mirror of
https://github.com/ossf/scorecard.git
synced 2024-11-04 20:30:19 +03:00
Export registered check names (#518)
Co-authored-by: Azeem Shaikh <azeems@google.com>
This commit is contained in:
Azeem Shaikh
GitHub
parent
df44a898cf
commit
be8aa3d713
@ -23,31 +23,32 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
activeStr = "Active"
|
||||
// CheckActive is the registered name for IsActive.
|
||||
CheckActive = "Active"
|
||||
lookbackDays = 90
|
||||
)
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(activeStr, IsActive)
|
||||
registerCheck(CheckActive, IsActive)
|
||||
}
|
||||
|
||||
func IsActive(c *checker.CheckRequest) checker.CheckResult {
|
||||
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(activeStr, err)
|
||||
return checker.MakeRetryResult(CheckActive, err)
|
||||
}
|
||||
|
||||
tz, err := time.LoadLocation("UTC")
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(activeStr, err)
|
||||
return checker.MakeRetryResult(CheckActive, err)
|
||||
}
|
||||
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays)
|
||||
totalCommits := 0
|
||||
for _, commit := range commits {
|
||||
commitFull, _, err := c.Client.Git.GetCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA())
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(activeStr, err)
|
||||
return checker.MakeRetryResult(CheckActive, err)
|
||||
}
|
||||
if commitFull.GetAuthor().GetDate().After(threshold) {
|
||||
totalCommits++
|
||||
@ -57,7 +58,7 @@ func IsActive(c *checker.CheckRequest) checker.CheckResult {
|
||||
const numCommits = 2
|
||||
const confidence = 10
|
||||
return checker.CheckResult{
|
||||
Name: activeStr,
|
||||
Name: CheckActive,
|
||||
Pass: totalCommits >= numCommits,
|
||||
Confidence: confidence,
|
||||
}
|
||||
|
||||
@ -21,33 +21,34 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
branchProtectionStr = "Branch-Protection"
|
||||
minReviews = 1
|
||||
// CheckBranchProtection is the registered name for BranchProtection.
|
||||
CheckBranchProtection = "Branch-Protection"
|
||||
minReviews = 1
|
||||
)
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(branchProtectionStr, BranchProtection)
|
||||
registerCheck(CheckBranchProtection, BranchProtection)
|
||||
}
|
||||
|
||||
func BranchProtection(c *checker.CheckRequest) checker.CheckResult {
|
||||
repo, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(branchProtectionStr, err)
|
||||
return checker.MakeRetryResult(CheckBranchProtection, err)
|
||||
}
|
||||
|
||||
protection, resp, err := c.Client.Repositories.
|
||||
GetBranchProtection(c.Ctx, c.Owner, c.Repo, *repo.DefaultBranch)
|
||||
const fileNotFound = 404
|
||||
if resp.StatusCode == fileNotFound {
|
||||
return checker.MakeRetryResult(branchProtectionStr, err)
|
||||
return checker.MakeRetryResult(CheckBranchProtection, err)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
c.Logf("!! branch protection not enabled")
|
||||
const confidence = 10
|
||||
return checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Confidence: confidence,
|
||||
}
|
||||
@ -99,7 +100,7 @@ func IsBranchProtected(protection *github.Protection, c *checker.CheckRequest) c
|
||||
totalSuccess++
|
||||
}
|
||||
|
||||
return checker.MakeProportionalResult(branchProtectionStr, totalSuccess, totalChecks, 1.0)
|
||||
return checker.MakeProportionalResult(CheckBranchProtection, totalSuccess, totalChecks, 1.0)
|
||||
}
|
||||
|
||||
// Returns true if several PR status checks requirements are enabled. Otherwise returns false and logs why it failed.
