43,7 @@ func License(name string,
m := make(map[string]bool)
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
switch f.Probe {
case hasFSFOrOSIApprovedLicense.Probe:
score += scoreProbeOnce(f.Probe, m, 1)

22
checks/evaluation/license_test.go
View File

@ -30,15 +30,15 @@ func TestLicense(t *testing.T) {
result scut.TestReturn
}{
{
name: "Positive outcome = Max Score",
name: "True outcome = Max Score",
findings: []finding.Finding{
{
Probe: "hasLicenseFile",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "hasFSFOrOSIApprovedLicense",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -46,15 +46,15 @@ func TestLicense(t *testing.T) {
NumberOfInfo: 2,
},
}, {
name: "Negative outcomes from all probes = Min score",
name: "false outcomes from all probes = Min score",
findings: []finding.Finding{
{
Probe: "hasLicenseFile",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasFSFOrOSIApprovedLicense",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -66,11 +66,11 @@ func TestLicense(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasLicenseFile",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "hasFSFOrOSIApprovedLicense",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -83,7 +83,7 @@ func TestLicense(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasLicenseFile",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -95,11 +95,11 @@ func TestLicense(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasLicenseFile",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "hasFSFOrOSIApprovedLicense",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{

10
checks/evaluation/maintained.go
View File

@ -51,12 +51,12 @@ func Maintained(name string,
}
if projectIsArchived(findings) {
checker.LogFindings(negativeFindings(findings), dl)
checker.LogFindings(falseFindings(findings), dl)
return checker.CreateMinScoreResult(name, "project is archived")
}
if projectWasCreatedInLast90Days(findings) {
checker.LogFindings(negativeFindings(findings), dl)
checker.LogFindings(falseFindings(findings), dl)
return checker.CreateMinScoreResult(name, "project was created in last 90 days. please review its contents carefully")
}
@ -64,7 +64,7 @@ func Maintained(name string,
var err error
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
switch f.Probe {
case issueActivityByProjectMember.Probe:
numberOfIssuesUpdatedWithinThreshold, err = strconv.Atoi(f.Values[issueActivityByProjectMember.NumIssuesKey])
@ -89,7 +89,7 @@ func Maintained(name string,
func projectIsArchived(findings []finding.Finding) bool {
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative && f.Probe == notArchived.Probe {
if f.Outcome == finding.OutcomeFalse && f.Probe == notArchived.Probe {
return true
}
}
@ -99,7 +99,7 @@ func projectIsArchived(findings []finding.Finding) bool {
func projectWasCreatedInLast90Days(findings []finding.Finding) bool {
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative && f.Probe == notCreatedRecently.Probe {
if f.Outcome == finding.OutcomeFalse && f.Probe == notCreatedRecently.Probe {
return true
}
}

32
checks/evaluation/maintained_test.go
View File

@ -37,22 +37,22 @@ func TestMaintained(t *testing.T) {
findings: []finding.Finding{
{
Probe: hasRecentCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
hasRecentCommits.NumCommitsKey: "2",
},
}, {
Probe: issueActivityByProjectMember.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
issueActivityByProjectMember.NumIssuesKey: "1",
},
}, {
Probe: notArchived.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: notCreatedRecently.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -64,16 +64,16 @@ func TestMaintained(t *testing.T) {
findings: []finding.Finding{
{
Probe: hasRecentCommits.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: issueActivityByProjectMember.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: notArchived.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: notCreatedRecently.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -85,16 +85,16 @@ func TestMaintained(t *testing.T) {
findings: []finding.Finding{
{
Probe: hasRecentCommits.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: issueActivityByProjectMember.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: "archvied", /*misspelling*/
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
}, {
Probe: notCreatedRecently.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -107,16 +107,16 @@ func TestMaintained(t *testing.T) {
findings: []finding.Finding{
{
Probe: hasRecentCommits.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: issueActivityByProjectMember.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: notArchived.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
}, {
Probe: notCreatedRecently.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{

12
checks/evaluation/packaging.go
View File

@ -36,15 +36,15 @@ func Packaging(name string,
}
// Currently there is only a single packaging probe that returns
// a single positive or negative outcome. As such, in this evaluation,
// we return max score if the outcome is positive and lowest score if
// the outcome is negative.
// a single true or false outcome. As such, in this evaluation,
// we return max score if the outcome is true and lowest score if
// the outcome is false.
maxScore := false
for _, f := range findings {
f := f
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
maxScore = true
// Log all findings except the negative ones.
// Log all findings except the false ones.
dl.Info(&checker.LogMessage{
Finding: &f,
})
@ -54,7 +54,7 @@ func Packaging(name string,
return checker.CreateMaxScoreResult(name, "packaging workflow detected")
}
checker.LogFindings(negativeFindings(findings), dl)
checker.LogFindings(falseFindings(findings), dl)
return checker.CreateInconclusiveResult(name,
"packaging workflow not detected")
}

14
checks/evaluation/packaging_test.go
View File

@ -30,11 +30,11 @@ func TestPackaging(t *testing.T) {
result scut.TestReturn
}{
{
name: "test positive outcome",
name: "test true outcome",
findings: []finding.Finding{
{
Probe: "packagedWithAutomatedWorkflow",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -43,11 +43,11 @@ func TestPackaging(t *testing.T) {
},
},
{
name: "test positive outcome with wrong probes",
name: "test true outcome with wrong probes",
findings: []finding.Finding{
{
Probe: "wrongProbe",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -60,7 +60,7 @@ func TestPackaging(t *testing.T) {
findings: []finding.Finding{
{
Probe: "packagedWithAutomatedWorkflow",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -69,11 +69,11 @@ func TestPackaging(t *testing.T) {
},
},
{
name: "test negative outcome with wrong probes",
name: "test false outcome with wrong probes",
findings: []finding.Finding{
{
Probe: "wrongProbe",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{

2
checks/evaluation/permissions.go
View File

@ -98,7 +98,7 @@ func TokenPermissions(name string,
return checker.CreateInconclusiveResult(name, "No tokens found")
}
if f.Outcome != finding.OutcomeNegative {
if f.Outcome != finding.OutcomeFalse {
continue
}
if f.Location == nil {

4
checks/evaluation/pinned_dependencies.go
View File

@ -88,7 +88,7 @@ func PinningDependencies(name string,
Finding: &f,
})
continue
case finding.OutcomeNegative:
case finding.OutcomeFalse:
// we cant use the finding if we want the remediation to show
// finding.Remediation are currently suppressed (#3349)
lm := &checker.LogMessage{
@ -177,7 +177,7 @@ func generateOwnerToDisplay(gitHubOwned bool) string {
}
func addPinnedResult(outcome finding.Outcome, r *pinnedResult) {
if outcome == finding.OutcomePositive {
if outcome == finding.OutcomeTrue {
r.pinned += 1
}
r.total += 1

36
checks/evaluation/pinned_dependencies_test.go
View File

@ -243,7 +243,7 @@ func Test_PinningDependencies(t *testing.T) {
findings: []finding.Finding{
{
Probe: "pinsDependencies",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -265,7 +265,7 @@ func Test_PinningDependencies(t *testing.T) {
findings: []finding.Finding{
{
Probe: "pinsDependencies",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -312,7 +312,7 @@ func Test_PinningDependencies(t *testing.T) {
findings: []finding.Finding{
{
Probe: "pinsDependencies",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -326,7 +326,7 @@ func Test_PinningDependencies(t *testing.T) {
},
{
Probe: "pinsDependencies",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -350,7 +350,7 @@ func Test_PinningDependencies(t *testing.T) {
findings: []finding.Finding{
{
Probe: "pinsDependencies",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -364,7 +364,7 @@ func Test_PinningDependencies(t *testing.T) {
},
{
Probe: "pinsDependencies",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -388,7 +388,7 @@ func Test_PinningDependencies(t *testing.T) {
findings: []finding.Finding{
{
Probe: "pinsDependencies",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -440,7 +440,7 @@ func Test_PinningDependencies(t *testing.T) {
},
{
Probe: pinsDependencies.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Location: &finding.Location{
Type: finding.FileTypeText,
Path: "test-file",
@ -489,7 +489,7 @@ func Test_addWorkflowPinnedResult(t *testing.T) {
{
name: "add pinned GitHub-owned action dependency",
args: args{
outcome: finding.OutcomePositive,
outcome: finding.OutcomeTrue,
w: &workflowPinningResult{},
isGitHub: true,
},
@ -507,7 +507,7 @@ func Test_addWorkflowPinnedResult(t *testing.T) {
{
name: "add unpinned GitHub-owned action dependency",
args: args{
outcome: finding.OutcomeNegative,
outcome: finding.OutcomeFalse,
w: &workflowPinningResult{},
isGitHub: true,
},
@ -525,7 +525,7 @@ func Test_addWorkflowPinnedResult(t *testing.T) {
{
name: "add pinned Third-Party action dependency",
args: args{
outcome: finding.OutcomePositive,
outcome: finding.OutcomeTrue,
w: &workflowPinningResult{},
isGitHub: false,
},
@ -543,7 +543,7 @@ func Test_addWorkflowPinnedResult(t *testing.T) {
{
name: "add unpinned Third-Party action dependency",
args: args{
outcome: finding.OutcomeNegative,
outcome: finding.OutcomeFalse,
w: &workflowPinningResult{},
isGitHub: false,
},
@ -602,7 +602,7 @@ func TestUpdatePinningResults(t *testing.T) {
name: "add pinned GitHub-owned action",
args: args{
dependencyType: checker.DependencyUseTypeGHAction,
outcome: finding.OutcomePositive,
outcome: finding.OutcomeTrue,
snippet: stringAsPointer("actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675"),
w: &workflowPinningResult{},
pr: make(map[checker.DependencyUseType]pinnedResult),
@ -625,7 +625,7 @@ func TestUpdatePinningResults(t *testing.T) {
name: "add unpinned GitHub-owned action",
args: args{
dependencyType: checker.DependencyUseTypeGHAction,
outcome: finding.OutcomeNegative,
outcome: finding.OutcomeFalse,
snippet: stringAsPointer("actions/checkout@v2"),
w: &workflowPinningResult{},
pr: make(map[checker.DependencyUseType]pinnedResult),
@ -648,7 +648,7 @@ func TestUpdatePinningResults(t *testing.T) {
name: "add pinned Third-party action",
args: args{
dependencyType: checker.DependencyUseTypeGHAction,
outcome: finding.OutcomePositive,
outcome: finding.OutcomeTrue,
w: &workflowPinningResult{},
snippet: stringAsPointer("other/checkout@ffa6706ff2127a749973072756f83c532e43ed02"),
pr: make(map[checker.DependencyUseType]pinnedResult),
@ -672,7 +672,7 @@ func TestUpdatePinningResults(t *testing.T) {
args: args{
dependencyType: checker.DependencyUseTypeGHAction,
snippet: stringAsPointer("other/checkout@v2"),
outcome: finding.OutcomeNegative,
outcome: finding.OutcomeFalse,
w: &workflowPinningResult{},
pr: make(map[checker.DependencyUseType]pinnedResult),
},
@ -694,7 +694,7 @@ func TestUpdatePinningResults(t *testing.T) {
name: "add pinned pip install",
args: args{
dependencyType: checker.DependencyUseTypePipCommand,
outcome: finding.OutcomePositive,
outcome: finding.OutcomeTrue,
w: &workflowPinningResult{},
pr: make(map[checker.DependencyUseType]pinnedResult),
},
@ -712,7 +712,7 @@ func TestUpdatePinningResults(t *testing.T) {
name: "add unpinned pip install",
args: args{
dependencyType: checker.DependencyUseTypePipCommand,
outcome: finding.OutcomeNegative,
outcome: finding.OutcomeFalse,
w: &workflowPinningResult{},
pr: make(map[checker.DependencyUseType]pinnedResult),
},

