From be8aa3d713c36ca768d67aca0c93848e45410b2a Mon Sep 17 00:00:00 2001
From: Azeem Shaikh
Date: Thu, 27 May 2021 14:54:34 -0700
Subject: [PATCH] Export registered check names (#518)
Co-authored-by: Azeem Shaikh
---
checks/active.go | 13 +++++++------
checks/branch_protected.go | 15 ++++++++-------
checks/branch_protected_test.go | 18 +++++++++---------
checks/ci_tests.go | 20 +++++++++-----------
checks/cii_best_practices.go | 19 ++++++++++---------
checks/code_review.go | 29 +++++++++++++++--------------
checks/contributors.go | 13 +++++++------
checks/frozen_deps.go | 11 ++++++-----
checks/fuzzing.go | 11 ++++++-----
checks/packaging.go | 17 +++++++++--------
checks/pull_requests.go | 11 ++++++-----
checks/sast.go | 19 ++++++++++---------
checks/security_policy.go | 9 +++++----
checks/signed_releases.go | 13 +++++++------
checks/signed_tags.go | 13 +++++++------
cron/main.go | 17 +++++++++--------
cron/worker/main.go | 21 +++++++++++----------
17 files changed, 141 insertions(+), 128 deletions(-)
diff --git a/checks/active.go b/checks/active.go
index 747e8b16..f5778169 100644
--- a/checks/active.go
+++ b/checks/active.go
@@ -23,31 +23,32 @@ import ( ) const ( - activeStr = "Active" + // CheckActive is the registered name for IsActive. + CheckActive = "Active" lookbackDays = 90 ) //nolint:gochecknoinits func init() { - registerCheck(activeStr, IsActive) + registerCheck(CheckActive, IsActive) } func IsActive(c *checker.CheckRequest) checker.CheckResult { commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) if err != nil { - return checker.MakeRetryResult(activeStr, err) + return checker.MakeRetryResult(CheckActive, err) } tz, err := time.LoadLocation("UTC") if err != nil { - return checker.MakeRetryResult(activeStr, err) + return checker.MakeRetryResult(CheckActive, err) } threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays) totalCommits := 0 for _, commit := range commits { commitFull, _, err := c.Client.Git.GetCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA()) if err != nil { - return checker.MakeRetryResult(activeStr, err) + return checker.MakeRetryResult(CheckActive, err) } if commitFull.GetAuthor().GetDate().After(threshold) { totalCommits++ @@ -57,7 +58,7 @@ func IsActive(c *checker.CheckRequest) checker.CheckResult { const numCommits = 2 const confidence = 10 return checker.CheckResult{ - Name: activeStr, + Name: CheckActive, Pass: totalCommits >= numCommits, Confidence: confidence, } diff --git a/checks/branch_protected.go b/checks/branch_protected.go index b3f5d57a..b6b19d0a 100644 --- a/checks/branch_protected.go +++ b/checks/branch_protected.go 
@@ -21,33 +21,34 @@ import ( ) const ( - branchProtectionStr = "Branch-Protection" - minReviews = 1 + // CheckBranchProtection is the registered name for BranchProtection. + CheckBranchProtection = "Branch-Protection" + minReviews = 1 ) //nolint:gochecknoinits func init() { - registerCheck(branchProtectionStr, BranchProtection) + registerCheck(CheckBranchProtection, BranchProtection) } func BranchProtection(c *checker.CheckRequest) checker.CheckResult { repo, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo) if err != nil { - return checker.MakeRetryResult(branchProtectionStr, err) + return checker.MakeRetryResult(CheckBranchProtection, err) } protection, resp, err := c.Client.Repositories. GetBranchProtection(c.Ctx, c.Owner, c.Repo, *repo.DefaultBranch) const fileNotFound = 404 if resp.StatusCode == fileNotFound { - return checker.MakeRetryResult(branchProtectionStr, err) + return checker.MakeRetryResult(CheckBranchProtection, err) } if err != nil { c.Logf("!! branch protection not enabled") const confidence = 10 return checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Confidence: confidence, } @@ -99,7 +100,7 @@ func IsBranchProtected(protection *github.Protection, c *checker.CheckRequest) c totalSuccess++ } - return checker.MakeProportionalResult(branchProtectionStr, totalSuccess, totalChecks, 1.0) + return checker.MakeProportionalResult(CheckBranchProtection, totalSuccess, totalChecks, 1.0) } // Returns true if several PR status checks requirements are enabled. Otherwise returns false and logs why it failed. diff --git a/checks/branch_protected_test.go b/checks/branch_protected_test.go index 19970321..e414cee9 100644 --- a/checks/branch_protected_test.go +++ b/checks/branch_protected_test.go 
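Review bot: In `BranchProtection`, `resp.StatusCode` is read right after the `GetBranchProtection` call and before `err` is examined; if the client returns a nil response when the request itself fails (transport error, cancelled context), the check panics instead of producing a retry result. Guarding the status test, `if resp != nil && resp.StatusCode == fileNotFound {`, lets the existing `if err != nil` branch handle that failure. Separately, a 404 here typically means protection is not enabled or the token lacks admin access (the cron changes in this commit say as much), neither of which a retry fixes, so a short comment on why `MakeRetryResult` is the intended outcome would help the next reader. `BranchProtection`'s body continues outside the hunk.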
@@ -85,7 +85,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 7, @@ -132,7 +132,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 5, @@ -179,7 +179,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 7, @@ -227,7 +227,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 5, @@ -274,7 +274,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 5, @@ -321,7 +321,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 5, @@ -368,7 +368,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 9, @@ -415,7 +415,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: false, Details: nil, Confidence: 9, 
@@ -462,7 +462,7 @@ func TestIsBranchProtected(t *testing.T) { c: checker.CheckRequest{Logf: l.Logf}, }, want: checker.CheckResult{ - Name: branchProtectionStr, + Name: CheckBranchProtection, Pass: true, Details: nil, Confidence: 10, diff --git a/checks/ci_tests.go b/checks/ci_tests.go index cf3879f2..e4b6f1c3 100644 --- a/checks/ci_tests.go +++ b/checks/ci_tests.go @@ -23,23 +23,21 @@ import ( "github.com/ossf/scorecard/checker" ) -const ( - ciTestsStr = "CI-Tests" - success = "success" -) - // States for which CI system is in use. type ciSystemState int const ( - unknown ciSystemState = iota + // CheckCITests is the registered name for CITests. + CheckCITests = "CI-Tests" + success = "success" + unknown ciSystemState = iota githubStatuses githubCheckRuns ) //nolint:gochecknoinits func init() { - registerCheck(ciTestsStr, CITests) + registerCheck(CheckCITests, CITests) } func CITests(c *checker.CheckRequest) checker.CheckResult { @@ -47,7 +45,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult { State: "closed", }) if err != nil { - return checker.MakeRetryResult(ciTestsStr, err) + return checker.MakeRetryResult(CheckCITests, err) } usedSystem := unknown @@ -65,7 +63,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult { if usedSystem != githubCheckRuns { prSuccessStatus, err := prHasSuccessStatus(pr, c) if err != nil { - return checker.MakeRetryResult(ciTestsStr, err) + return checker.MakeRetryResult(CheckCITests, err) } if prSuccessStatus { totalTested++ @@ -79,7 +77,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult { if usedSystem != githubStatuses { prCheckSuccessful, err := prHasSuccessfulCheck(pr, c) if err != nil { - return checker.MakeRetryResult(ciTestsStr, err) + return checker.MakeRetryResult(CheckCITests, err) } if prCheckSuccessful { totalTested++ 
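Review bot: Merging the string constants into the `iota` block in ci_tests.go silently changes the enum values: `iota` counts ConstSpecs from the top of the block, so with `CheckCITests` and `success` ahead of it, `unknown` becomes 2 (`githubStatuses` 3, `githubCheckRuns` 4) rather than 0, and the zero value of `ciSystemState` no longer matches any named state. Nothing visible in these hunks depends on `unknown == 0` (`usedSystem := unknown` is explicit), but the shift is easy to trip over later. Keep two blocks: close the `const (` after `success = "success"` and open a fresh `const (` immediately before `unknown ciSystemState = iota`, leaving the `// States for which CI system is in use.` comment and `type ciSystemState int` between them as before.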
@@ -94,7 +92,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult { } c.Logf("found CI tests for %d of %d merged PRs", totalTested, totalMerged) - return checker.MakeProportionalResult(ciTestsStr, totalTested, totalMerged, .75) + return checker.MakeProportionalResult(CheckCITests, totalTested, totalMerged, .75) } // PR has a status marked 'success' and a CI-related context. diff --git a/checks/cii_best_practices.go b/checks/cii_best_practices.go index ad94d8ef..09339f7c 100644 --- a/checks/cii_best_practices.go +++ b/checks/cii_best_practices.go @@ -23,11 +23,12 @@ import ( "github.com/ossf/scorecard/checker" ) -const ciiBestPracticesStr = "CII-Best-Practices" +// CheckCIIBestPractices is the registered name for CIIBestPractices. +const CheckCIIBestPractices = "CII-Best-Practices" //nolint:gochecknoinits func init() { - registerCheck(ciiBestPracticesStr, CIIBestPractices) + registerCheck(CheckCIIBestPractices, CIIBestPractices) } type response struct { 
@@ -39,28 +40,28 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult { url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURL) req, err := http.NewRequestWithContext(c.Ctx, "GET", url, nil) if err != nil { - return checker.MakeRetryResult(ciiBestPracticesStr, err) + return checker.MakeRetryResult(CheckCIIBestPractices, err) } resp, err := c.HTTPClient.Do(req) if err != nil { - return checker.MakeRetryResult(ciiBestPracticesStr, err) + return checker.MakeRetryResult(CheckCIIBestPractices, err) } defer resp.Body.Close() b, err := ioutil.ReadAll(resp.Body) if err != nil { - return checker.MakeRetryResult(ciiBestPracticesStr, err) + return checker.MakeRetryResult(CheckCIIBestPractices, err) } parsedResponse := []response{} if err := json.Unmarshal(b, &parsedResponse); err != nil { - return checker.MakeRetryResult(ciiBestPracticesStr, err) + return checker.MakeRetryResult(CheckCIIBestPractices, err) } if len(parsedResponse) < 1 { c.Logf("no badge found") return checker.CheckResult{ - Name: ciiBestPracticesStr, + Name: CheckCIIBestPractices, Pass: false, Confidence: checker.MaxResultConfidence, } @@ -71,14 +72,14 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult { if result.BadgeLevel != "" { return checker.CheckResult{ - Name: ciiBestPracticesStr, + Name: CheckCIIBestPractices, Pass: true, Confidence: checker.MaxResultConfidence, } } return checker.CheckResult{ - Name: ciiBestPracticesStr, + Name: CheckCIIBestPractices, Pass: false, Confidence: checker.MaxResultConfidence, } diff --git a/checks/code_review.go b/checks/code_review.go index 14825c61..aff5fdb1 100644 --- a/checks/code_review.go +++ b/checks/code_review.go 
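Review bot: `CIIBestPractices` parses the response body without checking `resp.StatusCode`; a non-200 reply from the badge API (rate limiting, an error page) would fail `json.Unmarshal` and be reported as a generic retryable error, hiding the real cause. Add, after `defer resp.Body.Close()`, `if resp.StatusCode != http.StatusOK {` / `return checker.MakeRetryResult(CheckCIIBestPractices, fmt.Errorf("bestpractices API returned status %d", resp.StatusCode))` / `}`. The body is also read with an unbounded `ioutil.ReadAll`; reading through `io.LimitReader(resp.Body, maxBodyBytes)` with a sensible constant keeps a misbehaving server from exhausting memory (this would need `io` imported). `CIIBestPractices` starts outside the hunk.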
@@ -23,14 +23,15 @@ import ( "github.com/ossf/scorecard/checker" ) -const codeReviewStr = "Code-Review" +// CheckCodeReview is the registered name for DoesCodeReview. +const CheckCodeReview = "Code-Review" // ErrorNoReviews indicates no reviews were found for this repo. var ErrorNoReviews = errors.New("no reviews found") //nolint:gochecknoinits func init() { - registerCheck(codeReviewStr, DoesCodeReview) + registerCheck(CheckCodeReview, DoesCodeReview) } // DoesCodeReview attempts to determine whether a project requires review before code gets merged. @@ -53,7 +54,7 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult { State: "closed", }) if err != nil { - return checker.MakeInconclusiveResult(codeReviewStr, err) + return checker.MakeInconclusiveResult(CheckCodeReview, err) } totalMerged := 0 
@@ -98,32 +99,32 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult { if totalReviewed > 0 { c.Logf("github code reviews found") } - return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75) + return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75) } func IsPrReviewRequired(c *checker.CheckRequest) checker.CheckResult { // Look to see if review is enforced. r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo) if err != nil { - return checker.MakeRetryResult(codeReviewStr, err) + return checker.MakeRetryResult(CheckCodeReview, err) } // Check the branch protection rules, we may not be able to get these though. bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch()) if err != nil { - return checker.MakeInconclusiveResult(codeReviewStr, err) + return checker.MakeInconclusiveResult(CheckCodeReview, err) } if bp.GetRequiredPullRequestReviews() != nil && bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 { c.Logf("pr review policy enforced") const confidence = 5 return checker.CheckResult{ - Name: codeReviewStr, + Name: CheckCodeReview, Pass: true, Confidence: confidence, } } - return checker.MakeInconclusiveResult(codeReviewStr, nil) + return checker.MakeInconclusiveResult(CheckCodeReview, nil) } func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult { @@ -132,7 +133,7 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult { State: "closed", }) if err != nil { - return checker.MakeInconclusiveResult(codeReviewStr, err) + return checker.MakeInconclusiveResult(CheckCodeReview, err) } totalMerged := 0 
@@ -151,16 +152,16 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult { } if totalReviewed == 0 { - return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews) + return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews) } c.Logf("prow code reviews found") - return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75) + return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75) } func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult { commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) if err != nil { - return checker.MakeRetryResult(codeReviewStr, err) + return checker.MakeRetryResult(CheckCodeReview, err) } total := 0 @@ -191,8 +192,8 @@ func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult { } if totalReviewed == 0 { - return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews) + return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews) } c.Logf("code reviews found") - return checker.MakeProportionalResult(codeReviewStr, totalReviewed, total, .75) + return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, total, .75) } diff --git a/checks/contributors.go b/checks/contributors.go index 92f5019f..7a4d1b32 100644 --- a/checks/contributors.go +++ b/checks/contributors.go 
@@ -25,18 +25,19 @@ import ( const ( minContributionsPerUser = 5 minOrganizationCount = 2 - contributorsStr = "Contributors" + // CheckContributors is the registered name for Contributors. + CheckContributors = "Contributors" ) //nolint:gochecknoinits func init() { - registerCheck(contributorsStr, Contributors) + registerCheck(CheckContributors, Contributors) } func Contributors(c *checker.CheckRequest) checker.CheckResult { contribs, _, err := c.Client.Repositories.ListContributors(c.Ctx, c.Owner, c.Repo, &github.ListContributorsOptions{}) if err != nil { - return checker.MakeRetryResult(contributorsStr, err) + return checker.MakeRetryResult(CheckContributors, err) } companies := map[string]struct{}{} @@ -46,7 +47,7 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult { } u, _, err := c.Client.Users.Get(c.Ctx, contrib.GetLogin()) if err != nil { - return checker.MakeRetryResult(contributorsStr, err) + return checker.MakeRetryResult(CheckContributors, err) } orgs, _, err := c.Client.Organizations.List(c.Ctx, contrib.GetLogin(), nil) if err != nil { @@ -74,13 +75,13 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult { c.Logf("companies found: %v", strings.Join(names, ",")) if len(companies) >= minOrganizationCount { return checker.CheckResult{ - Name: contributorsStr, + Name: CheckContributors, Pass: true, Confidence: checker.MaxResultConfidence, } } return checker.CheckResult{ - Name: contributorsStr, + Name: CheckContributors, Pass: false, Confidence: checker.MaxResultConfidence, } diff --git a/checks/frozen_deps.go b/checks/frozen_deps.go index 42ee3c20..b471f56d 100644 --- a/checks/frozen_deps.go +++ b/checks/frozen_deps.go @@ -26,7 +26,8 @@ import ( "github.com/ossf/scorecard/checker" ) -const frozenDepsStr = "Frozen-Deps" +// CheckFrozenDeps is the registered name for FrozenDeps. +const CheckFrozenDeps = "Frozen-Deps" // ErrInvalidDockerfile : Invalid docker file. var ErrInvalidDockerfile = errors.New("invalid docker file") 
@@ -36,7 +37,7 @@ var ErrEmptyFile = errors.New("file has no content") //nolint:gochecknoinits func init() { - registerCheck(frozenDepsStr, FrozenDeps) + registerCheck(CheckFrozenDeps, FrozenDeps) } // FrozenDeps will check the repository if it contains frozen dependecies. @@ -54,7 +55,7 @@ func FrozenDeps(c *checker.CheckRequest) checker.CheckResult { // ======================== Dockerfiles ======================= // ============================================================. func isDockerfilePinned(c *checker.CheckRequest) checker.CheckResult { - return CheckFilesContent(frozenDepsStr, "*Dockerfile*", false, c, validateDockerfile) + return CheckFilesContent(CheckFrozenDeps, "*Dockerfile*", false, c, validateDockerfile) } func validateDockerfile(path string, content []byte, @@ -141,7 +142,7 @@ func validateDockerfile(path string, content []byte, // Check pinning of github actions in workflows. func isGitHubActionsWorkflowPinned(c *checker.CheckRequest) checker.CheckResult { - return CheckFilesContent(frozenDepsStr, ".github/workflows/*", true, c, validateGitHubActionWorkflow) + return CheckFilesContent(CheckFrozenDeps, ".github/workflows/*", true, c, validateGitHubActionWorkflow) } // Check file content. @@ -199,7 +200,7 @@ func validateGitHubActionWorkflow(path string, content []byte, logf func(s strin // Check presence of lock files thru validatePackageManagerFile(). func isPackageManagerLockFilePresent(c *checker.CheckRequest) checker.CheckResult { - return CheckIfFileExists(frozenDepsStr, c, validatePackageManagerFile) + return CheckIfFileExists(CheckFrozenDeps, c, validatePackageManagerFile) } // validatePackageManagerFile will validate the if frozen dependecies file name exists. diff --git a/checks/fuzzing.go b/checks/fuzzing.go index 2421393f..84ac24e6 100644 --- a/checks/fuzzing.go +++ b/checks/fuzzing.go 
@@ -22,11 +22,12 @@ import ( "github.com/ossf/scorecard/checker" ) -const fuzzingStr = "Fuzzing" +// CheckFuzzing is the registered name for Fuzzing. +const CheckFuzzing = "Fuzzing" //nolint:gochecknoinits func init() { - registerCheck(fuzzingStr, Fuzzing) + registerCheck(CheckFuzzing, Fuzzing) } func Fuzzing(c *checker.CheckRequest) checker.CheckResult { @@ -34,20 +35,20 @@ func Fuzzing(c *checker.CheckRequest) checker.CheckResult { searchString := url + " repo:google/oss-fuzz in:file filename:project.yaml" results, _, err := c.Client.Search.Code(c.Ctx, searchString, &github.SearchOptions{}) if err != nil { - return checker.MakeRetryResult(fuzzingStr, err) + return checker.MakeRetryResult(CheckFuzzing, err) } if *results.Total > 0 { c.Logf("found project in OSS-Fuzz") return checker.CheckResult{ - Name: fuzzingStr, + Name: CheckFuzzing, Pass: true, Confidence: checker.MaxResultConfidence, } } return checker.CheckResult{ - Name: fuzzingStr, + Name: CheckFuzzing, Pass: false, Confidence: checker.MaxResultConfidence, } diff --git a/checks/packaging.go b/checks/packaging.go index bf4a3e2f..4bbcad70 100644 --- a/checks/packaging.go +++ b/checks/packaging.go 
@@ -24,25 +24,26 @@ import ( "github.com/ossf/scorecard/checker" ) -const packagingStr = "Packaging" +// CheckPackaging is the registered name for Packaging. +const CheckPackaging = "Packaging" //nolint:gochecknoinits func init() { - registerCheck(packagingStr, Packaging) + registerCheck(CheckPackaging, Packaging) } func Packaging(c *checker.CheckRequest) checker.CheckResult { _, dc, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, ".github/workflows", &github.RepositoryContentGetOptions{}) if err != nil { - return checker.MakeRetryResult(packagingStr, err) + return checker.MakeRetryResult(CheckPackaging, err) } for _, f := range dc { fp := f.GetPath() fo, _, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{}) if err != nil { - return checker.MakeRetryResult(packagingStr, err) + return checker.MakeRetryResult(CheckPackaging, err) } if fo == nil { // path is a directory, not a file. skip. @@ -50,7 +51,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult { } fc, err := fo.GetContent() if err != nil { - return checker.MakeRetryResult(packagingStr, err) + return checker.MakeRetryResult(CheckPackaging, err) } if !isPackagingWorkflow(fc, fp, c) { @@ -62,12 +63,12 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult { Status: "success", }) if err != nil { - return checker.MakeRetryResult(packagingStr, err) + return checker.MakeRetryResult(CheckPackaging, err) } if *runs.TotalCount > 0 { c.Logf("found a completed run: %s", runs.WorkflowRuns[0].GetHTMLURL()) return checker.CheckResult{ - Name: packagingStr, + Name: CheckPackaging, Pass: true, Confidence: checker.MaxResultConfidence, } @@ -76,7 +77,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult { } return checker.CheckResult{ - Name: packagingStr, + Name: CheckPackaging, Pass: false, Confidence: checker.MaxResultConfidence, } 
diff --git a/checks/pull_requests.go b/checks/pull_requests.go index 0a503fcf..70eb8e01 100644 --- a/checks/pull_requests.go +++ b/checks/pull_requests.go @@ -22,17 +22,18 @@ import ( "github.com/ossf/scorecard/checker" ) -const pullRequestsStr = "Pull-Requests" +// CheckPullRequests is the registered name for PullRequests. +const CheckPullRequests = "Pull-Requests" //nolint:gochecknoinits func init() { - registerCheck(pullRequestsStr, PullRequests) + registerCheck(CheckPullRequests, PullRequests) } func PullRequests(c *checker.CheckRequest) checker.CheckResult { commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) if err != nil { - return checker.MakeRetryResult(pullRequestsStr, err) + return checker.MakeRetryResult(CheckPullRequests, err) } total := 0 @@ -64,7 +65,7 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult { prs, _, err := c.Client.PullRequests.ListPullRequestsWithCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA(), &github.PullRequestListOptions{}) if err != nil { - return checker.MakeRetryResult(pullRequestsStr, err) + return checker.MakeRetryResult(CheckPullRequests, err) } if len(prs) > 0 { totalWithPrs++ @@ -74,5 +75,5 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult { } } c.Logf("found PRs for %d out of %d commits", totalWithPrs, total) - return checker.MakeProportionalResult(pullRequestsStr, totalWithPrs, total, .75) + return checker.MakeProportionalResult(CheckPullRequests, totalWithPrs, total, .75) } diff --git a/checks/sast.go b/checks/sast.go index 691ef642..32931291 100644 --- a/checks/sast.go +++ b/checks/sast.go @@ -22,7 +22,8 @@ import ( "github.com/ossf/scorecard/checker" ) -const sastStr = "SAST" +// CheckSAST is the registered name for SAST. +const CheckSAST = "SAST" var ( sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true} 
@@ -34,7 +35,7 @@ var ( //nolint:gochecknoinits func init() { - registerCheck(sastStr, SAST) + registerCheck(CheckSAST, SAST) } func SAST(c *checker.CheckRequest) checker.CheckResult { @@ -49,7 +50,7 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult { State: "closed", }) if err != nil { - return checker.MakeRetryResult(sastStr, err) + return checker.MakeRetryResult(CheckSAST, err) } totalMerged := 0 @@ -62,10 +63,10 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult { crs, _, err := c.Client.Checks.ListCheckRunsForRef(c.Ctx, c.Owner, c.Repo, pr.GetHead().GetSHA(), &github.ListCheckRunsOptions{}) if err != nil { - return checker.MakeRetryResult(sastStr, err) + return checker.MakeRetryResult(CheckSAST, err) } if crs == nil { - return checker.MakeInconclusiveResult(sastStr, ErrorNoChecks) + return checker.MakeInconclusiveResult(CheckSAST, ErrorNoChecks) } for _, cr := range crs.CheckRuns { if cr.GetStatus() != "completed" { @@ -82,16 +83,16 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult { } } if totalTested == 0 { - return checker.MakeInconclusiveResult(sastStr, ErrorNoMerges) + return checker.MakeInconclusiveResult(CheckSAST, ErrorNoMerges) } - return checker.MakeProportionalResult(sastStr, totalTested, totalMerged, .75) + return checker.MakeProportionalResult(CheckSAST, totalTested, totalMerged, .75) } func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult { searchQuery := ("github/codeql-action path:/.github/workflows repo:" + c.Owner + "/" + c.Repo) results, _, err := c.Client.Search.Code(c.Ctx, searchQuery, &github.SearchOptions{}) if err != nil { - return checker.MakeRetryResult(sastStr, err) + return checker.MakeRetryResult(CheckSAST, err) } for _, result := range results.CodeResults { 
@@ -99,7 +100,7 @@ func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult { } return checker.CheckResult{ - Name: sastStr, + Name: CheckSAST, Pass: *results.Total > 0, Confidence: checker.MaxResultConfidence, } diff --git a/checks/security_policy.go b/checks/security_policy.go index 75131d5d..81f26ef0 100644 --- a/checks/security_policy.go +++ b/checks/security_policy.go @@ -20,11 +20,12 @@ import ( "github.com/ossf/scorecard/checker" ) -const securityPolicyStr = "Security-Policy" +// CheckSecurityPolicy is the registred name for SecurityPolicy. +const CheckSecurityPolicy = "Security-Policy" //nolint:gochecknoinits func init() { - registerCheck(securityPolicyStr, SecurityPolicy) + registerCheck(CheckSecurityPolicy, SecurityPolicy) } func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult { @@ -36,7 +37,7 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult { } return false, nil } - result := CheckIfFileExists(securityPolicyStr, c, onFile) + result := CheckIfFileExists(CheckSecurityPolicy, c, onFile) if result.Pass { return result @@ -54,5 +55,5 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult { } return false, nil } - return CheckIfFileExists(securityPolicyStr, dotGitHub, onFile) + return CheckIfFileExists(CheckSecurityPolicy, dotGitHub, onFile) } diff --git a/checks/signed_releases.go b/checks/signed_releases.go index d9de9826..8970368e 100644 --- a/checks/signed_releases.go +++ b/checks/signed_releases.go @@ -24,7 +24,8 @@ import ( ) const ( - signedReleasesStr = "Signed-Releases" + // CheckSignedReleases is the registered name for SignedReleases. + CheckSignedReleases = "Signed-Releases" releaseLookBackDays = 5 ) 
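Review bot: The new doc comment in checks/security_policy.go has a typo, `registred`; it should read `// CheckSecurityPolicy is the registered name for SecurityPolicy.` to match the wording used for the other exported check names in this commit. Since the constant is now exported, the comment is surfaced by godoc and is user-visible.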
@@ -33,13 +34,13 @@ var ErrorNoReleases = errors.New("no releases found") //nolint:gochecknoinits func init() { - registerCheck(signedReleasesStr, SignedReleases) + registerCheck(CheckSignedReleases, SignedReleases) } func SignedReleases(c *checker.CheckRequest) checker.CheckResult { releases, _, err := c.Client.Repositories.ListReleases(c.Ctx, c.Owner, c.Repo, &github.ListOptions{}) if err != nil { - return checker.MakeRetryResult(signedReleasesStr, err) + return checker.MakeRetryResult(CheckSignedReleases, err) } artifactExtensions := []string{".asc", ".minisig", ".sig"} @@ -49,7 +50,7 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult { for _, r := range releases { assets, _, err := c.Client.Repositories.ListReleaseAssets(c.Ctx, c.Owner, c.Repo, r.GetID(), &github.ListOptions{}) if err != nil { - return checker.MakeRetryResult(signedReleasesStr, err) + return checker.MakeRetryResult(CheckSignedReleases, err) } if len(assets) == 0 { continue @@ -80,9 +81,9 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult { if totalReleases == 0 { c.Logf("no releases found") - return checker.MakeInconclusiveResult(signedReleasesStr, ErrorNoReleases) + return checker.MakeInconclusiveResult(CheckSignedReleases, ErrorNoReleases) } c.Logf("found signed artifacts for %d out of %d releases", totalSigned, totalReleases) - return checker.MakeProportionalResult(signedReleasesStr, totalSigned, totalReleases, 0.8) + return checker.MakeProportionalResult(CheckSignedReleases, totalSigned, totalReleases, 0.8) } diff --git a/checks/signed_tags.go b/checks/signed_tags.go index e2084ba8..d5082f47 100644 --- a/checks/signed_tags.go +++ b/checks/signed_tags.go @@ -23,8 +23,9 @@ import ( ) const ( - signedTagsStr = "Signed-Tags" - tagLookBack = 5 + // CheckSignedTags is the registered name for SignedTags. + CheckSignedTags = "Signed-Tags" + tagLookBack = 5 ) // ErrorNoTags indicates no tags were found for this repo. 
@@ -32,7 +33,7 @@ var ErrorNoTags = errors.New("no tags found") //nolint:gochecknoinits func init() { - registerCheck(signedTagsStr, SignedTags) + registerCheck(CheckSignedTags, SignedTags) } func SignedTags(c *checker.CheckRequest) checker.CheckResult { @@ -57,7 +58,7 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult { } if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil { - return checker.MakeRetryResult(signedTagsStr, err) + return checker.MakeRetryResult(CheckSignedTags, err) } totalTags := 0 totalSigned := 0 @@ -79,9 +80,9 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult { if totalTags == 0 { c.Logf("no tags found") - return checker.MakeInconclusiveResult(signedTagsStr, ErrorNoTags) + return checker.MakeInconclusiveResult(CheckSignedTags, ErrorNoTags) } c.Logf("found %d out of %d verified tags", totalSigned, totalTags) - return checker.MakeProportionalResult(signedTagsStr, totalSigned, totalTags, 0.8) + return checker.MakeProportionalResult(CheckSignedTags, totalSigned, totalTags, 0.8) } diff --git a/cron/main.go b/cron/main.go index 5f5220f0..d4a17adc 100644 --- a/cron/main.go +++ b/cron/main.go @@ -106,6 +106,14 @@ func main() { githubClient := github.NewClient(httpClient) graphClient := githubv4.NewClient(httpClient) + checksToRun := checks.AllChecks + //nolint + // FIXME :- deleting branch-protection + // The branch protection check needs an admin access to the repository. + // All of the checks from cron would fail and uses another call to the API. + // This will reduce usage of the API. + delete(checksToRun, checks.CheckBranchProtection) + exporter, err := startMetricsExporter() if err != nil { panic(err) 
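Review bot: `checksToRun := checks.AllChecks` in cron/main.go does not copy the map; Go maps are references, so the following `delete(checksToRun, checks.CheckBranchProtection)` still removes the entry from the package-level `checks.AllChecks`, exactly as the removed `delete(checks.AllChecks, "Branch-Protection")` did, while the new name suggests a private copy. The same pattern is introduced in `main` of cron/worker/main.go. It is harmless only as long as nothing else in the process reads `checks.AllChecks` afterwards; building a filtered copy makes the intent real and keeps the shared registry untouched. The copy below uses `checker.CheckNameToFnMap`, which cron/worker/main.go imports in this commit; cron/main.go would need the same import if it does not already have one. `main` continues outside the hunk.
```go
	checksToRun := make(checker.CheckNameToFnMap, len(checks.AllChecks))
	for name, fn := range checks.AllChecks {
		// Skipped: branch protection needs admin access (see FIXME above).
		if name == checks.CheckBranchProtection {
			continue
		}
		checksToRun[name] = fn
	}
	// … unchanged: metrics exporter startup …
```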
@@ -124,14 +132,7 @@ func main() { panic(err) } - //nolint - // FIXME :- deleting branch-protection - // The branch protection check needs an admin access to the repository. - // All of the checks from cron would fail and uses another call to the API. - // This will reduce usage of the API. - delete(checks.AllChecks, "Branch-Protection") - - repoResult := pkg.RunScorecards(ctx, repoURL, checks.AllChecks, httpClient, githubClient, graphClient) + repoResult := pkg.RunScorecards(ctx, repoURL, checksToRun, httpClient, githubClient, graphClient) repoResult.Date = currTime.Format("2006-01-02") if err := repoResult.AsJSON( /*showDetails=*/ true, result); err != nil { panic(err) diff --git a/cron/worker/main.go b/cron/worker/main.go index 6e9530a2..9381fea9 100644 --- a/cron/worker/main.go +++ b/cron/worker/main.go @@ -26,6 +26,7 @@ import ( "github.com/shurcooL/githubv4" "go.uber.org/zap" + "github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checks" "github.com/ossf/scorecard/cron/config" "github.com/ossf/scorecard/cron/data" @@ -36,16 +37,8 @@ import ( ) func processRequest(ctx context.Context, - batchRequest *data.ScorecardBatchRequest, bucketURL string, + batchRequest *data.ScorecardBatchRequest, checksToRun checker.CheckNameToFnMap, bucketURL string, httpClient *http.Client, githubClient *github.Client, graphClient *githubv4.Client) error { - checksToRun := checks.AllChecks - // nolint - // FIXME :- deleting branch-protection - // The branch protection check needs an admin access to the repository. - // All of the checks from cron would fail and uses another call to the API. - // This will reduce usage of the API. - delete(checksToRun, "Branch-Protection") - repoURLs := make([]repos.RepoURL, 0, len(batchRequest.GetRepos())) for _, repo := range batchRequest.GetRepos() { repoURL := repos.RepoURL{} 
@@ -129,6 +122,14 @@ func main() { httpClient, githubClient, graphClient, logger := createNetClients(ctx) + checksToRun := checks.AllChecks + // nolint + // FIXME :- deleting branch-protection + // The branch protection check needs an admin access to the repository. + // All of the checks from cron would fail and uses another call to the API. + // This will reduce usage of the API. + delete(checksToRun, checks.CheckBranchProtection) + for { req, err := subscriber.SynchronousPull() if err != nil { @@ -139,7 +140,7 @@ func main() { log.Print("subscription returned nil message during Receive, exiting") break } - if err := processRequest(ctx, req, bucketURL, httpClient, githubClient, graphClient); err != nil { + if err := processRequest(ctx, req, checksToRun, bucketURL, httpClient, githubClient, graphClient); err != nil { panic(err) } // nolint: errcheck // flushes buffer