|
||||
|
||||
@ -85,7 +85,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 7,
|
||||
@ -132,7 +132,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 5,
|
||||
@ -179,7 +179,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 7,
|
||||
@ -227,7 +227,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 5,
|
||||
@ -274,7 +274,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 5,
|
||||
@ -321,7 +321,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 5,
|
||||
@ -368,7 +368,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 9,
|
||||
@ -415,7 +415,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: false,
|
||||
Details: nil,
|
||||
Confidence: 9,
|
||||
@ -462,7 +462,7 @@ func TestIsBranchProtected(t *testing.T) {
|
||||
c: checker.CheckRequest{Logf: l.Logf},
|
||||
},
|
||||
want: checker.CheckResult{
|
||||
Name: branchProtectionStr,
|
||||
Name: CheckBranchProtection,
|
||||
Pass: true,
|
||||
Details: nil,
|
||||
Confidence: 10,
|
||||
|
||||
@ -23,23 +23,21 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const (
|
||||
ciTestsStr = "CI-Tests"
|
||||
success = "success"
|
||||
)
|
||||
|
||||
// States for which CI system is in use.
|
||||
type ciSystemState int
|
||||
|
||||
const (
|
||||
unknown ciSystemState = iota
|
||||
// CheckCITests is the registered name for CITests.
|
||||
CheckCITests = "CI-Tests"
|
||||
success = "success"
|
||||
unknown ciSystemState = iota
|
||||
githubStatuses
|
||||
githubCheckRuns
|
||||
)
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(ciTestsStr, CITests)
|
||||
registerCheck(CheckCITests, CITests)
|
||||
}
|
||||
|
||||
func CITests(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -47,7 +45,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
|
||||
State: "closed",
|
||||
})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciTestsStr, err)
|
||||
return checker.MakeRetryResult(CheckCITests, err)
|
||||
}
|
||||
|
||||
usedSystem := unknown
|
||||
@ -65,7 +63,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
|
||||
if usedSystem != githubCheckRuns {
|
||||
prSuccessStatus, err := prHasSuccessStatus(pr, c)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciTestsStr, err)
|
||||
return checker.MakeRetryResult(CheckCITests, err)
|
||||
}
|
||||
if prSuccessStatus {
|
||||
totalTested++
|
||||
@ -79,7 +77,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
|
||||
if usedSystem != githubStatuses {
|
||||
prCheckSuccessful, err := prHasSuccessfulCheck(pr, c)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciTestsStr, err)
|
||||
return checker.MakeRetryResult(CheckCITests, err)
|
||||
}
|
||||
if prCheckSuccessful {
|
||||
totalTested++
|
||||
@ -94,7 +92,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
c.Logf("found CI tests for %d of %d merged PRs", totalTested, totalMerged)
|
||||
return checker.MakeProportionalResult(ciTestsStr, totalTested, totalMerged, .75)
|
||||
return checker.MakeProportionalResult(CheckCITests, totalTested, totalMerged, .75)
|
||||
}
|
||||
|
||||
// PR has a status marked 'success' and a CI-related context.
|
||||
|
||||
@ -23,11 +23,12 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const ciiBestPracticesStr = "CII-Best-Practices"
|
||||
// CheckCIIBestPractices is the registered name for CIIBestPractices.
|
||||
const CheckCIIBestPractices = "CII-Best-Practices"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(ciiBestPracticesStr, CIIBestPractices)
|
||||
registerCheck(CheckCIIBestPractices, CIIBestPractices)
|
||||
}
|
||||
|
||||
type response struct {
|
||||
@ -39,28 +40,28 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult {
|
||||
url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURL)
|
||||
req, err := http.NewRequestWithContext(c.Ctx, "GET", url, nil)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciiBestPracticesStr, err)
|
||||
return checker.MakeRetryResult(CheckCIIBestPractices, err)
|
||||
}
|
||||
resp, err := c.HTTPClient.Do(req)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciiBestPracticesStr, err)
|
||||
return checker.MakeRetryResult(CheckCIIBestPractices, err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
b, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(ciiBestPracticesStr, err)
|
||||
return checker.MakeRetryResult(CheckCIIBestPractices, err)
|
||||
}
|
||||
|
||||
parsedResponse := []response{}
|
||||
if err := json.Unmarshal(b, &parsedResponse); err != nil {
|
||||
return checker.MakeRetryResult(ciiBestPracticesStr, err)
|
||||
return checker.MakeRetryResult(CheckCIIBestPractices, err)
|
||||
}
|
||||
|
||||
if len(parsedResponse) < 1 {
|
||||
c.Logf("no badge found")
|
||||
return checker.CheckResult{
|
||||
Name: ciiBestPracticesStr,
|
||||
Name: CheckCIIBestPractices,
|
||||
Pass: false,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
@ -71,14 +72,14 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult {
|
||||
|
||||
if result.BadgeLevel != "" {
|
||||
return checker.CheckResult{
|
||||
Name: ciiBestPracticesStr,
|
||||
Name: CheckCIIBestPractices,
|
||||
Pass: true,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
}
|
||||
|
||||
return checker.CheckResult{
|
||||
Name: ciiBestPracticesStr,
|
||||
Name: CheckCIIBestPractices,
|
||||
Pass: false,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
|
||||
@ -23,14 +23,15 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const codeReviewStr = "Code-Review"
|
||||
// CheckCodeReview is the registered name for DoesCodeReview.