14
checks/evaluation/sast.go
View File

@ -52,7 +52,7 @@ func SAST(name string,
}
case sastToolConfigured.Probe:
tool, ok := f.Values[sastToolConfigured.ToolKey]
if f.Outcome == finding.OutcomePositive && !ok {
if f.Outcome == finding.OutcomeTrue && !ok {
return checker.CreateRuntimeErrorResult(name, sce.WithMessage(sce.ErrScorecardInternal, "missing SAST tool"))
}
score := getSastToolScore(f, dl)
@ -133,11 +133,11 @@ func getSASTScore(f *finding.Finding, dl checker.DetailLogger) (int, error) {
Text: f.Message,
})
return checker.InconclusiveResultScore, nil
case finding.OutcomePositive:
case finding.OutcomeTrue:
dl.Info(&checker.LogMessage{
Text: f.Message,
})
case finding.OutcomeNegative:
case finding.OutcomeFalse:
dl.Warn(&checker.LogMessage{
Text: f.Message,
})
@ -154,16 +154,16 @@ func getSASTScore(f *finding.Finding, dl checker.DetailLogger) (int, error) {
return checker.CreateProportionalScore(analyzed, total), nil
}
// getSastToolScore returns positive if the project runs the Sast tool
// and negative if it doesn't.
// getSastToolScore returns true if the project runs the Sast tool
// and false if it doesn't.
func getSastToolScore(f *finding.Finding, dl checker.DetailLogger) int {
switch f.Outcome {
case finding.OutcomePositive:
case finding.OutcomeTrue:
dl.Info(&checker.LogMessage{
Text: f.Message,
})
return checker.MaxResultScore
case finding.OutcomeNegative:
case finding.OutcomeFalse:
return checker.MinResultScore
default:
return checker.InconclusiveResultScore

16
checks/evaluation/sast_test.go
View File

@ -36,7 +36,7 @@ func TestSAST(t *testing.T) {
findings: []finding.Finding{
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -51,7 +51,7 @@ func TestSAST(t *testing.T) {
tool(checker.CodeQLWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
sastToolRunsOnAllCommits.TotalPRsKey: "2",
@ -70,7 +70,7 @@ func TestSAST(t *testing.T) {
tool(checker.PysaWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
sastToolRunsOnAllCommits.TotalPRsKey: "2",
@ -105,11 +105,11 @@ func TestSAST(t *testing.T) {
findings: []finding.Finding{
{
Probe: sastToolConfigured.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Values: map[string]string{
sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
sastToolRunsOnAllCommits.TotalPRsKey: "3",
@ -128,7 +128,7 @@ func TestSAST(t *testing.T) {
tool(checker.SnykWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
sastToolRunsOnAllCommits.TotalPRsKey: "3",
@ -147,7 +147,7 @@ func TestSAST(t *testing.T) {
tool(checker.QodanaWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
sastToolRunsOnAllCommits.TotalPRsKey: "3",
@ -175,7 +175,7 @@ func TestSAST(t *testing.T) {
func tool(name checker.SASTWorkflowType) finding.Finding {
return finding.Finding{
Probe: sastToolConfigured.Probe,
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
sastToolConfigured.ToolKey: string(name),
},

8
checks/evaluation/security_policy.go
View File

@ -42,7 +42,7 @@ func SecurityPolicy(name string, findings []finding.Finding, dl checker.DetailLo
m := make(map[string]bool)
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomePositive {
if f.Outcome == finding.OutcomeTrue {
switch f.Probe {
case securityPolicyContainsVulnerabilityDisclosure.Probe:
score += scoreProbeOnce(f.Probe, m, 1)
@ -71,9 +71,9 @@ func SecurityPolicy(name string, findings []finding.Finding, dl checker.DetailLo
}
// Log all findings.
// NOTE: if the score is checker.MaxResultScore, then all findings are positive.
// If the score is less than checker.MaxResultScore, some findings are negative,
// so we log both positive and negative findings.
// NOTE: if the score is checker.MaxResultScore, then all findings are true.
// If the score is less than checker.MaxResultScore, some findings are false,
// so we log both true and false findings.
checker.LogFindings(findings, dl)
return checker.CreateResultWithScore(name, "security policy file detected", score)

52
checks/evaluation/security_policy_test.go
View File

@ -35,15 +35,15 @@ func TestSecurityPolicy(t *testing.T) {
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -56,23 +56,23 @@ func TestSecurityPolicy(t *testing.T) {
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsLinks",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyInvalidProbeName",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -85,19 +85,19 @@ func TestSecurityPolicy(t *testing.T) {
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsLinks",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -107,23 +107,23 @@ func TestSecurityPolicy(t *testing.T) {
},
},
{
name: "file not found with positive probes",
name: "file not found with true probes",
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyContainsLinks",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -136,19 +136,19 @@ func TestSecurityPolicy(t *testing.T) {
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyContainsLinks",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -158,23 +158,23 @@ func TestSecurityPolicy(t *testing.T) {
},
},
{
name: "file found all positive",
name: "file found all true",
findings: []finding.Finding{
{
Probe: "securityPolicyContainsVulnerabilityDisclosure",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyContainsLinks",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyContainsText",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "securityPolicyPresent",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{

10
checks/evaluation/signed_releases.go
View File

@ -70,7 +70,7 @@ func SignedReleases(name string,
// Check if outcome is NotApplicable
}
totalPositive := 0
totalTrue := 0
releaseMap := make(map[string]int)
uniqueReleaseTags := make([]string, 0)
checker.LogFindings(findings, dl)
@ -86,8 +86,8 @@ func SignedReleases(name string,
uniqueReleaseTags = append(uniqueReleaseTags, releaseName)
}
if f.Outcome == finding.OutcomePositive {
totalPositive++
if f.Outcome == finding.OutcomeTrue {
totalTrue++
switch f.Probe {
case releasesAreSigned.Probe:
@ -100,7 +100,7 @@ func SignedReleases(name string,
}
}
if totalPositive == 0 {
if totalTrue == 0 {
return checker.CreateMinScoreResult(name, "Project has not signed or included provenance with any releases.")
}
@ -125,7 +125,7 @@ func SignedReleases(name string,
score = int(math.Floor(float64(score) / float64(totalReleases)))
reason := fmt.Sprintf("%d out of the last %d releases have a total of %d signed artifacts.",
len(releaseMap), totalReleases, totalPositive)
len(releaseMap), totalReleases, totalTrue)
return checker.CreateResultWithScore(name, reason, score)
}