|
||||
const CheckCodeReview = "Code-Review"
|
||||
|
||||
// ErrorNoReviews indicates no reviews were found for this repo.
|
||||
var ErrorNoReviews = errors.New("no reviews found")
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(codeReviewStr, DoesCodeReview)
|
||||
registerCheck(CheckCodeReview, DoesCodeReview)
|
||||
}
|
||||
|
||||
// DoesCodeReview attempts to determine whether a project requires review before code gets merged.
|
||||
@ -53,7 +54,7 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult {
|
||||
State: "closed",
|
||||
})
|
||||
if err != nil {
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, err)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, err)
|
||||
}
|
||||
|
||||
totalMerged := 0
|
||||
@ -98,32 +99,32 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult {
|
||||
if totalReviewed > 0 {
|
||||
c.Logf("github code reviews found")
|
||||
}
|
||||
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75)
|
||||
return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75)
|
||||
}
|
||||
|
||||
func IsPrReviewRequired(c *checker.CheckRequest) checker.CheckResult {
|
||||
// Look to see if review is enforced.
|
||||
r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(codeReviewStr, err)
|
||||
return checker.MakeRetryResult(CheckCodeReview, err)
|
||||
}
|
||||
|
||||
// Check the branch protection rules, we may not be able to get these though.
|
||||
bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch())
|
||||
if err != nil {
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, err)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, err)
|
||||
}
|
||||
if bp.GetRequiredPullRequestReviews() != nil &&
|
||||
bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 {
|
||||
c.Logf("pr review policy enforced")
|
||||
const confidence = 5
|
||||
return checker.CheckResult{
|
||||
Name: codeReviewStr,
|
||||
Name: CheckCodeReview,
|
||||
Pass: true,
|
||||
Confidence: confidence,
|
||||
}
|
||||
}
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, nil)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, nil)
|
||||
}
|
||||
|
||||
func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -132,7 +133,7 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
|
||||
State: "closed",
|
||||
})
|
||||
if err != nil {
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, err)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, err)
|
||||
}
|
||||
|
||||
totalMerged := 0
|
||||
@ -151,16 +152,16 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
if totalReviewed == 0 {
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews)
|
||||
}
|
||||
c.Logf("prow code reviews found")
|
||||
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75)
|
||||
return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75)
|
||||
}
|
||||
|
||||
func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult {
|
||||
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(codeReviewStr, err)
|
||||
return checker.MakeRetryResult(CheckCodeReview, err)
|
||||
}
|
||||
|
||||
total := 0
|
||||
@ -191,8 +192,8 @@ func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
if totalReviewed == 0 {
|
||||
return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews)
|
||||
return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews)
|
||||
}
|
||||
c.Logf("code reviews found")
|
||||
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, total, .75)
|
||||
return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, total, .75)
|
||||
}
|
||||
|
||||
@ -25,18 +25,19 @@ import (
|
||||
const (
|
||||
minContributionsPerUser = 5
|
||||
minOrganizationCount = 2
|
||||
contributorsStr = "Contributors"
|
||||
// CheckContributors is the registered name for Contributors.
|
||||
CheckContributors = "Contributors"
|
||||
)
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(contributorsStr, Contributors)
|
||||
registerCheck(CheckContributors, Contributors)
|
||||
}
|
||||
|
||||
func Contributors(c *checker.CheckRequest) checker.CheckResult {
|
||||
contribs, _, err := c.Client.Repositories.ListContributors(c.Ctx, c.Owner, c.Repo, &github.ListContributorsOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(contributorsStr, err)
|
||||
return checker.MakeRetryResult(CheckContributors, err)
|
||||
}
|
||||
|
||||
companies := map[string]struct{}{}
|
||||
@ -46,7 +47,7 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
u, _, err := c.Client.Users.Get(c.Ctx, contrib.GetLogin())
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(contributorsStr, err)
|
||||
return checker.MakeRetryResult(CheckContributors, err)
|
||||
}
|
||||
orgs, _, err := c.Client.Organizations.List(c.Ctx, contrib.GetLogin(), nil)
|
||||
if err != nil {
|
||||
@ -74,13 +75,13 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult {
|
||||
c.Logf("companies found: %v", strings.Join(names, ","))
|
||||
if len(companies) >= minOrganizationCount {
|
||||
return checker.CheckResult{
|
||||
Name: contributorsStr,
|
||||
Name: CheckContributors,
|
||||
Pass: true,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
}
|
||||
return checker.CheckResult{
|
||||
Name: contributorsStr,
|
||||
Name: CheckContributors,
|
||||
Pass: false,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
|
||||
@ -26,7 +26,8 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const frozenDepsStr = "Frozen-Deps"
|
||||
// CheckFrozenDeps is the registered name for FrozenDeps.
|
||||
const CheckFrozenDeps = "Frozen-Deps"
|
||||
|
||||
// ErrInvalidDockerfile : Invalid docker file.
|
||||
var ErrInvalidDockerfile = errors.New("invalid docker file")
|
||||
@ -36,7 +37,7 @@ var ErrEmptyFile = errors.New("file has no content")
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(frozenDepsStr, FrozenDeps)
|
||||
registerCheck(CheckFrozenDeps, FrozenDeps)
|
||||
}
|
||||
|
||||
// FrozenDeps will check the repository if it contains frozen dependecies.
|
||||
@ -54,7 +55,7 @@ func FrozenDeps(c *checker.CheckRequest) checker.CheckResult {
|
||||
// ======================== Dockerfiles =======================
|
||||
// ============================================================.
|
||||
func isDockerfilePinned(c *checker.CheckRequest) checker.CheckResult {
|
||||
return CheckFilesContent(frozenDepsStr, "*Dockerfile*", false, c, validateDockerfile)
|
||||
return CheckFilesContent(CheckFrozenDeps, "*Dockerfile*", false, c, validateDockerfile)
|
||||
}
|
||||
|
||||
func validateDockerfile(path string, content []byte,
|
||||
@ -141,7 +142,7 @@ func validateDockerfile(path string, content []byte,
|
||||
|
||||
// Check pinning of github actions in workflows.
|
||||
func isGitHubActionsWorkflowPinned(c *checker.CheckRequest) checker.CheckResult {
|
||||
return CheckFilesContent(frozenDepsStr, ".github/workflows/*", true, c, validateGitHubActionWorkflow)
|
||||
return CheckFilesContent(CheckFrozenDeps, ".github/workflows/*", true, c, validateGitHubActionWorkflow)
|
||||
}
|
||||
|
||||
// Check file content.
|
||||
@ -199,7 +200,7 @@ func validateGitHubActionWorkflow(path string, content []byte, logf func(s strin
|
||||
|
||||
// Check presence of lock files thru validatePackageManagerFile().
|
||||
func isPackageManagerLockFilePresent(c *checker.CheckRequest) checker.CheckResult {
|
||||
return CheckIfFileExists(frozenDepsStr, c, validatePackageManagerFile)
|
||||
return CheckIfFileExists(CheckFrozenDeps, c, validatePackageManagerFile)
|
||||
}
|
||||
|
||||
// validatePackageManagerFile will validate the if frozen dependecies file name exists.