188
checks/evaluation/signed_releases_test.go
View File

@ -74,8 +74,8 @@ func TestSignedReleases(t *testing.T) {
{
name: "Has one release that is signed but no provenance",
findings: []finding.Finding{
signedProbe(0, 0, finding.OutcomePositive),
provenanceProbe(0, 0, finding.OutcomeNegative),
signedProbe(0, 0, finding.OutcomeTrue),
provenanceProbe(0, 0, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 8,
@ -87,8 +87,8 @@ func TestSignedReleases(t *testing.T) {
{
name: "Has one release that is signed and has provenance",
findings: []finding.Finding{
signedProbe(0, 0, finding.OutcomePositive),
provenanceProbe(0, 0, finding.OutcomePositive),
signedProbe(0, 0, finding.OutcomeTrue),
provenanceProbe(0, 0, finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: 10,
@ -99,8 +99,8 @@ func TestSignedReleases(t *testing.T) {
{
name: "Has one release that is not signed but has provenance",
findings: []finding.Finding{
signedProbe(0, 0, finding.OutcomeNegative),
provenanceProbe(0, 0, finding.OutcomePositive),
signedProbe(0, 0, finding.OutcomeFalse),
provenanceProbe(0, 0, finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: checker.MaxResultScore,
@ -115,33 +115,33 @@ func TestSignedReleases(t *testing.T) {
findings: []finding.Finding{
// Release 1:
// Asset 1:
signedProbe(release0, asset0, finding.OutcomeNegative),
provenanceProbe(release0, asset0, finding.OutcomeNegative),
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
// Asset 2:
signedProbe(release0, asset1, finding.OutcomePositive),
provenanceProbe(release0, asset1, finding.OutcomeNegative),
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
// Release 2
// Asset 1:
signedProbe(release1, asset0, finding.OutcomeNegative),
provenanceProbe(release1, asset0, finding.OutcomeNegative),
signedProbe(release1, asset0, finding.OutcomeFalse),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2
// Asset 2:
signedProbe(release1, asset1, finding.OutcomeNegative),
provenanceProbe(release1, asset1, finding.OutcomeNegative),
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2
// Asset 3:
signedProbe(release1, asset2, finding.OutcomeNegative),
provenanceProbe(release1, asset2, finding.OutcomeNegative),
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3
// Asset 1:
signedProbe(release2, asset0, finding.OutcomeNegative),
provenanceProbe(release2, asset0, finding.OutcomePositive),
signedProbe(release2, asset0, finding.OutcomeFalse),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Asset 2:
signedProbe(release2, asset1, finding.OutcomeNegative),
provenanceProbe(release2, asset1, finding.OutcomePositive),
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeTrue),
// Asset 3:
signedProbe(release2, asset2, finding.OutcomeNegative),
provenanceProbe(release2, asset2, finding.OutcomeNegative),
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 6,
@ -155,50 +155,50 @@ func TestSignedReleases(t *testing.T) {
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
signedProbe(release0, asset0, finding.OutcomeNegative),
provenanceProbe(release0, asset0, finding.OutcomeNegative),
signedProbe(release0, asset1, finding.OutcomePositive),
provenanceProbe(release0, asset1, finding.OutcomeNegative),
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
// Release 2:
// Release 2, Asset 1:
signedProbe(release1, asset1, finding.OutcomePositive),
provenanceProbe(release1, asset0, finding.OutcomeNegative),
signedProbe(release1, asset1, finding.OutcomeTrue),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2, Asset 2:
signedProbe(release1, asset1, finding.OutcomeNegative),
provenanceProbe(release1, asset1, finding.OutcomeNegative),
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2, Asset 3:
signedProbe(release1, asset2, finding.OutcomeNegative),
provenanceProbe(release1, asset2, finding.OutcomeNegative),
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3, Asset 1:
signedProbe(release2, asset0, finding.OutcomeNegative),
provenanceProbe(release2, asset0, finding.OutcomePositive),
signedProbe(release2, asset0, finding.OutcomeFalse),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Release 3, Asset 2:
signedProbe(release2, asset1, finding.OutcomeNegative),
provenanceProbe(release2, asset1, finding.OutcomeNegative),
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeFalse),
// Release 3, Asset 3:
signedProbe(release2, asset2, finding.OutcomeNegative),
provenanceProbe(release2, asset2, finding.OutcomeNegative),
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
// Release 4, Asset 1:
signedProbe(release3, asset0, finding.OutcomeNegative),
provenanceProbe(release3, asset0, finding.OutcomePositive),
signedProbe(release3, asset0, finding.OutcomeFalse),
provenanceProbe(release3, asset0, finding.OutcomeTrue),
// Release 4, Asset 2:
signedProbe(release3, asset1, finding.OutcomeNegative),
provenanceProbe(release3, asset1, finding.OutcomeNegative),
signedProbe(release3, asset1, finding.OutcomeFalse),
provenanceProbe(release3, asset1, finding.OutcomeFalse),
// Release 4, Asset 3:
signedProbe(release3, asset2, finding.OutcomeNegative),
provenanceProbe(release3, asset2, finding.OutcomeNegative),
signedProbe(release3, asset2, finding.OutcomeFalse),
provenanceProbe(release3, asset2, finding.OutcomeFalse),
// Release 5, Asset 1:
signedProbe(release4, asset0, finding.OutcomeNegative),
provenanceProbe(release4, asset0, finding.OutcomeNegative),
signedProbe(release4, asset0, finding.OutcomeFalse),
provenanceProbe(release4, asset0, finding.OutcomeFalse),
// Release 5, Asset 2:
signedProbe(release4, asset1, finding.OutcomeNegative),
provenanceProbe(release4, asset1, finding.OutcomeNegative),
signedProbe(release4, asset1, finding.OutcomeFalse),
provenanceProbe(release4, asset1, finding.OutcomeFalse),
// Release 5, Asset 3:
signedProbe(release4, asset2, finding.OutcomeNegative),
provenanceProbe(release4, asset2, finding.OutcomeNegative),
signedProbe(release4, asset2, finding.OutcomeFalse),
provenanceProbe(release4, asset2, finding.OutcomeFalse),
// Release 5, Asset 4:
signedProbe(release4, asset3, finding.OutcomeNegative),
provenanceProbe(release4, asset3, finding.OutcomeNegative),
signedProbe(release4, asset3, finding.OutcomeFalse),
provenanceProbe(release4, asset3, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 7,
@ -212,50 +212,50 @@ func TestSignedReleases(t *testing.T) {
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
signedProbe(release0, asset0, finding.OutcomeNegative),
provenanceProbe(release0, asset0, finding.OutcomeNegative),
signedProbe(release0, asset1, finding.OutcomePositive),
provenanceProbe(release0, asset1, finding.OutcomeNegative),
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
// Release 2:
// Release 2, Asset 1:
signedProbe(release1, asset0, finding.OutcomePositive),
provenanceProbe(release1, asset0, finding.OutcomeNegative),
signedProbe(release1, asset0, finding.OutcomeTrue),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2, Asset 2:
signedProbe(release1, asset1, finding.OutcomeNegative),
provenanceProbe(release1, asset1, finding.OutcomeNegative),
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2, Asset 3:
signedProbe(release1, asset2, finding.OutcomeNegative),
provenanceProbe(release1, asset2, finding.OutcomeNegative),
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3, Asset 1:
signedProbe(release2, asset0, finding.OutcomePositive),
provenanceProbe(release2, asset0, finding.OutcomePositive),
signedProbe(release2, asset0, finding.OutcomeTrue),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Release 3, Asset 2:
signedProbe(release2, asset1, finding.OutcomeNegative),
provenanceProbe(release2, asset1, finding.OutcomeNegative),
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeFalse),
// Release 3, Asset 3:
signedProbe(release2, asset2, finding.OutcomeNegative),
provenanceProbe(release2, asset2, finding.OutcomeNegative),
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
// Release 4, Asset 1:
signedProbe(release3, asset0, finding.OutcomePositive),
provenanceProbe(release3, asset0, finding.OutcomePositive),
signedProbe(release3, asset0, finding.OutcomeTrue),
provenanceProbe(release3, asset0, finding.OutcomeTrue),
// Release 4, Asset 2:
signedProbe(release3, asset1, finding.OutcomeNegative),
provenanceProbe(release3, asset1, finding.OutcomeNegative),
signedProbe(release3, asset1, finding.OutcomeFalse),
provenanceProbe(release3, asset1, finding.OutcomeFalse),
// Release 4, Asset 3:
signedProbe(release3, asset2, finding.OutcomeNegative),
provenanceProbe(release3, asset2, finding.OutcomeNegative),
signedProbe(release3, asset2, finding.OutcomeFalse),
provenanceProbe(release3, asset2, finding.OutcomeFalse),
// Release 5, Asset 1:
signedProbe(release4, asset0, finding.OutcomePositive),
provenanceProbe(release4, asset0, finding.OutcomeNegative),
signedProbe(release4, asset0, finding.OutcomeTrue),
provenanceProbe(release4, asset0, finding.OutcomeFalse),
// Release 5, Asset 2:
signedProbe(release4, asset1, finding.OutcomeNegative),
provenanceProbe(release4, asset1, finding.OutcomeNegative),
signedProbe(release4, asset1, finding.OutcomeFalse),
provenanceProbe(release4, asset1, finding.OutcomeFalse),
// Release 5, Asset 3:
signedProbe(release4, asset2, finding.OutcomeNegative),
provenanceProbe(release4, asset2, finding.OutcomeNegative),
signedProbe(release4, asset2, finding.OutcomeFalse),
provenanceProbe(release4, asset2, finding.OutcomeFalse),
// Release 5, Asset 4:
signedProbe(release4, asset3, finding.OutcomeNegative),
provenanceProbe(release4, asset3, finding.OutcomeNegative),
signedProbe(release4, asset3, finding.OutcomeFalse),
provenanceProbe(release4, asset3, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 8,
@ -269,24 +269,24 @@ func TestSignedReleases(t *testing.T) {
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
signedProbe(release0, asset0, finding.OutcomePositive),
provenanceProbe(release0, asset0, finding.OutcomePositive),
signedProbe(release0, asset0, finding.OutcomeTrue),
provenanceProbe(release0, asset0, finding.OutcomeTrue),
// Release 2:
// Release 2, Asset 1:
signedProbe(release1, asset0, finding.OutcomePositive),
provenanceProbe(release1, asset0, finding.OutcomePositive),
signedProbe(release1, asset0, finding.OutcomeTrue),
provenanceProbe(release1, asset0, finding.OutcomeTrue),
// Release 3, Asset 1:
signedProbe(release2, asset0, finding.OutcomePositive),
provenanceProbe(release2, asset0, finding.OutcomePositive),
signedProbe(release2, asset0, finding.OutcomeTrue),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Release 4, Asset 1:
signedProbe(release3, asset0, finding.OutcomePositive),
provenanceProbe(release3, asset0, finding.OutcomePositive),
signedProbe(release3, asset0, finding.OutcomeTrue),
provenanceProbe(release3, asset0, finding.OutcomeTrue),
// Release 5, Asset 1:
signedProbe(release4, asset0, finding.OutcomePositive),
provenanceProbe(release4, asset0, finding.OutcomePositive),
signedProbe(release4, asset0, finding.OutcomeTrue),
provenanceProbe(release4, asset0, finding.OutcomeTrue),
// Release 6, Asset 1:
signedProbe(release5, asset0, finding.OutcomePositive),
provenanceProbe(release5, asset0, finding.OutcomePositive),
signedProbe(release5, asset0, finding.OutcomeTrue),
provenanceProbe(release5, asset0, finding.OutcomeTrue),
},
result: scut.TestReturn{
Score: checker.InconclusiveResultScore,

2
checks/evaluation/vulnerabilities.go
View File

@ -37,7 +37,7 @@ func Vulnerabilities(name string,
return checker.CreateRuntimeErrorResult(name, e)
}
vulnsFound := negativeFindings(findings)
vulnsFound := falseFindings(findings)
numVulnsFound := len(vulnsFound)
checker.LogFindings(vulnsFound, dl)