|
||||
|
||||
@ -22,11 +22,12 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const fuzzingStr = "Fuzzing"
|
||||
// CheckFuzzing is the registered name for Fuzzing.
|
||||
const CheckFuzzing = "Fuzzing"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(fuzzingStr, Fuzzing)
|
||||
registerCheck(CheckFuzzing, Fuzzing)
|
||||
}
|
||||
|
||||
func Fuzzing(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -34,20 +35,20 @@ func Fuzzing(c *checker.CheckRequest) checker.CheckResult {
|
||||
searchString := url + " repo:google/oss-fuzz in:file filename:project.yaml"
|
||||
results, _, err := c.Client.Search.Code(c.Ctx, searchString, &github.SearchOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(fuzzingStr, err)
|
||||
return checker.MakeRetryResult(CheckFuzzing, err)
|
||||
}
|
||||
|
||||
if *results.Total > 0 {
|
||||
c.Logf("found project in OSS-Fuzz")
|
||||
return checker.CheckResult{
|
||||
Name: fuzzingStr,
|
||||
Name: CheckFuzzing,
|
||||
Pass: true,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
}
|
||||
|
||||
return checker.CheckResult{
|
||||
Name: fuzzingStr,
|
||||
Name: CheckFuzzing,
|
||||
Pass: false,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
|
||||
@ -24,25 +24,26 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const packagingStr = "Packaging"
|
||||
// CheckPackaging is the registered name for Packaging.
|
||||
const CheckPackaging = "Packaging"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(packagingStr, Packaging)
|
||||
registerCheck(CheckPackaging, Packaging)
|
||||
}
|
||||
|
||||
func Packaging(c *checker.CheckRequest) checker.CheckResult {
|
||||
_, dc, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, ".github/workflows",
|
||||
&github.RepositoryContentGetOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(packagingStr, err)
|
||||
return checker.MakeRetryResult(CheckPackaging, err)
|
||||
}
|
||||
|
||||
for _, f := range dc {
|
||||
fp := f.GetPath()
|
||||
fo, _, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(packagingStr, err)
|
||||
return checker.MakeRetryResult(CheckPackaging, err)
|
||||
}
|
||||
if fo == nil {
|
||||
// path is a directory, not a file. skip.
|
||||
@ -50,7 +51,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
fc, err := fo.GetContent()
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(packagingStr, err)
|
||||
return checker.MakeRetryResult(CheckPackaging, err)
|
||||
}
|
||||
|
||||
if !isPackagingWorkflow(fc, fp, c) {
|
||||
@ -62,12 +63,12 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
|
||||
Status: "success",
|
||||
})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(packagingStr, err)
|
||||
return checker.MakeRetryResult(CheckPackaging, err)
|
||||
}
|
||||
if *runs.TotalCount > 0 {
|
||||
c.Logf("found a completed run: %s", runs.WorkflowRuns[0].GetHTMLURL())
|
||||
return checker.CheckResult{
|
||||
Name: packagingStr,
|
||||
Name: CheckPackaging,
|
||||
Pass: true,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
@ -76,7 +77,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
return checker.CheckResult{
|
||||
Name: packagingStr,
|
||||
Name: CheckPackaging,
|
||||
Pass: false,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
|
||||
@ -22,17 +22,18 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const pullRequestsStr = "Pull-Requests"
|
||||
// CheckPullRequests is the registered name for PullRequests.
|
||||
const CheckPullRequests = "Pull-Requests"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(pullRequestsStr, PullRequests)
|
||||
registerCheck(CheckPullRequests, PullRequests)
|
||||
}
|
||||
|
||||
func PullRequests(c *checker.CheckRequest) checker.CheckResult {
|
||||
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(pullRequestsStr, err)
|
||||
return checker.MakeRetryResult(CheckPullRequests, err)
|
||||
}
|
||||
|
||||
total := 0
|
||||
@ -64,7 +65,7 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult {
|
||||
prs, _, err := c.Client.PullRequests.ListPullRequestsWithCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA(),
|
||||
&github.PullRequestListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(pullRequestsStr, err)
|
||||
return checker.MakeRetryResult(CheckPullRequests, err)
|
||||
}
|
||||
if len(prs) > 0 {
|
||||
totalWithPrs++
|
||||
@ -74,5 +75,5 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
}
|
||||
c.Logf("found PRs for %d out of %d commits", totalWithPrs, total)
|
||||
return checker.MakeProportionalResult(pullRequestsStr, totalWithPrs, total, .75)
|
||||
return checker.MakeProportionalResult(CheckPullRequests, totalWithPrs, total, .75)
|
||||
}
|
||||
|
||||
@ -22,7 +22,8 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const sastStr = "SAST"
|
||||
// CheckSAST is the registered name for SAST.
|
||||
const CheckSAST = "SAST"
|
||||
|
||||
var (
|
||||
sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true}
|
||||
@ -34,7 +35,7 @@ var (
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(sastStr, SAST)
|
||||
registerCheck(CheckSAST, SAST)
|
||||
}
|
||||
|
||||
func SAST(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -49,7 +50,7 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
|
||||
State: "closed",
|
||||
})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(sastStr, err)
|
||||
return checker.MakeRetryResult(CheckSAST, err)
|
||||
}
|
||||
|
||||
totalMerged := 0
|
||||
@ -62,10 +63,10 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
|
||||
crs, _, err := c.Client.Checks.ListCheckRunsForRef(c.Ctx, c.Owner, c.Repo, pr.GetHead().GetSHA(),
|
||||
&github.ListCheckRunsOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(sastStr, err)
|
||||
return checker.MakeRetryResult(CheckSAST, err)
|
||||
}
|
||||
if crs == nil {
|
||||
return checker.MakeInconclusiveResult(sastStr, ErrorNoChecks)
|
||||
return checker.MakeInconclusiveResult(CheckSAST, ErrorNoChecks)
|
||||
}
|
||||
for _, cr := range crs.CheckRuns {
|
||||
if cr.GetStatus() != "completed" {
|
||||
@ -82,16 +83,16 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
}
|
||||
if totalTested == 0 {
|
||||
return checker.MakeInconclusiveResult(sastStr, ErrorNoMerges)
|
||||
return checker.MakeInconclusiveResult(CheckSAST, ErrorNoMerges)
|
||||
}
|
||||
return checker.MakeProportionalResult(sastStr, totalTested, totalMerged, .75)
|
||||
return checker.MakeProportionalResult(CheckSAST, totalTested, totalMerged, .75)
|
||||
}
|
||||
|
||||
func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult {
|
||||
searchQuery := ("github/codeql-action path:/.github/workflows repo:" + c.Owner + "/" + c.Repo)
|
||||
results, _, err := c.Client.Search.Code(c.Ctx, searchQuery, &github.SearchOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(sastStr, err)
|
||||
return checker.MakeRetryResult(CheckSAST, err)
|
||||
}
|
||||
|
||||
for _, result := range results.CodeResults {
|
||||
@ -99,7 +100,7 @@ func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
return checker.CheckResult{
|
||||
Name: sastStr,
|
||||
Name: CheckSAST,
|
||||
Pass: *results.Total > 0,
|
||||
Confidence: checker.MaxResultConfidence,
|
||||
}
|
||||
|
||||
@ -20,11 +20,12 @@ import (
|
||||
"github.com/ossf/scorecard/checker"
|
||||
)
|
||||
|
||||
const securityPolicyStr = "Security-Policy"
|
||||
// CheckSecurityPolicy is the registred name for SecurityPolicy.
|
||||
const CheckSecurityPolicy = "Security-Policy"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(securityPolicyStr, SecurityPolicy)
|
||||
registerCheck(CheckSecurityPolicy, SecurityPolicy)
|
||||
}
|
||||
|
||||
func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -36,7 +37,7 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
result := CheckIfFileExists(securityPolicyStr, c, onFile)
|
||||
result := CheckIfFileExists(CheckSecurityPolicy, c, onFile)
|
||||
|
||||
if result.Pass {
|
||||
return result
|
||||
@ -54,5 +55,5 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
return CheckIfFileExists(securityPolicyStr, dotGitHub, onFile)
|
||||
return CheckIfFileExists(CheckSecurityPolicy, dotGitHub, onFile)
|
||||
}
|
||||
|
||||
@ -24,7 +24,8 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
signedReleasesStr = "Signed-Releases"
|
||||
// CheckSignedReleases is the registered name for SignedReleases.