32
checks/evaluation/vulnerabilities_test.go
View File

@ -39,7 +39,7 @@ func TestVulnerabilities(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -51,15 +51,15 @@ func TestVulnerabilities(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -72,51 +72,51 @@ func TestVulnerabilities(t *testing.T) {
findings: []finding.Finding{
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "hasOSVVulnerabilities",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{

2
checks/evaluation/webhooks.go
View File

@ -46,7 +46,7 @@ func Webhooks(name string,
for i := range findings {
f := &findings[i]
if f.Outcome == finding.OutcomeNegative {
if f.Outcome == finding.OutcomeFalse {
webhooksWithNoSecret++
}
}

66
checks/evaluation/webhooks_test.go
View File

@ -47,7 +47,7 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -59,7 +59,7 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -71,11 +71,11 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -87,23 +87,23 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{
@ -115,51 +115,51 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
result: scut.TestReturn{
@ -171,51 +171,51 @@ func TestWebhooks(t *testing.T) {
findings: []finding.Finding{
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
{
Probe: "webhooksUseSecrets",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
result: scut.TestReturn{

37
finding/finding.go
View File

@ -58,16 +58,16 @@ type Outcome string
// TODO(#2928): re-visit the finding definitions.
const (
// OutcomeNegative indicates a negative outcome.
OutcomeNegative Outcome = "Negative"
// OutcomeFalse indicates the answer to the probe's question is "false" or "no".
OutcomeFalse Outcome = "False"
// OutcomeNotAvailable indicates an unavailable outcome,
// typically because an API call did not return an answer.
OutcomeNotAvailable Outcome = "NotAvailable"
// OutcomeError indicates an errors while running.
// The results could not be determined.
OutcomeError Outcome = "Error"
// OutcomePositive indicates a positive outcome.
OutcomePositive Outcome = "Positive"
// OutcomeTrue indicates the answer to the probe's question is "true" or "yes".
OutcomeTrue Outcome = "True"
// OutcomeNotSupported indicates a non-supported outcome.
OutcomeNotSupported Outcome = "NotSupported"
// OutcomeNotApplicable indicates if a finding should not
@ -102,7 +102,7 @@ func FromBytes(content []byte, probeID string) (*Finding, error) {
}
f := &Finding{
Probe: p.ID,
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: p.Remediation,
}
return f, nil
@ -117,7 +117,7 @@ func New(loc embed.FS, probeID string) (*Finding, error) {
f := &Finding{
Probe: p.ID,
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: p.Remediation,
}
return f, nil
@ -136,10 +136,10 @@ func NewWith(efs embed.FS, probeID, text string, loc *Location,
return f, nil
}
// NewWith create a negative finding with the desired location.
func NewNegative(efs embed.FS, probeID, text string, loc *Location,
// NewFalse create a false finding with the desired location.
func NewFalse(efs embed.FS, probeID, text string, loc *Location,
) (*Finding, error) {
return NewWith(efs, probeID, text, loc, OutcomeNegative)
return NewWith(efs, probeID, text, loc, OutcomeFalse)
}
// NewNotAvailable create a finding with a NotAvailable outcome and the desired location.
@ -148,10 +148,10 @@ func NewNotAvailable(efs embed.FS, probeID, text string, loc *Location,
return NewWith(efs, probeID, text, loc, OutcomeNotAvailable)
}
// NewPositive create a positive finding with the desired location.
func NewPositive(efs embed.FS, probeID, text string, loc *Location,
// NewTrue create a true finding with the desired location.
func NewTrue(efs embed.FS, probeID, text string, loc *Location,
) (*Finding, error) {
return NewWith(efs, probeID, text, loc, OutcomePositive)
return NewWith(efs, probeID, text, loc, OutcomeTrue)
}
// Anonymize removes the probe ID and outcome
@ -222,8 +222,9 @@ func (f *Finding) WithPatch(patch *string) *Finding {
// WARNING: this function should be called at most once for a finding.
func (f *Finding) WithOutcome(o Outcome) *Finding {
f.Outcome = o
// Positive is not negative, remove the remediation.
if o != OutcomeNegative {
// Currently only false probes have remediations.
// TODO(#3654) this is a temporary mechanical conversion.
if o != OutcomeFalse {
f.Remediation = nil
}
@ -265,10 +266,10 @@ func (o *Outcome) UnmarshalYAML(n *yaml.Node) error {
}
switch n.Value {
case "Negative":
*o = OutcomeNegative
case "Positive":
*o = OutcomePositive
case "False":
*o = OutcomeFalse
case "True":
*o = OutcomeTrue
case "NotAvailable":
*o = OutcomeNotAvailable
case "NotSupported":

46
finding/finding_test.go
View File

@ -35,8 +35,8 @@ func Test_FromBytes(t *testing.T) {
patch := "some patch values"
sline := uint(10)
eline := uint(46)
positiveOutcome := OutcomePositive
negativeOutcome := OutcomeNegative
trueOutcome := OutcomeTrue
falseOutcome := OutcomeFalse
t.Parallel()
tests := []struct {
err error
@ -51,10 +51,10 @@ func Test_FromBytes(t *testing.T) {
name: "effort low",
id: "effort-low",
path: "testdata/effort-low.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
finding: &Finding{
Probe: "effort-low",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 https://www.google.com/something",
Markdown: "step1\nstep2 [google.com](https://www.google.com/something)",
@ -66,10 +66,10 @@ func Test_FromBytes(t *testing.T) {
name: "effort high",
id: "effort-high",
path: "testdata/effort-high.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
finding: &Finding{
Probe: "effort-high",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 https://www.google.com/something",
Markdown: "step1\nstep2 [google.com](https://www.google.com/something)",
@ -81,11 +81,11 @@ func Test_FromBytes(t *testing.T) {
name: "env variables",
id: "metadata-variables",
path: "testdata/metadata-variables.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
metadata: map[string]string{"branch": "master", "repo": "ossf/scorecard"},
finding: &Finding{
Probe: "metadata-variables",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 google.com/ossf/scorecard@master",
Markdown: "step1\nstep2 [google.com/ossf/scorecard@master](google.com/ossf/scorecard@master)",
@ -97,11 +97,11 @@ func Test_FromBytes(t *testing.T) {
name: "patch",
id: "metadata-variables",
path: "testdata/metadata-variables.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
metadata: map[string]string{"branch": "master", "repo": "ossf/scorecard"},
finding: &Finding{
Probe: "metadata-variables",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 google.com/ossf/scorecard@master",
Markdown: "step1\nstep2 [google.com/ossf/scorecard@master](google.com/ossf/scorecard@master)",
@ -114,11 +114,11 @@ func Test_FromBytes(t *testing.T) {
name: "location",
id: "metadata-variables",
path: "testdata/metadata-variables.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
metadata: map[string]string{"branch": "master", "repo": "ossf/scorecard"},
finding: &Finding{
Probe: "metadata-variables",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 google.com/ossf/scorecard@master",
Markdown: "step1\nstep2 [google.com/ossf/scorecard@master](google.com/ossf/scorecard@master)",
@ -137,11 +137,11 @@ func Test_FromBytes(t *testing.T) {
name: "text",
id: "metadata-variables",
path: "testdata/metadata-variables.yml",
outcome: &negativeOutcome,
outcome: &falseOutcome,
metadata: map[string]string{"branch": "master", "repo": "ossf/scorecard"},
finding: &Finding{
Probe: "metadata-variables",
Outcome: OutcomeNegative,
Outcome: OutcomeFalse,
Remediation: &probe.Remediation{
Text: "step1\nstep2 google.com/ossf/scorecard@master",
Markdown: "step1\nstep2 [google.com/ossf/scorecard@master](google.com/ossf/scorecard@master)",
@ -151,13 +151,13 @@ func Test_FromBytes(t *testing.T) {
},
},
{
name: "positive outcome",
name: "true outcome",
id: "metadata-variables",
path: "testdata/metadata-variables.yml",
outcome: &positiveOutcome,
outcome: &trueOutcome,
finding: &Finding{
Probe: "metadata-variables",
Outcome: OutcomePositive,
Outcome: OutcomeTrue,
Message: "some text",
},
},
@ -211,23 +211,23 @@ func TestOutcome_UnmarshalYAML(t *testing.T) {
wantErr bool
}{
{
name: "positive outcome",
wantOutcome: OutcomePositive,
name: "true outcome",
wantOutcome: OutcomeTrue,
args: args{
n: &yaml.Node{
Kind: yaml.ScalarNode,
Value: "Positive",
Value: "True",
},
},
wantErr: false,
},
{
name: "negative outcome",
wantOutcome: OutcomeNegative,
name: "false outcome",
wantOutcome: OutcomeFalse,
args: args{
n: &yaml.Node{
Kind: yaml.ScalarNode,
Value: "Negative",
Value: "False",
},
},
wantErr: false,

4
pkg/probe_test.go
View File

@ -48,7 +48,7 @@ func Test_AsPJSON(t *testing.T) {
Findings: []finding.Finding{
{
Probe: "check for X",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Message: "found X",
Location: &finding.Location{
Path: "some/path/to/file",
@ -57,7 +57,7 @@ func Test_AsPJSON(t *testing.T) {
},
{
Probe: "check for Y",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Message: "did not find Y",
},
},

2
pkg/scorecard_test.go
View File

@ -235,7 +235,7 @@ func TestExperimentalRunProbes(t *testing.T) {
Findings: []finding.Finding{
{
Probe: fuzzed.Probe,
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
Message: "no fuzzer integrations found",
Remediation: &probe.Remediation{
Effort: probe.RemediationEffortHigh,

4
pkg/testdata/probe1.json vendored
View File

@ -16,12 +16,12 @@
},
"probe": "check for X",
"message": "found X",
"outcome": "Positive"
"outcome": "True"
},
{
"probe": "check for Y",
"message": "did not find Y",
"outcome": "Negative"
"outcome": "False"
}
]
}