|
||||
CheckSignedReleases = "Signed-Releases"
|
||||
releaseLookBackDays = 5
|
||||
)
|
||||
|
||||
@ -33,13 +34,13 @@ var ErrorNoReleases = errors.New("no releases found")
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(signedReleasesStr, SignedReleases)
|
||||
registerCheck(CheckSignedReleases, SignedReleases)
|
||||
}
|
||||
|
||||
func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
|
||||
releases, _, err := c.Client.Repositories.ListReleases(c.Ctx, c.Owner, c.Repo, &github.ListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(signedReleasesStr, err)
|
||||
return checker.MakeRetryResult(CheckSignedReleases, err)
|
||||
}
|
||||
|
||||
artifactExtensions := []string{".asc", ".minisig", ".sig"}
|
||||
@ -49,7 +50,7 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
|
||||
for _, r := range releases {
|
||||
assets, _, err := c.Client.Repositories.ListReleaseAssets(c.Ctx, c.Owner, c.Repo, r.GetID(), &github.ListOptions{})
|
||||
if err != nil {
|
||||
return checker.MakeRetryResult(signedReleasesStr, err)
|
||||
return checker.MakeRetryResult(CheckSignedReleases, err)
|
||||
}
|
||||
if len(assets) == 0 {
|
||||
continue
|
||||
@ -80,9 +81,9 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
|
||||
|
||||
if totalReleases == 0 {
|
||||
c.Logf("no releases found")
|
||||
return checker.MakeInconclusiveResult(signedReleasesStr, ErrorNoReleases)
|
||||
return checker.MakeInconclusiveResult(CheckSignedReleases, ErrorNoReleases)
|
||||
}
|
||||
|
||||
c.Logf("found signed artifacts for %d out of %d releases", totalSigned, totalReleases)
|
||||
return checker.MakeProportionalResult(signedReleasesStr, totalSigned, totalReleases, 0.8)
|
||||
return checker.MakeProportionalResult(CheckSignedReleases, totalSigned, totalReleases, 0.8)
|
||||
}
|
||||
|
||||
@ -23,8 +23,9 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
signedTagsStr = "Signed-Tags"
|
||||
tagLookBack = 5
|
||||
// CheckSignedTags is the registered name for SignedTags.
|
||||
CheckSignedTags = "Signed-Tags"
|
||||
tagLookBack = 5
|
||||
)
|
||||
|
||||
// ErrorNoTags indicates no tags were found for this repo.
|
||||
@ -32,7 +33,7 @@ var ErrorNoTags = errors.New("no tags found")
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(signedTagsStr, SignedTags)
|
||||
registerCheck(CheckSignedTags, SignedTags)
|
||||
}
|
||||
|
||||
func SignedTags(c *checker.CheckRequest) checker.CheckResult {
|
||||
@ -57,7 +58,7 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult {
|
||||
}
|
||||
|
||||
if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil {
|
||||
return checker.MakeRetryResult(signedTagsStr, err)
|
||||
return checker.MakeRetryResult(CheckSignedTags, err)
|
||||
}
|
||||
totalTags := 0
|
||||
totalSigned := 0
|
||||
@ -79,9 +80,9 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult {
|
||||
|
||||
if totalTags == 0 {
|
||||
c.Logf("no tags found")
|
||||
return checker.MakeInconclusiveResult(signedTagsStr, ErrorNoTags)
|
||||
return checker.MakeInconclusiveResult(CheckSignedTags, ErrorNoTags)
|
||||
}
|
||||
|
||||
c.Logf("found %d out of %d verified tags", totalSigned, totalTags)
|
||||
return checker.MakeProportionalResult(signedTagsStr, totalSigned, totalTags, 0.8)
|
||||
return checker.MakeProportionalResult(CheckSignedTags, totalSigned, totalTags, 0.8)
|
||||
}
|
||||
|
||||
17
cron/main.go
17
cron/main.go
@ -106,6 +106,14 @@ func main() {
|
||||
githubClient := github.NewClient(httpClient)
|
||||
graphClient := githubv4.NewClient(httpClient)
|
||||
|
||||
checksToRun := checks.AllChecks
|
||||
//nolint
|
||||
// FIXME :- deleting branch-protection
|
||||
// The branch protection check needs an admin access to the repository.