4
probes/blocksDeleteOnBranches/def.yml
View File

@ -19,11 +19,11 @@ motivation: >
implementation: >
Checks the protection rules of default and release branches.
outcome:
- The probe returns one OutcomePositive for each branch that is disallowed from users deleting it, and one OutcomeNegative for branches where users are able to delete it. Scorecard only considers default and releases branches.
- The probe returns one OutcomeTrue for each branch that is disallowed from users deleting it, and one OutcomeFalse for branches where users are able to delete it. Scorecard only considers default and releases branches.
remediation:
effort: Low
text:
- Disallow deletion of branches in your project to remove negative outcomes.
- Disallow deletion of branches in your project to remove false outcomes.
- GitHub and GitLab by default disable deleting a protected branch.
ecosystem:
languages:

4
probes/blocksDeleteOnBranches/impl.go
View File

@ -65,10 +65,10 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
outcome = finding.OutcomeNotAvailable
case *branch.BranchProtectionRule.AllowDeletions:
text = fmt.Sprintf("'allow deletion' enabled on branch '%s'", *branch.Name)
outcome = finding.OutcomeNegative
outcome = finding.OutcomeFalse
case !*branch.BranchProtectionRule.AllowDeletions:
text = fmt.Sprintf("'allow deletion' disabled on branch '%s'", *branch.Name)
outcome = finding.OutcomePositive
outcome = finding.OutcomeTrue
default:
}
f, err := finding.NewWith(fs, Probe, text, nil, outcome)

20
probes/blocksDeleteOnBranches/impl_test.go
View File

@ -42,7 +42,7 @@ func Test_Run(t *testing.T) {
err error
}{
{
name: "One branch blocks branch deletion should result in one positive outcome",
name: "One branch blocks branch deletion should result in one true outcome",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -56,11 +56,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "Two branches that block branch deletions should result in two positive outcomes",
name: "Two branches that block branch deletions should result in two true outcomes",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -80,11 +80,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomePositive,
finding.OutcomeTrue, finding.OutcomeTrue,
},
},
{
name: "Two branches in total: One blocks branch deletion and one doesn't = 1 positive & 1 negative",
name: "Two branches in total: One blocks branch deletion and one doesn't = 1 true & 1 false",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -104,11 +104,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomeNegative,
finding.OutcomeTrue, finding.OutcomeFalse,
},
},
{
name: "Two branches in total: One blocks branch deletion and one doesn't = 1 negative & 1 positive",
name: "Two branches in total: One blocks branch deletion and one doesn't = 1 false & 1 true",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -128,11 +128,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomePositive,
finding.OutcomeFalse, finding.OutcomeTrue,
},
},
{
name: "Two branches in total: One blocks branch deletion and one lacks data = 1 negative & 1 unavailable",
name: "Two branches in total: One blocks branch deletion and one lacks data = 1 false & 1 unavailable",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -152,7 +152,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomeNotAvailable,
finding.OutcomeFalse, finding.OutcomeNotAvailable,
},
},
}

6
probes/blocksForcePushOnBranches/def.yml
View File

@ -19,16 +19,16 @@ motivation: >
implementation: >
Checks the protection rules of default and release branches.
outcome:
- The probe returns one OutcomePositive for each branch that is blocked from force pushes, and one OutcomeNegative for branches that allows force push.
- The probe returns one OutcomeTrue for each branch that is blocked from force pushes, and one OutcomeFalse for branches that allows force push.
- Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the repository.
remediation:
effort: Low
text:
- Disallow force pushes branches in your project to remove negative outcomes.
- Disallow force pushes branches in your project to remove false outcomes.
- For GitHub-hosted projects, force pushes are disabled by default. To make sure it has not been enabled, see ["Allow force pushes"](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes).
- For GitLab-hosted projects, follow the ["Protected branches"](https://docs.gitlab.com/ee/user/project/protected_branches.html) documentation to see who can force push to the project.
markdown:
- Disallow force pushes branches in your project to remove negative outcomes.
- Disallow force pushes branches in your project to remove false outcomes.
- For GitHub-hosted projects, force pushes are disabled by default. To make sure it has not been enabled, see ["Allow force pushes"](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes).
- For GitLab-hosted projects, follow the ["Protected branches"](https://docs.gitlab.com/ee/user/project/protected_branches.html) documentation to see who can force push to the project.
ecosystem:

4
probes/blocksForcePushOnBranches/impl.go
View File

@ -65,10 +65,10 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
outcome = finding.OutcomeNotAvailable
case *branch.BranchProtectionRule.AllowForcePushes:
text = fmt.Sprintf("'force pushes' enabled on branch '%s'", *branch.Name)
outcome = finding.OutcomeNegative
outcome = finding.OutcomeFalse
case !*branch.BranchProtectionRule.AllowForcePushes:
text = fmt.Sprintf("'force pushes' disabled on branch '%s'", *branch.Name)
outcome = finding.OutcomePositive
outcome = finding.OutcomeTrue
default:
}
f, err := finding.NewWith(fs, Probe, text, nil, outcome)

20
probes/blocksForcePushOnBranches/impl_test.go
View File

@ -42,7 +42,7 @@ func Test_Run(t *testing.T) {
err error
}{
{
name: "Blocks Force Push on 1/1 branches = 1 positive outcome",
name: "Blocks Force Push on 1/1 branches = 1 true outcome",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -56,11 +56,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "Blocks Force Push on 2/2 branches = 2 positive outcomes",
name: "Blocks Force Push on 2/2 branches = 2 true outcomes",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -80,11 +80,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomePositive,
finding.OutcomeTrue, finding.OutcomeTrue,
},
},
{
name: "Blocks Force Push on 1/2 branches = 1 positive and 1 negative outcome",
name: "Blocks Force Push on 1/2 branches = 1 true and 1 false outcome",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -104,11 +104,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomeNegative,
finding.OutcomeTrue, finding.OutcomeFalse,
},
},
{
name: "Blocks Force Push on 1/2 branches = 1 negative and 1 positive outcome",
name: "Blocks Force Push on 1/2 branches = 1 false and 1 true outcome",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -128,11 +128,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomePositive,
finding.OutcomeFalse, finding.OutcomeTrue,
},
},
{
name: "Blocks Force Push on 0/2 branches, 1 branch lacks data = 1 negative and 1 unavailable",
name: "Blocks Force Push on 0/2 branches, 1 branch lacks data = 1 false and 1 unavailable",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -152,7 +152,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomeNotAvailable,
finding.OutcomeFalse, finding.OutcomeNotAvailable,
},
},
}

2
probes/branchProtectionAppliesToAdmins/def.yml
View File

@ -19,7 +19,7 @@ motivation: >
implementation: >
Checks the protection rules of default and release branches.
outcome:
- The probe returns one OutcomePositive for each branch that enforces branch protection rules on admins, and one OutcomeNegative for branches that don't.
- The probe returns one OutcomeTrue for each branch that enforces branch protection rules on admins, and one OutcomeFalse for branches that don't.
remediation:
effort: Medium
text:

20
probes/branchProtectionAppliesToAdmins/impl_test.go
View File

@ -42,7 +42,7 @@ func Test_Run(t *testing.T) {
err error
}{
{
name: "1 branch enforces protection rules on admins = 1 positive outcome",
name: "1 branch enforces protection rules on admins = 1 true outcome",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -56,11 +56,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "1 branch enforces protection rules on admins = 2 positive outcomes",
name: "1 branch enforces protection rules on admins = 2 true outcomes",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -80,11 +80,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomePositive,
finding.OutcomeTrue, finding.OutcomeTrue,
},
},
{
name: "1 branch enforces protection rules on admins and 1 doesn't = 1 positive & 1 negative",
name: "1 branch enforces protection rules on admins and 1 doesn't = 1 true & 1 false",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -104,11 +104,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomeNegative,
finding.OutcomeTrue, finding.OutcomeFalse,
},
},
{
name: "1 branch does not enforce protection rules on admins and 1 does = 1 negative & 1 positive",
name: "1 branch does not enforce protection rules on admins and 1 does = 1 false & 1 true",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -128,11 +128,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomePositive,
finding.OutcomeFalse, finding.OutcomeTrue,
},
},
{
name: "1 branch does not enforce protection rules on admins and 1 doesn't have data = 1 negative & 1 unavailable",
name: "1 branch does not enforce protection rules on admins and 1 doesn't have data = 1 false & 1 unavailable",
raw: &checker.RawResults{
BranchProtectionResults: checker.BranchProtectionsData{
Branches: []clients.BranchRef{
@ -152,7 +152,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomeNotAvailable,
finding.OutcomeFalse, finding.OutcomeNotAvailable,
},
},
}

2
probes/branchesAreProtected/def.yml
View File

@ -19,7 +19,7 @@ motivation: >
implementation: >
Checks the protection rules of default and release branches.
outcome:
- The probe returns one OutcomePositive for each branch that is protected, and one OutcomeNegative for branches that are not protected. Scorecard only considers default and releases branches.
- The probe returns one OutcomeTrue for each branch that is protected, and one OutcomeFalse for branches that are not protected. Scorecard only considers default and releases branches.
remediation:
effort: Low
text:

4
probes/branchesAreProtected/impl.go
View File

@ -62,10 +62,10 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
var outcome finding.Outcome
if protected {
text = fmt.Sprintf("branch '%s' is protected", *branch.Name)
outcome = finding.OutcomePositive
outcome = finding.OutcomeTrue
} else {
text = fmt.Sprintf("branch '%s' is not protected", *branch.Name)
outcome = finding.OutcomeNegative
outcome = finding.OutcomeFalse
}
f, err := finding.NewWith(fs, Probe, text, nil, outcome)
if err != nil {

10
probes/branchesAreProtected/impl_test.go
View File

@ -53,7 +53,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -73,7 +73,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomePositive,
finding.OutcomeTrue, finding.OutcomeTrue,
},
},
{
@ -93,7 +93,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomeNegative,
finding.OutcomeTrue, finding.OutcomeFalse,
},
},
{
@ -113,7 +113,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomePositive,
finding.OutcomeFalse, finding.OutcomeTrue,
},
},
{
@ -135,7 +135,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomeNegative,
finding.OutcomeFalse, finding.OutcomeFalse,
},
},
}