|
||||
// All of the checks from cron would fail and uses another call to the API.
|
||||
// This will reduce usage of the API.
|
||||
delete(checksToRun, checks.CheckBranchProtection)
|
||||
|
||||
exporter, err := startMetricsExporter()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
@ -124,14 +132,7 @@ func main() {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
//nolint
|
||||
// FIXME :- deleting branch-protection
|
||||
// The branch protection check needs an admin access to the repository.
|
||||
// All of the checks from cron would fail and uses another call to the API.
|
||||
// This will reduce usage of the API.
|
||||
delete(checks.AllChecks, "Branch-Protection")
|
||||
|
||||
repoResult := pkg.RunScorecards(ctx, repoURL, checks.AllChecks, httpClient, githubClient, graphClient)
|
||||
repoResult := pkg.RunScorecards(ctx, repoURL, checksToRun, httpClient, githubClient, graphClient)
|
||||
repoResult.Date = currTime.Format("2006-01-02")
|
||||
if err := repoResult.AsJSON( /*showDetails=*/ true, result); err != nil {
|
||||
panic(err)
|
||||
|
||||
@ -26,6 +26,7 @@ import (
|
||||
"github.com/shurcooL/githubv4"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/ossf/scorecard/checker"
|
||||
"github.com/ossf/scorecard/checks"
|
||||
"github.com/ossf/scorecard/cron/config"
|
||||
"github.com/ossf/scorecard/cron/data"
|
||||
@ -36,16 +37,8 @@ import (
|
||||
)
|
||||
|
||||
func processRequest(ctx context.Context,
|
||||
batchRequest *data.ScorecardBatchRequest, bucketURL string,
|
||||
batchRequest *data.ScorecardBatchRequest, checksToRun checker.CheckNameToFnMap, bucketURL string,
|
||||
httpClient *http.Client, githubClient *github.Client, graphClient *githubv4.Client) error {
|
||||
checksToRun := checks.AllChecks
|
||||
// nolint
|
||||
// FIXME :- deleting branch-protection
|
||||
// The branch protection check needs an admin access to the repository.
|
||||
// All of the checks from cron would fail and uses another call to the API.
|
||||
// This will reduce usage of the API.
|
||||
delete(checksToRun, "Branch-Protection")
|
||||
|
||||
repoURLs := make([]repos.RepoURL, 0, len(batchRequest.GetRepos()))
|
||||
for _, repo := range batchRequest.GetRepos() {
|
||||
repoURL := repos.RepoURL{}
|
||||
@ -129,6 +122,14 @@ func main() {
|
||||
|
||||
httpClient, githubClient, graphClient, logger := createNetClients(ctx)
|
||||
|
||||
checksToRun := checks.AllChecks
|
||||
// nolint
|
||||
// FIXME :- deleting branch-protection
|
||||
// The branch protection check needs an admin access to the repository.
|
||||
// All of the checks from cron would fail and uses another call to the API.
|
||||
// This will reduce usage of the API.
|
||||
delete(checksToRun, checks.CheckBranchProtection)
|
||||
|
||||
for {
|
||||
req, err := subscriber.SynchronousPull()
|
||||
if err != nil {
|
||||
@ -139,7 +140,7 @@ func main() {
|
||||
log.Print("subscription returned nil message during Receive, exiting")
|
||||
break
|
||||
}
|
||||
if err := processRequest(ctx, req, bucketURL, httpClient, githubClient, graphClient); err != nil {
|
||||
if err := processRequest(ctx, req, checksToRun, bucketURL, httpClient, githubClient, graphClient); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
// nolint: errcheck // flushes buffer
|
||||
|
||||
Loading…
Reference in New Issue
Block a user