4
probes/codeApproved/def.yml
View File

@ -23,8 +23,8 @@ implementation: >
Commits are grouped by the changeset they were introduced in, and each changesets must have at least one approval.
Reviewed, bot authored changesets (e.g. dependabot) are not counted.
outcome:
- If all commits were approved, the probe returns OutcomePositive
- If any commits were not approved, the probe returns OutcomeNegative
- If all commits were approved, the probe returns OutcomeTrue
- If any commits were not approved, the probe returns OutcomeFalse
- If there are no changes, the probe returns OutcomeNotApplicable
remediation:
effort: Low

4
probes/codeApproved/impl.go
View File

@ -100,13 +100,13 @@ func approvedRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID string
var reason string
switch {
case nApproved != nChanges:
outcome = finding.OutcomeNegative
outcome = finding.OutcomeFalse
reason = fmt.Sprintf("Found %d/%d approved changesets", nApproved, nChanges)
case !foundHumanActivity:
outcome = finding.OutcomeNotApplicable
reason = fmt.Sprintf("Found no human activity in the last %d changesets", nChangesets)
default:
outcome = finding.OutcomePositive
outcome = finding.OutcomeTrue
reason = "All changesets approved"
}
f, err := finding.NewWith(fs, probeID, reason, nil, outcome)

12
probes/codeApproved/impl_test.go
View File

@ -140,7 +140,7 @@ func TestProbeCodeApproved(t *testing.T) {
},
},
expectedOutcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -225,7 +225,7 @@ func TestProbeCodeApproved(t *testing.T) {
},
},
expectedOutcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -266,7 +266,7 @@ func TestProbeCodeApproved(t *testing.T) {
},
},
expectedOutcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -299,11 +299,11 @@ func TestProbeCodeApproved(t *testing.T) {
},
},
expectedOutcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "only unreviewed bot changesets gives negative outcome",
name: "only unreviewed bot changesets gives false outcome",
rawResults: &checker.RawResults{
CodeReviewResults: checker.CodeReviewData{
DefaultBranchChangesets: []checker.Changeset{
@ -326,7 +326,7 @@ func TestProbeCodeApproved(t *testing.T) {
},
},
expectedOutcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
}

4
probes/codeReviewOneReviewers/def.yml
View File

@ -22,8 +22,8 @@ implementation: >
Commits are grouped by the Pull Request they were introduced in.
Only unique reviewer logins that aren't the same as the changeset author are counted.
outcome:
- If all the changes had at least one reviewers, the probe returns OutcomePositive (1)
- If the changes had fewer than one reviewers, the prove returns OutcomeNegative (0)
- If all the changes had at least one reviewers, the probe returns OutcomeTrue (1)
- If the changes had fewer than one reviewers, the prove returns OutcomeFalse (0)
remediation:
effort: Low
text:

15
probes/codeReviewOneReviewers/impl.go
View File

@ -43,16 +43,15 @@ const (
func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
rawReviewData := &raw.CodeReviewResults
return codeReviewRun(rawReviewData, fs, Probe, finding.OutcomePositive, finding.OutcomeNegative)
return codeReviewRun(rawReviewData, fs, Probe, finding.OutcomeTrue, finding.OutcomeFalse)
}
// Looks through the data and validates author and reviewers of a changeset
// Scorecard currently only supports GitHub revisions and generates a positive
// Scorecard currently only supports GitHub revisions and generates a true
// score in the case of other platforms. This probe is created to ensure that
// there are a number of unique reviewers for each changeset.
func codeReviewRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID string,
positiveOutcome, negativeOutcome finding.Outcome,
trueOutcome, falseOutcome finding.Outcome,
) ([]finding.Finding, string, error) {
changesets := reviewData.DefaultBranchChangesets
var findings []finding.Finding
@ -99,17 +98,17 @@ func codeReviewRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID stri
findings = append(findings, *f)
return findings, probeID, nil
case leastFoundReviewers < minimumReviewers:
// returns NegativeOutcome if even a single changeset was reviewed by fewer than minimumReviewers (1).
// returns FalseOutcome if even a single changeset was reviewed by fewer than minimumReviewers (1).
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("some changesets had <%d reviewers",
minimumReviewers), nil, negativeOutcome)
minimumReviewers), nil, falseOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
default:
// returns PositiveOutcome if the lowest number of unique reviewers is at least as high as minimumReviewers (1).
// returns TrueOutcome if the lowest number of unique reviewers is at least as high as minimumReviewers (1).
f, err := finding.NewWith(fs, probeID, fmt.Sprintf(">%d reviewers found for all changesets",
minimumReviewers), nil, positiveOutcome)
minimumReviewers), nil, trueOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}

10
probes/codeReviewOneReviewers/impl_test.go
View File

@ -113,7 +113,7 @@ func TestProbeCodeReviewOneReviewers(t *testing.T) {
expectedFindings: []finding.Finding{
{
Probe: "codeReviewOneReviewers",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
},
@ -194,7 +194,7 @@ func TestProbeCodeReviewOneReviewers(t *testing.T) {
expectedFindings: []finding.Finding{
{
Probe: "codeReviewOneReviewers",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
},
@ -238,7 +238,7 @@ func TestProbeCodeReviewOneReviewers(t *testing.T) {
expectedFindings: []finding.Finding{
{
Probe: "codeReviewOneReviewers",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
},
@ -270,7 +270,7 @@ func TestProbeCodeReviewOneReviewers(t *testing.T) {
expectedFindings: []finding.Finding{
{
Probe: "codeReviewOneReviewers",
Outcome: finding.OutcomeNegative,
Outcome: finding.OutcomeFalse,
},
},
},
@ -306,7 +306,7 @@ func TestProbeCodeReviewOneReviewers(t *testing.T) {
expectedFindings: []finding.Finding{
{
Probe: "codeReviewOneReviewers",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
},
},
},

2
probes/contributorsFromOrgOrCompany/def.yml
View File

@ -22,7 +22,7 @@ motivation: >
implementation: >
The probe looks at the Company field on the user profile for authors of recent commits. To receive the highest score, the project must have had contributors from at least 3 different companies in the last 30 commits.
outcome:
- If the project has no contributing organizations or companies, the probe returns 1 OutcomeNegative
- If the project has no contributing organizations or companies, the probe returns 1 OutcomeFalse
- If the project has contributing organizations or companies, the probe returns 1 Outcome per org or company.
- If the probe fails to process the raw results, it returns nil instead of the findings slice as well as an error.
remediation:

6
probes/contributorsFromOrgOrCompany/impl.go
View File

@ -49,7 +49,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(users) == 0 {
f, err := finding.NewWith(fs, Probe,
"Project does not have contributors.", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -77,7 +77,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(entities) == 0 {
f, err := finding.NewWith(fs, Probe,
"No companies/organizations have contributed to the project.", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -90,7 +90,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
for e := range entities {
f, err := finding.NewWith(fs, Probe,
fmt.Sprintf("%s contributor org/company found", e), nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

24
probes/contributorsFromOrgOrCompany/impl_test.go
View File

@ -65,9 +65,9 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
},
}, {
name: "Test multiple users",
@ -98,12 +98,12 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
},
}, {
name: "Test multiple users where one user has insufficient contributions.",
@ -134,9 +134,9 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomeTrue,
finding.OutcomeTrue,
finding.OutcomeTrue,
},
},
}

4
probes/dependencyUpdateToolConfigured/def.yml
View File

@ -20,8 +20,8 @@ motivation: >
implementation: >
The implementation looks for the presence of various config files for different dependency update tools.
outcome:
- If a dependency update tool is configured, the probe returns OutcomePositive for each configuration.
- If no tool is detected, the probe returns OutcomeNegative.
- If a dependency update tool is configured, the probe returns OutcomeTrue for each configuration.
- If no tool is detected, the probe returns OutcomeFalse.
remediation:
effort: Low
text:

4
probes/dependencyUpdateToolConfigured/impl.go
View File

@ -44,7 +44,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
tools := raw.DependencyUpdateToolResults.Tools
if len(tools) == 0 {
f, err := finding.NewNegative(fs, Probe, "no dependency update tool configurations found", nil)
f, err := finding.NewFalse(fs, Probe, "no dependency update tool configurations found", nil)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -60,7 +60,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
loc = tool.Files[0].Location()
}
f, err := finding.NewPositive(fs, Probe, "detected update tool: "+tool.Name, loc)
f, err := finding.NewTrue(fs, Probe, "detected update tool: "+tool.Name, loc)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

12
probes/dependencyUpdateToolConfigured/impl_test.go
View File

@ -41,18 +41,18 @@ func TestRun(t *testing.T) {
err: uerror.ErrNil,
},
{
name: "negative outcome from no update tools",
name: "false outcome from no update tools",
raw: &checker.RawResults{
DependencyUpdateToolResults: checker.DependencyUpdateToolData{
Tools: []checker.Tool{},
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "one update tool is a positive outcomes",
name: "one update tool is a true outcomes",
raw: &checker.RawResults{
DependencyUpdateToolResults: checker.DependencyUpdateToolData{
Tools: []checker.Tool{
@ -63,7 +63,7 @@ func TestRun(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}
@ -112,7 +112,7 @@ func TestRun_Detailed(t *testing.T) {
{
Probe: Probe,
Message: "detected update tool: Dependabot",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
ToolKey: "Dependabot",
},
@ -138,7 +138,7 @@ func TestRun_Detailed(t *testing.T) {
{
Probe: Probe,
Message: "detected update tool: some update tool",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
ToolKey: "some update tool",
},

2
probes/dismissesStaleReviews/def.yml
View File

@ -19,7 +19,7 @@ motivation: >
implementation: >
Checks the protection rules of default and release branches.
outcome:
- The probe returns one OutcomePositive for each branch that dismisses the stale status of PRs, and one OutcomeNegative for branches that don't.
- The probe returns one OutcomeTrue for each branch that dismisses the stale status of PRs, and one OutcomeFalse for branches that don't.
remediation:
effort: High
text:

10
probes/dismissesStaleReviews/impl_test.go
View File

@ -58,7 +58,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -86,7 +86,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomePositive,
finding.OutcomeTrue, finding.OutcomeTrue,
},
},
{
@ -114,7 +114,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive, finding.OutcomeNegative,
finding.OutcomeTrue, finding.OutcomeFalse,
},
},
{
@ -142,7 +142,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomePositive,
finding.OutcomeFalse, finding.OutcomeTrue,
},
},
{
@ -170,7 +170,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative, finding.OutcomeNotAvailable,
finding.OutcomeFalse, finding.OutcomeNotAvailable,
},
},
}

4
probes/freeOfAnyBinaryArtifacts/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The implementation looks for the presence of binary files. This is a more restrictive probe than "freeOfUnverifiedBinaryArtifacts" which excludes verified binary files.
outcome:
- If the probe finds binary files, it returns a number of negative outcomes equal to the number of binary files found. Each outcome includes a location of the file.
- If the probe finds no verified binary files, it returns a single positive outcome.
- If the probe finds binary files, it returns a number of false outcomes equal to the number of binary files found. Each outcome includes a location of the file.
- If the probe finds no verified binary files, it returns a single true outcome.
remediation:
effort: Medium
text:

4
probes/freeOfAnyBinaryArtifacts/impl.go
View File

@ -46,7 +46,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(r.Files) == 0 {
f, err := finding.NewWith(fs, Probe,
"Repository does not have any binary artifacts.", nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -55,7 +55,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
for i := range r.Files {
file := &r.Files[i]
f, err := finding.NewWith(fs, Probe, "binary artifact detected",
nil, finding.OutcomeNegative)
nil, finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

20
probes/freeOfAnyBinaryArtifacts/impl_test.go
View File

@ -48,7 +48,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -57,7 +57,7 @@ func Test_Run(t *testing.T) {
BinaryArtifactResults: checker.BinaryArtifactData{},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -81,9 +81,9 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeFalse,
finding.OutcomeFalse,
finding.OutcomeFalse,
},
},
{
@ -111,10 +111,10 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeFalse,
finding.OutcomeFalse,
finding.OutcomeFalse,
finding.OutcomeFalse,
},
},
{
@ -125,7 +125,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/freeOfUnverifiedBinaryArtifacts/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The implementation looks for the presence of binary files that are not "verified". A verified binary is one that Scorecard considers valid for building and/or releasing the project. This is a more permissive probe than "freeOfAnyBinaryArtifacts" which does not skip verified binary files.
outcome:
- If the probe finds unverified binary files, it returns a number of negative outcomes equal to the number of unverified binary files found. Each outcome includes a location of the file.
- If the probe finds no unverified binary files, it returns a single positive outcome.
- If the probe finds unverified binary files, it returns a number of false outcomes equal to the number of unverified binary files found. Each outcome includes a location of the file.
- If the probe finds no unverified binary files, it returns a single true outcome.
remediation:
effort: Medium
text:

4
probes/freeOfUnverifiedBinaryArtifacts/impl.go
View File

@ -49,7 +49,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
continue
}
f, err := finding.NewWith(fs, Probe, "binary artifact detected",
nil, finding.OutcomeNegative)
nil, finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -64,7 +64,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(findings) == 0 {
f, err := finding.NewWith(fs, Probe,
"Repository does not have binary artifacts.", nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

8
probes/freeOfUnverifiedBinaryArtifacts/impl_test.go
View File

@ -49,7 +49,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -73,8 +73,8 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeNegative,
finding.OutcomeFalse,
finding.OutcomeFalse,
},
},
{
@ -90,7 +90,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/fuzzed/def.yml
View File

@ -20,8 +20,8 @@ motivation: >
implementation: >
The implementation looks for various fuzzing function signatures, imports, configuration files, and external integration data.
outcome:
- If a fuzzing tool is found, one finding per tool with OutcomePositive is returned.
- If no fuzzing tool is found, or the project uses a tool we don't detect, one finding with OutcomeNegative is returned.
- If a fuzzing tool is found, one finding per tool with OutcomeTrue is returned.
- If no fuzzing tool is found, or the project uses a tool we don't detect, one finding with OutcomeFalse is returned.
remediation:
effort: High
text:

6
probes/fuzzed/impl.go
View File

@ -44,7 +44,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
fuzzers := raw.FuzzingResults.Fuzzers
if len(fuzzers) == 0 {
f, err := finding.NewNegative(fs, Probe, "no fuzzer integrations found", nil)
f, err := finding.NewFalse(fs, Probe, "no fuzzer integrations found", nil)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -57,7 +57,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
// The current implementation does not provide file location
// for all fuzzers. Check this first.
if len(fuzzer.Files) == 0 {
f, err := finding.NewPositive(fs, Probe, fuzzer.Name+" integration found", nil)
f, err := finding.NewTrue(fs, Probe, fuzzer.Name+" integration found", nil)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -67,7 +67,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
// Files are present. Create one results for each file location.
for _, file := range fuzzer.Files {
f, err := finding.NewPositive(fs, Probe, fuzzer.Name+" integration found", file.Location())
f, err := finding.NewTrue(fs, Probe, fuzzer.Name+" integration found", file.Location())
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

16
probes/fuzzed/impl_test.go
View File

@ -41,18 +41,18 @@ func Test_Run(t *testing.T) {
err: uerror.ErrNil,
},
{
name: "negative outcome from no fuzzers",
name: "false outcome from no fuzzers",
raw: &checker.RawResults{
FuzzingResults: checker.FuzzingData{
Fuzzers: []checker.Tool{},
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "one fuzzer is a positive outcomes",
name: "one fuzzer is a true outcomes",
raw: &checker.RawResults{
FuzzingResults: checker.FuzzingData{
Fuzzers: []checker.Tool{
@ -63,7 +63,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -81,8 +81,8 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomePositive,
finding.OutcomeTrue,
finding.OutcomeTrue,
},
},
}
@ -131,7 +131,7 @@ func TestRun_Detailed(t *testing.T) {
{
Probe: Probe,
Message: "GoBuiltInFuzzer integration found",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
ToolKey: fuzzers.BuiltInGo,
},
@ -157,7 +157,7 @@ func TestRun_Detailed(t *testing.T) {
{
Probe: Probe,
Message: "some fuzzer integration found",
Outcome: finding.OutcomePositive,
Outcome: finding.OutcomeTrue,
Values: map[string]string{
ToolKey: "some fuzzer",
},

4
probes/hasDangerousWorkflowScriptInjection/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The probe iterates through the workflows from the raw results and checks the workflow type. If it finds a workflow of the type `DangerousWorkflowScriptInjection`, it returns.
outcome:
- If the project has at least one workflow with possibility of script injection, the probe returns one finding with OutcomeNegative (0).
- If the project does not have a single workflow with possibility of script injection, the probe returns one finding with OutcomePositive (1).
- If the project has at least one workflow with possibility of script injection, the probe returns one finding with OutcomeFalse (0).
- If the project does not have a single workflow with possibility of script injection, the probe returns one finding with OutcomeTrue (1).
remediation:
effort: Low
text:

8
probes/hasDangerousWorkflowScriptInjection/impl.go
View File

@ -57,7 +57,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if e.Type == checker.DangerousWorkflowScriptInjection {
f, err := finding.NewWith(fs, Probe,
fmt.Sprintf("script injection with untrusted input '%v'", e.File.Snippet),
nil, finding.OutcomeNegative)
nil, finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -72,16 +72,16 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
}
if len(findings) == 0 {
return positiveOutcome()
return trueOutcome()
}
return findings, Probe, nil
}
func positiveOutcome() ([]finding.Finding, string, error) {
func trueOutcome() ([]finding.Finding, string, error) {
f, err := finding.NewWith(fs, Probe,
"Project does not have dangerous workflow(s) with possibility of script injection.", nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

4
probes/hasDangerousWorkflowScriptInjection/impl_test.go
View File

@ -48,7 +48,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -64,7 +64,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/hasDangerousWorkflowUntrustedCheckout/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The probe iterates through the workflows from the raw results and checks the workflow type. If it finds a workflow of the type `DangerousWorkflowUntrustedCheckout`, it returns.
outcome:
- If the project has at least one workflow with possibility of untrusted code checkout, the probe returns one finding with OutcomeNegative (0).
- If the project does not have a single workflow with possibility of untrusted code checkout, the probe returns one finding with OutcomePositive (1).
- If the project has at least one workflow with possibility of untrusted code checkout, the probe returns one finding with OutcomeFalse (0).
- If the project does not have a single workflow with possibility of untrusted code checkout, the probe returns one finding with OutcomeTrue (1).
remediation:
effort: Low
text:

14
probes/hasDangerousWorkflowUntrustedCheckout/impl.go
View File

@ -32,6 +32,8 @@ func init() {
//go:embed *.yml
var fs embed.FS
// TODO(#3654) fix this probe. true/false positive/negative swap made this confusing.
const Probe = "hasDangerousWorkflowUntrustedCheckout"
func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
@ -57,7 +59,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if e.Type == checker.DangerousWorkflowUntrustedCheckout {
f, err := finding.NewWith(fs, Probe,
fmt.Sprintf("untrusted code checkout '%v'", e.File.Snippet),
nil, finding.OutcomeNegative)
nil, finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -71,25 +73,25 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
}
}
if len(findings) == 0 {
return positiveOutcome()
return trueOutcome()
}
return findings, Probe, nil
}
func positiveOutcome() ([]finding.Finding, string, error) {
func trueOutcome() ([]finding.Finding, string, error) {
f, err := finding.NewWith(fs, Probe,
"Project does not have workflow(s) with untrusted checkout.", nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
return []finding.Finding{*f}, Probe, nil
}
/*func negativeOutcome() ([]finding.Finding, string, error) {
/*func falseOutcome() ([]finding.Finding, string, error) {
f, err := finding.NewWith(fs, Probe,
"Project has workflow(s) with untrusted checkout.", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

4
probes/hasDangerousWorkflowUntrustedCheckout/impl_test.go
View File

@ -48,7 +48,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -64,7 +64,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
}

4
probes/hasFSFOrOSIApprovedLicense/def.yml
View File

@ -19,9 +19,9 @@ motivation: >
implementation: >
The implementation checks whether a license file is present and is of an approved format
outcome:
- If a license file is found and is of an approved format, the probe returns a single OutcomePositive.
- If a license file is found and is of an approved format, the probe returns a single OutcomeTrue.
- If a license file is missing the probe returns a single OutcomeNotApplicable.
- If the license is not of an approved format, the probe returns a single OutcomeNegative.
- If the license is not of an approved format, the probe returns a single OutcomeFalse.
remediation:
effort: Low
text:

4
probes/hasFSFOrOSIApprovedLicense/impl.go
View File

@ -55,7 +55,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
}
licenseFile := licenseFile
loc := licenseFile.File.Location()
f, err := finding.NewPositive(fs, Probe, "FSF or OSI recognized license: "+licenseFile.LicenseInformation.Name, loc)
f, err := finding.NewTrue(fs, Probe, "FSF or OSI recognized license: "+licenseFile.LicenseInformation.Name, loc)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -64,7 +64,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
f, err := finding.NewWith(fs, Probe,
"project license file does not contain an FSF or OSI license.", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

18
probes/hasFSFOrOSIApprovedLicense/impl_test.go
View File

@ -36,7 +36,7 @@ func Test_Run(t *testing.T) {
err error
}{
{
name: "License file found and is approved: outcome should be positive",
name: "License file found and is approved: outcome should be true",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{
@ -52,11 +52,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "License file found and is not approved: outcome should be negative",
name: "License file found and is not approved: outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{
@ -72,11 +72,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "License file not found and outcome should be negative",
name: "License file not found and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{},
@ -87,7 +87,7 @@ func Test_Run(t *testing.T) {
},
},
{
name: "License file found but is not approved. Outcome should be Negative",
name: "License file found but is not approved. Outcome should be False",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{
@ -111,11 +111,11 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "nil license files and outcome should be negative",
name: "nil license files and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: nil,
@ -126,7 +126,7 @@ func Test_Run(t *testing.T) {
},
},
{
name: "0 license files and outcome should be negative",
name: "0 license files and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{},

4
probes/hasLicenseFile/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The implementation checks whether a license file is present.
outcome:
- If license files are found, the probe returns OutcomePositive for each license file.
- If a license file is not found, the probe returns a single OutcomeNegative.
- If license files are found, the probe returns OutcomeTrue for each license file.
- If a license file is not found, the probe returns a single OutcomeFalse.
remediation:
effort: Low
text:

4
probes/hasLicenseFile/impl.go
View File

@ -44,7 +44,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
licenseFiles := raw.LicenseResults.LicenseFiles
if len(licenseFiles) == 0 {
f, err := finding.NewNegative(fs, Probe, "project does not have a license file", nil)
f, err := finding.NewFalse(fs, Probe, "project does not have a license file", nil)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -54,7 +54,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
for _, licenseFile := range licenseFiles {
licenseFile := licenseFile
loc := licenseFile.File.Location()
f, err := finding.NewPositive(fs, Probe, "project has a license file", loc)
f, err := finding.NewTrue(fs, Probe, "project has a license file", loc)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

18
probes/hasLicenseFile/impl_test.go
View File

@ -36,7 +36,7 @@ func Test_Run(t *testing.T) {
err error
}{
{
name: "License file found and outcome should be positive",
name: "License file found and outcome should be true",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{
@ -49,40 +49,40 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
name: "License file not found and outcome should be negative",
name: "License file not found and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{},
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "nil license files and outcome should be negative",
name: "nil license files and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: nil,
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
name: "0 license files and outcome should be negative",
name: "0 license files and outcome should be false",
raw: &checker.RawResults{
LicenseResults: checker.LicenseData{
LicenseFiles: []checker.LicenseFile{},
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -93,7 +93,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
}

4
probes/hasNoGitHubWorkflowPermissionUnknown/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The probe checks the permission levels of a projects workflows and collects the workflows that have unknown permissions.
outcome:
- The probe returns 1 negative outcome per workflow without unknown permission level(s).
- The probe returns 1 positive outcome if the project has no workflows with unknown permission levels.
- The probe returns 1 false outcome per workflow without unknown permission level(s).
- The probe returns 1 true outcome if the project has no workflows with unknown permission levels.
remediation:
effort: Low
text:

4
probes/hasNoGitHubWorkflowPermissionUnknown/impl.go
View File

@ -55,7 +55,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
}
// Create finding
f, err := permissions.CreateNegativeFinding(r, Probe, fs, raw.Metadata.Metadata)
f, err := permissions.CreateFalseFinding(r, Probe, fs, raw.Metadata.Metadata)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -65,7 +65,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(findings) == 0 {
f, err := finding.NewWith(fs, Probe,
"no workflows with unknown permissions",
nil, finding.OutcomePositive)
nil, finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

4
probes/hasNoGitHubWorkflowPermissionUnknown/impl_test.go
View File

@ -57,7 +57,7 @@ func Test_Run(t *testing.T) {
},
},
Outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -73,7 +73,7 @@ func Test_Run(t *testing.T) {
},
},
Outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/hasOSVVulnerabilities/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The implementation fetches data from OSV.dev about the project which shows whether a given project has known, unfixed vulnerabilities. The implementation uses the number of known, unfixed vulnerabilities to score.
outcome:
- The probe returns one negative outcome for each vulnerability found in OSV.
- If there are no known vulnerabilities from the raw results, the probe returns one positive outcome.
- The probe returns one false outcome for each vulnerability found in OSV.
- If there are no known vulnerabilities from the raw results, the probe returns one true outcome.
remediation:
effort: High
text:

4
probes/hasOSVVulnerabilities/impl.go
View File

@ -51,7 +51,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
if len(raw.VulnerabilitiesResults.Vulnerabilities) == 0 {
f, err := finding.NewWith(fs, Probe,
"Project does not contain OSV vulnerabilities", nil,
finding.OutcomePositive)
finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -72,7 +72,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
}
f, err := finding.NewWith(fs, Probe,
"Project contains OSV vulnerabilities", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

4
probes/hasOSVVulnerabilities/impl_test.go
View File

@ -47,7 +47,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomeNegative,
finding.OutcomeFalse,
},
},
{
@ -58,7 +58,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/hasOpenSSFBadge/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The probe checks the type of the badge from the raw results.
outcome:
- If the project has a badge, the probe returns one OutcomePositive (1). The finding includes an entry in the `Values` map with the key describing the badge level.
- If the project does not have a badge, the probe returns one OutcomeNegative (0).
- If the project has a badge, the probe returns one OutcomeTrue (1). The finding includes an entry in the `Values` map with the key describing the badge level.
- If the project does not have a badge, the probe returns one OutcomeFalse (0).
remediation:
effort: High
text:

4
probes/hasOpenSSFBadge/impl.go
View File

@ -65,7 +65,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
default:
f, err := finding.NewWith(fs, Probe,
"Project does not have an OpenSSF badge", nil,
finding.OutcomeNegative)
finding.OutcomeFalse)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}
@ -74,7 +74,7 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
f, err := finding.NewWith(fs, Probe,
fmt.Sprintf("OpenSSF best practice badge found at %s level.", badgeLevel),
nil, finding.OutcomePositive)
nil, finding.OutcomeTrue)
if err != nil {
return nil, Probe, fmt.Errorf("create finding: %w", err)
}

10
probes/hasOpenSSFBadge/impl_test.go
View File

@ -44,7 +44,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -55,7 +55,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -66,7 +66,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -77,7 +77,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
{
@ -88,7 +88,7 @@ func Test_Run(t *testing.T) {
},
},
outcomes: []finding.Outcome{
finding.OutcomePositive,
finding.OutcomeTrue,
},
},
}

4
probes/hasRecentCommits/def.yml
View File

@ -19,8 +19,8 @@ motivation: >
implementation: >
The implementation checks the number of commits made in the last 90 days by any user type.
outcome:
- If the project has commits from the last 90 days, the probe returns one OutcomePositive with a "commitsWithinThreshold" value which contains the number of commits that the probe found within the threshold. The probe will also return a "lookBackDays" value which is the number of days that the probe includes in its threshold - which is 90.
- If the project does not have commits in the last 90 days, the probe returns a single OutcomeNegative.
- If the project has commits from the last 90 days, the probe returns one OutcomeTrue with a "commitsWithinThreshold" value which contains the number of commits that the probe found within the threshold. The probe will also return a "lookBackDays" value which is the number of days that the probe includes in its threshold - which is 90.
- If the project does not have commits in the last 90 days, the probe returns a single OutcomeFalse.
remediation:
effort: Low
text:

4
probes/hasRecentCommits/impl.go
View File

@ -63,10 +63,10 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
var outcome finding.Outcome
if commitsWithinThreshold > 0 {
text = "Found a contribution within the threshold."
outcome = finding.OutcomePositive
outcome = finding.OutcomeTrue
} else {
text = "Did not find contribution within the threshold."
outcome = finding.OutcomeNegative
outcome = finding.OutcomeFalse
}
f, err := finding.NewWith(fs, Probe, text, nil, outcome)
if err != nil {

6
probes/hasRecentCommits/impl_test.go
View File

@ -67,7 +67,7 @@ func Test_Run(t *testing.T) {
Issues: []clients.Issue{},
},
},
outcomes: []finding.Outcome{finding.OutcomeNegative},
outcomes: []finding.Outcome{finding.OutcomeFalse},
},
{
name: "Has five commits in threshold",
@ -80,7 +80,7 @@ func Test_Run(t *testing.T) {
NumCommitsKey: "5",
LookbackDayKey: strconv.Itoa(lookBackDays),
},
outcomes: []finding.Outcome{finding.OutcomePositive},
outcomes: []finding.Outcome{finding.OutcomeTrue},
},
{
name: "Has twenty in threshold",
@ -93,7 +93,7 @@ func Test_Run(t *testing.T) {
NumCommitsKey: "20",
LookbackDayKey: strconv.Itoa(lookBackDays),
},
outcomes: []finding.Outcome{finding.OutcomePositive},
outcomes: []finding.Outcome{finding.OutcomeTrue},
},
}
for _, tt := range tests {

Some files were not shown because too many files have changed in this diff Show More