Export registered check names (#518)

Co-authored-by: Azeem Shaikh <azeems@google.com>
Azeem Shaikh 2021-05-27 14:54:34 -07:00 committed by GitHub
parent df44a898cf
commit be8aa3d713
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 141 additions and 128 deletions


@ -23,31 +23,32 @@ import (
) )
const ( const (
activeStr = "Active" // CheckActive is the registered name for IsActive.
CheckActive = "Active"
lookbackDays = 90 lookbackDays = 90
) )
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(activeStr, IsActive) registerCheck(CheckActive, IsActive)
} }
func IsActive(c *checker.CheckRequest) checker.CheckResult { func IsActive(c *checker.CheckRequest) checker.CheckResult {
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(activeStr, err) return checker.MakeRetryResult(CheckActive, err)
} }
tz, err := time.LoadLocation("UTC") tz, err := time.LoadLocation("UTC")
if err != nil { if err != nil {
return checker.MakeRetryResult(activeStr, err) return checker.MakeRetryResult(CheckActive, err)
} }
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays) threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays)
totalCommits := 0 totalCommits := 0
for _, commit := range commits { for _, commit := range commits {
commitFull, _, err := c.Client.Git.GetCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA()) commitFull, _, err := c.Client.Git.GetCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA())
if err != nil { if err != nil {
return checker.MakeRetryResult(activeStr, err) return checker.MakeRetryResult(CheckActive, err)
} }
if commitFull.GetAuthor().GetDate().After(threshold) { if commitFull.GetAuthor().GetDate().After(threshold) {
totalCommits++ totalCommits++
@ -57,7 +58,7 @@ func IsActive(c *checker.CheckRequest) checker.CheckResult {
const numCommits = 2 const numCommits = 2
const confidence = 10 const confidence = 10
return checker.CheckResult{ return checker.CheckResult{
Name: activeStr, Name: CheckActive,
Pass: totalCommits >= numCommits, Pass: totalCommits >= numCommits,
Confidence: confidence, Confidence: confidence,
} }


@ -21,33 +21,34 @@ import (
) )
const ( const (
branchProtectionStr = "Branch-Protection" // CheckBranchProtection is the registered name for BranchProtection.
minReviews = 1 CheckBranchProtection = "Branch-Protection"
minReviews = 1
) )
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(branchProtectionStr, BranchProtection) registerCheck(CheckBranchProtection, BranchProtection)
} }
func BranchProtection(c *checker.CheckRequest) checker.CheckResult { func BranchProtection(c *checker.CheckRequest) checker.CheckResult {
repo, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo) repo, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
if err != nil { if err != nil {
return checker.MakeRetryResult(branchProtectionStr, err) return checker.MakeRetryResult(CheckBranchProtection, err)
} }
protection, resp, err := c.Client.Repositories. protection, resp, err := c.Client.Repositories.
GetBranchProtection(c.Ctx, c.Owner, c.Repo, *repo.DefaultBranch) GetBranchProtection(c.Ctx, c.Owner, c.Repo, *repo.DefaultBranch)
const fileNotFound = 404 const fileNotFound = 404
if resp.StatusCode == fileNotFound { if resp.StatusCode == fileNotFound {
return checker.MakeRetryResult(branchProtectionStr, err) return checker.MakeRetryResult(CheckBranchProtection, err)
} }
if err != nil { if err != nil {
c.Logf("!! branch protection not enabled") c.Logf("!! branch protection not enabled")
const confidence = 10 const confidence = 10
return checker.CheckResult{ return checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Confidence: confidence, Confidence: confidence,
} }
@ -99,7 +100,7 @@ func IsBranchProtected(protection *github.Protection, c *checker.CheckRequest) c
totalSuccess++ totalSuccess++
} }
return checker.MakeProportionalResult(branchProtectionStr, totalSuccess, totalChecks, 1.0) return checker.MakeProportionalResult(CheckBranchProtection, totalSuccess, totalChecks, 1.0)
} }
// Returns true if several PR status checks requirements are enabled. Otherwise returns false and logs why it failed. // Returns true if several PR status checks requirements are enabled. Otherwise returns false and logs why it failed.
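Review bot: In `BranchProtection`, `resp.StatusCode` is read before `err` is checked, so a `GetBranchProtection` call that fails without producing a response (a transport error, where the client presumably returns a nil response) would panic instead of returning a result for `CheckBranchProtection`. Testing `if err != nil` first, or guarding the comparison as `if resp != nil && resp.StatusCode == fileNotFound`, avoids that. `*repo.DefaultBranch` is also dereferenced directly; `repo.GetDefaultBranch()` is the nil-safe accessor. The function body continues past the end of the first hunk, so the later handling of `protection` is not visible here.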


@ -85,7 +85,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 7, Confidence: 7,
@ -132,7 +132,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 5, Confidence: 5,
@ -179,7 +179,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 7, Confidence: 7,
@ -227,7 +227,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 5, Confidence: 5,
@ -274,7 +274,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 5, Confidence: 5,
@ -321,7 +321,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 5, Confidence: 5,
@ -368,7 +368,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 9, Confidence: 9,
@ -415,7 +415,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: false, Pass: false,
Details: nil, Details: nil,
Confidence: 9, Confidence: 9,
@ -462,7 +462,7 @@ func TestIsBranchProtected(t *testing.T) {
c: checker.CheckRequest{Logf: l.Logf}, c: checker.CheckRequest{Logf: l.Logf},
}, },
want: checker.CheckResult{ want: checker.CheckResult{
Name: branchProtectionStr, Name: CheckBranchProtection,
Pass: true, Pass: true,
Details: nil, Details: nil,
Confidence: 10, Confidence: 10,


@ -23,23 +23,21 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const (
ciTestsStr = "CI-Tests"
success = "success"
)
// States for which CI system is in use. // States for which CI system is in use.
type ciSystemState int type ciSystemState int
const ( const (
unknown ciSystemState = iota // CheckCITests is the registered name for CITests.
CheckCITests = "CI-Tests"
success = "success"
unknown ciSystemState = iota
githubStatuses githubStatuses
githubCheckRuns githubCheckRuns
) )
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(ciTestsStr, CITests) registerCheck(CheckCITests, CITests)
} }
func CITests(c *checker.CheckRequest) checker.CheckResult { func CITests(c *checker.CheckRequest) checker.CheckResult {
@ -47,7 +45,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
State: "closed", State: "closed",
}) })
if err != nil { if err != nil {
return checker.MakeRetryResult(ciTestsStr, err) return checker.MakeRetryResult(CheckCITests, err)
} }
usedSystem := unknown usedSystem := unknown
@ -65,7 +63,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
if usedSystem != githubCheckRuns { if usedSystem != githubCheckRuns {
prSuccessStatus, err := prHasSuccessStatus(pr, c) prSuccessStatus, err := prHasSuccessStatus(pr, c)
if err != nil { if err != nil {
return checker.MakeRetryResult(ciTestsStr, err) return checker.MakeRetryResult(CheckCITests, err)
} }
if prSuccessStatus { if prSuccessStatus {
totalTested++ totalTested++
@ -79,7 +77,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
if usedSystem != githubStatuses { if usedSystem != githubStatuses {
prCheckSuccessful, err := prHasSuccessfulCheck(pr, c) prCheckSuccessful, err := prHasSuccessfulCheck(pr, c)
if err != nil { if err != nil {
return checker.MakeRetryResult(ciTestsStr, err) return checker.MakeRetryResult(CheckCITests, err)
} }
if prCheckSuccessful { if prCheckSuccessful {
totalTested++ totalTested++
@ -94,7 +92,7 @@ func CITests(c *checker.CheckRequest) checker.CheckResult {
} }
c.Logf("found CI tests for %d of %d merged PRs", totalTested, totalMerged) c.Logf("found CI tests for %d of %d merged PRs", totalTested, totalMerged)
return checker.MakeProportionalResult(ciTestsStr, totalTested, totalMerged, .75) return checker.MakeProportionalResult(CheckCITests, totalTested, totalMerged, .75)
} }
// PR has a status marked 'success' and a CI-related context. // PR has a status marked 'success' and a CI-related context.
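Review bot: Folding `CheckCITests` and `success` into the `ciSystemState` const block shifts the enum values, because `iota` counts every spec in the block: as the new side reads, `unknown` is now 2 rather than 0, so the zero value of `ciSystemState` no longer means `unknown`. The code visible here assigns `usedSystem := unknown` explicitly, so nothing shown breaks, but a zero-initialised `ciSystemState` would silently match none of the states. I would keep the two string constants in their own `const (...)` block and leave the enum block starting with `unknown ciSystemState = iota`, which also keeps the "States for which CI system is in use" comment next to the values it describes. The page prints old and new text side by side without markers, so this reading of the new block should be confirmed against the file.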


@ -23,11 +23,12 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const ciiBestPracticesStr = "CII-Best-Practices" // CheckCIIBestPractices is the registered name for CIIBestPractices.
const CheckCIIBestPractices = "CII-Best-Practices"
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(ciiBestPracticesStr, CIIBestPractices) registerCheck(CheckCIIBestPractices, CIIBestPractices)
} }
type response struct { type response struct {
@ -39,28 +40,28 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult {
url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURL) url := fmt.Sprintf("https://bestpractices.coreinfrastructure.org/projects.json?url=%s", repoURL)
req, err := http.NewRequestWithContext(c.Ctx, "GET", url, nil) req, err := http.NewRequestWithContext(c.Ctx, "GET", url, nil)
if err != nil { if err != nil {
return checker.MakeRetryResult(ciiBestPracticesStr, err) return checker.MakeRetryResult(CheckCIIBestPractices, err)
} }
resp, err := c.HTTPClient.Do(req) resp, err := c.HTTPClient.Do(req)
if err != nil { if err != nil {
return checker.MakeRetryResult(ciiBestPracticesStr, err) return checker.MakeRetryResult(CheckCIIBestPractices, err)
} }
defer resp.Body.Close() defer resp.Body.Close()
b, err := ioutil.ReadAll(resp.Body) b, err := ioutil.ReadAll(resp.Body)
if err != nil { if err != nil {
return checker.MakeRetryResult(ciiBestPracticesStr, err) return checker.MakeRetryResult(CheckCIIBestPractices, err)
} }
parsedResponse := []response{} parsedResponse := []response{}
if err := json.Unmarshal(b, &parsedResponse); err != nil { if err := json.Unmarshal(b, &parsedResponse); err != nil {
return checker.MakeRetryResult(ciiBestPracticesStr, err) return checker.MakeRetryResult(CheckCIIBestPractices, err)
} }
if len(parsedResponse) < 1 { if len(parsedResponse) < 1 {
c.Logf("no badge found") c.Logf("no badge found")
return checker.CheckResult{ return checker.CheckResult{
Name: ciiBestPracticesStr, Name: CheckCIIBestPractices,
Pass: false, Pass: false,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
@ -71,14 +72,14 @@ func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult {
if result.BadgeLevel != "" { if result.BadgeLevel != "" {
return checker.CheckResult{ return checker.CheckResult{
Name: ciiBestPracticesStr, Name: CheckCIIBestPractices,
Pass: true, Pass: true,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
} }
return checker.CheckResult{ return checker.CheckResult{
Name: ciiBestPracticesStr, Name: CheckCIIBestPractices,
Pass: false, Pass: false,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
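Review bot: `CIIBestPractices` decodes the response body without looking at `resp.StatusCode`, so a non-200 reply from bestpractices.coreinfrastructure.org (rate limit, error page) surfaces as a JSON error, or, if the body happens to parse as an empty array, as `Pass: false` with `checker.MaxResultConfidence`. Comparing `resp.StatusCode` with `http.StatusOK` before `ioutil.ReadAll`, and returning `checker.MakeRetryResult(CheckCIIBestPractices, err)` with an error that names the status, would keep the two cases apart. `repoURL` is formatted into the query string as-is; it is built outside the hunk, so whether it is already escaped cannot be seen here, but if it is not, escaping it with `QueryEscape` from `net/url` would stop owner and repository names from altering the query. The local variable named `url` would shadow that package and would need a different name.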


@ -23,14 +23,15 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const codeReviewStr = "Code-Review" // CheckCodeReview is the registered name for DoesCodeReview.
const CheckCodeReview = "Code-Review"
// ErrorNoReviews indicates no reviews were found for this repo. // ErrorNoReviews indicates no reviews were found for this repo.
var ErrorNoReviews = errors.New("no reviews found") var ErrorNoReviews = errors.New("no reviews found")
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(codeReviewStr, DoesCodeReview) registerCheck(CheckCodeReview, DoesCodeReview)
} }
// DoesCodeReview attempts to determine whether a project requires review before code gets merged. // DoesCodeReview attempts to determine whether a project requires review before code gets merged.
@ -53,7 +54,7 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult {
State: "closed", State: "closed",
}) })
if err != nil { if err != nil {
return checker.MakeInconclusiveResult(codeReviewStr, err) return checker.MakeInconclusiveResult(CheckCodeReview, err)
} }
totalMerged := 0 totalMerged := 0
@ -98,32 +99,32 @@ func GithubCodeReview(c *checker.CheckRequest) checker.CheckResult {
if totalReviewed > 0 { if totalReviewed > 0 {
c.Logf("github code reviews found") c.Logf("github code reviews found")
} }
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75) return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75)
} }
func IsPrReviewRequired(c *checker.CheckRequest) checker.CheckResult { func IsPrReviewRequired(c *checker.CheckRequest) checker.CheckResult {
// Look to see if review is enforced. // Look to see if review is enforced.
r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo) r, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
if err != nil { if err != nil {
return checker.MakeRetryResult(codeReviewStr, err) return checker.MakeRetryResult(CheckCodeReview, err)
} }
// Check the branch protection rules, we may not be able to get these though. // Check the branch protection rules, we may not be able to get these though.
bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch()) bp, _, err := c.Client.Repositories.GetBranchProtection(c.Ctx, c.Owner, c.Repo, r.GetDefaultBranch())
if err != nil { if err != nil {
return checker.MakeInconclusiveResult(codeReviewStr, err) return checker.MakeInconclusiveResult(CheckCodeReview, err)
} }
if bp.GetRequiredPullRequestReviews() != nil && if bp.GetRequiredPullRequestReviews() != nil &&
bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 { bp.GetRequiredPullRequestReviews().RequiredApprovingReviewCount >= 1 {
c.Logf("pr review policy enforced") c.Logf("pr review policy enforced")
const confidence = 5 const confidence = 5
return checker.CheckResult{ return checker.CheckResult{
Name: codeReviewStr, Name: CheckCodeReview,
Pass: true, Pass: true,
Confidence: confidence, Confidence: confidence,
} }
} }
return checker.MakeInconclusiveResult(codeReviewStr, nil) return checker.MakeInconclusiveResult(CheckCodeReview, nil)
} }
func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult { func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
@ -132,7 +133,7 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
State: "closed", State: "closed",
}) })
if err != nil { if err != nil {
return checker.MakeInconclusiveResult(codeReviewStr, err) return checker.MakeInconclusiveResult(CheckCodeReview, err)
} }
totalMerged := 0 totalMerged := 0
@ -151,16 +152,16 @@ func ProwCodeReview(c *checker.CheckRequest) checker.CheckResult {
} }
if totalReviewed == 0 { if totalReviewed == 0 {
return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews) return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews)
} }
c.Logf("prow code reviews found") c.Logf("prow code reviews found")
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, totalMerged, .75) return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, totalMerged, .75)
} }
func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult { func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult {
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(codeReviewStr, err) return checker.MakeRetryResult(CheckCodeReview, err)
} }
total := 0 total := 0
@ -191,8 +192,8 @@ func CommitMessageHints(c *checker.CheckRequest) checker.CheckResult {
} }
if totalReviewed == 0 { if totalReviewed == 0 {
return checker.MakeInconclusiveResult(codeReviewStr, ErrorNoReviews) return checker.MakeInconclusiveResult(CheckCodeReview, ErrorNoReviews)
} }
c.Logf("code reviews found") c.Logf("code reviews found")
return checker.MakeProportionalResult(codeReviewStr, totalReviewed, total, .75) return checker.MakeProportionalResult(CheckCodeReview, totalReviewed, total, .75)
} }


@ -25,18 +25,19 @@ import (
const ( const (
minContributionsPerUser = 5 minContributionsPerUser = 5
minOrganizationCount = 2 minOrganizationCount = 2
contributorsStr = "Contributors" // CheckContributors is the registered name for Contributors.
CheckContributors = "Contributors"
) )
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(contributorsStr, Contributors) registerCheck(CheckContributors, Contributors)
} }
func Contributors(c *checker.CheckRequest) checker.CheckResult { func Contributors(c *checker.CheckRequest) checker.CheckResult {
contribs, _, err := c.Client.Repositories.ListContributors(c.Ctx, c.Owner, c.Repo, &github.ListContributorsOptions{}) contribs, _, err := c.Client.Repositories.ListContributors(c.Ctx, c.Owner, c.Repo, &github.ListContributorsOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(contributorsStr, err) return checker.MakeRetryResult(CheckContributors, err)
} }
companies := map[string]struct{}{} companies := map[string]struct{}{}
@ -46,7 +47,7 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult {
} }
u, _, err := c.Client.Users.Get(c.Ctx, contrib.GetLogin()) u, _, err := c.Client.Users.Get(c.Ctx, contrib.GetLogin())
if err != nil { if err != nil {
return checker.MakeRetryResult(contributorsStr, err) return checker.MakeRetryResult(CheckContributors, err)
} }
orgs, _, err := c.Client.Organizations.List(c.Ctx, contrib.GetLogin(), nil) orgs, _, err := c.Client.Organizations.List(c.Ctx, contrib.GetLogin(), nil)
if err != nil { if err != nil {
@ -74,13 +75,13 @@ func Contributors(c *checker.CheckRequest) checker.CheckResult {
c.Logf("companies found: %v", strings.Join(names, ",")) c.Logf("companies found: %v", strings.Join(names, ","))
if len(companies) >= minOrganizationCount { if len(companies) >= minOrganizationCount {
return checker.CheckResult{ return checker.CheckResult{
Name: contributorsStr, Name: CheckContributors,
Pass: true, Pass: true,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
} }
return checker.CheckResult{ return checker.CheckResult{
Name: contributorsStr, Name: CheckContributors,
Pass: false, Pass: false,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }


@ -26,7 +26,8 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const frozenDepsStr = "Frozen-Deps" // CheckFrozenDeps is the registered name for FrozenDeps.
const CheckFrozenDeps = "Frozen-Deps"
// ErrInvalidDockerfile : Invalid docker file. // ErrInvalidDockerfile : Invalid docker file.
var ErrInvalidDockerfile = errors.New("invalid docker file") var ErrInvalidDockerfile = errors.New("invalid docker file")
@ -36,7 +37,7 @@ var ErrEmptyFile = errors.New("file has no content")
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(frozenDepsStr, FrozenDeps) registerCheck(CheckFrozenDeps, FrozenDeps)
} }
// FrozenDeps will check the repository if it contains frozen dependecies. // FrozenDeps will check the repository if it contains frozen dependecies.
@ -54,7 +55,7 @@ func FrozenDeps(c *checker.CheckRequest) checker.CheckResult {
// ======================== Dockerfiles ======================= // ======================== Dockerfiles =======================
// ============================================================. // ============================================================.
func isDockerfilePinned(c *checker.CheckRequest) checker.CheckResult { func isDockerfilePinned(c *checker.CheckRequest) checker.CheckResult {
return CheckFilesContent(frozenDepsStr, "*Dockerfile*", false, c, validateDockerfile) return CheckFilesContent(CheckFrozenDeps, "*Dockerfile*", false, c, validateDockerfile)
} }
func validateDockerfile(path string, content []byte, func validateDockerfile(path string, content []byte,
@ -141,7 +142,7 @@ func validateDockerfile(path string, content []byte,
// Check pinning of github actions in workflows. // Check pinning of github actions in workflows.
func isGitHubActionsWorkflowPinned(c *checker.CheckRequest) checker.CheckResult { func isGitHubActionsWorkflowPinned(c *checker.CheckRequest) checker.CheckResult {
return CheckFilesContent(frozenDepsStr, ".github/workflows/*", true, c, validateGitHubActionWorkflow) return CheckFilesContent(CheckFrozenDeps, ".github/workflows/*", true, c, validateGitHubActionWorkflow)
} }
// Check file content. // Check file content.
@ -199,7 +200,7 @@ func validateGitHubActionWorkflow(path string, content []byte, logf func(s strin
// Check presence of lock files thru validatePackageManagerFile(). // Check presence of lock files thru validatePackageManagerFile().
func isPackageManagerLockFilePresent(c *checker.CheckRequest) checker.CheckResult { func isPackageManagerLockFilePresent(c *checker.CheckRequest) checker.CheckResult {
return CheckIfFileExists(frozenDepsStr, c, validatePackageManagerFile) return CheckIfFileExists(CheckFrozenDeps, c, validatePackageManagerFile)
} }
// validatePackageManagerFile will validate the if frozen dependecies file name exists. // validatePackageManagerFile will validate the if frozen dependecies file name exists.


@ -22,11 +22,12 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const fuzzingStr = "Fuzzing" // CheckFuzzing is the registered name for Fuzzing.
const CheckFuzzing = "Fuzzing"
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(fuzzingStr, Fuzzing) registerCheck(CheckFuzzing, Fuzzing)
} }
func Fuzzing(c *checker.CheckRequest) checker.CheckResult { func Fuzzing(c *checker.CheckRequest) checker.CheckResult {
@ -34,20 +35,20 @@ func Fuzzing(c *checker.CheckRequest) checker.CheckResult {
searchString := url + " repo:google/oss-fuzz in:file filename:project.yaml" searchString := url + " repo:google/oss-fuzz in:file filename:project.yaml"
results, _, err := c.Client.Search.Code(c.Ctx, searchString, &github.SearchOptions{}) results, _, err := c.Client.Search.Code(c.Ctx, searchString, &github.SearchOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(fuzzingStr, err) return checker.MakeRetryResult(CheckFuzzing, err)
} }
if *results.Total > 0 { if *results.Total > 0 {
c.Logf("found project in OSS-Fuzz") c.Logf("found project in OSS-Fuzz")
return checker.CheckResult{ return checker.CheckResult{
Name: fuzzingStr, Name: CheckFuzzing,
Pass: true, Pass: true,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
} }
return checker.CheckResult{ return checker.CheckResult{
Name: fuzzingStr, Name: CheckFuzzing,
Pass: false, Pass: false,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }


@ -24,25 +24,26 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const packagingStr = "Packaging" // CheckPackaging is the registered name for Packaging.
const CheckPackaging = "Packaging"
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(packagingStr, Packaging) registerCheck(CheckPackaging, Packaging)
} }
func Packaging(c *checker.CheckRequest) checker.CheckResult { func Packaging(c *checker.CheckRequest) checker.CheckResult {
_, dc, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, ".github/workflows", _, dc, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, ".github/workflows",
&github.RepositoryContentGetOptions{}) &github.RepositoryContentGetOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(packagingStr, err) return checker.MakeRetryResult(CheckPackaging, err)
} }
for _, f := range dc { for _, f := range dc {
fp := f.GetPath() fp := f.GetPath()
fo, _, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{}) fo, _, _, err := c.Client.Repositories.GetContents(c.Ctx, c.Owner, c.Repo, fp, &github.RepositoryContentGetOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(packagingStr, err) return checker.MakeRetryResult(CheckPackaging, err)
} }
if fo == nil { if fo == nil {
// path is a directory, not a file. skip. // path is a directory, not a file. skip.
@ -50,7 +51,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
} }
fc, err := fo.GetContent() fc, err := fo.GetContent()
if err != nil { if err != nil {
return checker.MakeRetryResult(packagingStr, err) return checker.MakeRetryResult(CheckPackaging, err)
} }
if !isPackagingWorkflow(fc, fp, c) { if !isPackagingWorkflow(fc, fp, c) {
@ -62,12 +63,12 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
Status: "success", Status: "success",
}) })
if err != nil { if err != nil {
return checker.MakeRetryResult(packagingStr, err) return checker.MakeRetryResult(CheckPackaging, err)
} }
if *runs.TotalCount > 0 { if *runs.TotalCount > 0 {
c.Logf("found a completed run: %s", runs.WorkflowRuns[0].GetHTMLURL()) c.Logf("found a completed run: %s", runs.WorkflowRuns[0].GetHTMLURL())
return checker.CheckResult{ return checker.CheckResult{
Name: packagingStr, Name: CheckPackaging,
Pass: true, Pass: true,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }
@ -76,7 +77,7 @@ func Packaging(c *checker.CheckRequest) checker.CheckResult {
} }
return checker.CheckResult{ return checker.CheckResult{
Name: packagingStr, Name: CheckPackaging,
Pass: false, Pass: false,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }


@ -22,17 +22,18 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const pullRequestsStr = "Pull-Requests" // CheckPullRequests is the registered name for PullRequests.
const CheckPullRequests = "Pull-Requests"
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(pullRequestsStr, PullRequests) registerCheck(CheckPullRequests, PullRequests)
} }
func PullRequests(c *checker.CheckRequest) checker.CheckResult { func PullRequests(c *checker.CheckRequest) checker.CheckResult {
commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{}) commits, _, err := c.Client.Repositories.ListCommits(c.Ctx, c.Owner, c.Repo, &github.CommitsListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(pullRequestsStr, err) return checker.MakeRetryResult(CheckPullRequests, err)
} }
total := 0 total := 0
@ -64,7 +65,7 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult {
prs, _, err := c.Client.PullRequests.ListPullRequestsWithCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA(), prs, _, err := c.Client.PullRequests.ListPullRequestsWithCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA(),
&github.PullRequestListOptions{}) &github.PullRequestListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(pullRequestsStr, err) return checker.MakeRetryResult(CheckPullRequests, err)
} }
if len(prs) > 0 { if len(prs) > 0 {
totalWithPrs++ totalWithPrs++
@ -74,5 +75,5 @@ func PullRequests(c *checker.CheckRequest) checker.CheckResult {
} }
} }
c.Logf("found PRs for %d out of %d commits", totalWithPrs, total) c.Logf("found PRs for %d out of %d commits", totalWithPrs, total)
return checker.MakeProportionalResult(pullRequestsStr, totalWithPrs, total, .75) return checker.MakeProportionalResult(CheckPullRequests, totalWithPrs, total, .75)
} }


@ -22,7 +22,8 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const sastStr = "SAST" // CheckSAST is the registered name for SAST.
const CheckSAST = "SAST"
var ( var (
sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true} sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true}
@ -34,7 +35,7 @@ var (
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(sastStr, SAST) registerCheck(CheckSAST, SAST)
} }
func SAST(c *checker.CheckRequest) checker.CheckResult { func SAST(c *checker.CheckRequest) checker.CheckResult {
@ -49,7 +50,7 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
State: "closed", State: "closed",
}) })
if err != nil { if err != nil {
return checker.MakeRetryResult(sastStr, err) return checker.MakeRetryResult(CheckSAST, err)
} }
totalMerged := 0 totalMerged := 0
@ -62,10 +63,10 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
crs, _, err := c.Client.Checks.ListCheckRunsForRef(c.Ctx, c.Owner, c.Repo, pr.GetHead().GetSHA(), crs, _, err := c.Client.Checks.ListCheckRunsForRef(c.Ctx, c.Owner, c.Repo, pr.GetHead().GetSHA(),
&github.ListCheckRunsOptions{}) &github.ListCheckRunsOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(sastStr, err) return checker.MakeRetryResult(CheckSAST, err)
} }
if crs == nil { if crs == nil {
return checker.MakeInconclusiveResult(sastStr, ErrorNoChecks) return checker.MakeInconclusiveResult(CheckSAST, ErrorNoChecks)
} }
for _, cr := range crs.CheckRuns { for _, cr := range crs.CheckRuns {
if cr.GetStatus() != "completed" { if cr.GetStatus() != "completed" {
@ -82,16 +83,16 @@ func SASTToolInCheckRuns(c *checker.CheckRequest) checker.CheckResult {
} }
} }
if totalTested == 0 { if totalTested == 0 {
return checker.MakeInconclusiveResult(sastStr, ErrorNoMerges) return checker.MakeInconclusiveResult(CheckSAST, ErrorNoMerges)
} }
return checker.MakeProportionalResult(sastStr, totalTested, totalMerged, .75) return checker.MakeProportionalResult(CheckSAST, totalTested, totalMerged, .75)
} }
func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult { func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult {
searchQuery := ("github/codeql-action path:/.github/workflows repo:" + c.Owner + "/" + c.Repo) searchQuery := ("github/codeql-action path:/.github/workflows repo:" + c.Owner + "/" + c.Repo)
results, _, err := c.Client.Search.Code(c.Ctx, searchQuery, &github.SearchOptions{}) results, _, err := c.Client.Search.Code(c.Ctx, searchQuery, &github.SearchOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(sastStr, err) return checker.MakeRetryResult(CheckSAST, err)
} }
for _, result := range results.CodeResults { for _, result := range results.CodeResults {
@ -99,7 +100,7 @@ func CodeQLInCheckDefinitions(c *checker.CheckRequest) checker.CheckResult {
} }
return checker.CheckResult{ return checker.CheckResult{
Name: sastStr, Name: CheckSAST,
Pass: *results.Total > 0, Pass: *results.Total > 0,
Confidence: checker.MaxResultConfidence, Confidence: checker.MaxResultConfidence,
} }


@ -20,11 +20,12 @@ import (
"github.com/ossf/scorecard/checker" "github.com/ossf/scorecard/checker"
) )
const securityPolicyStr = "Security-Policy" // CheckSecurityPolicy is the registred name for SecurityPolicy.
const CheckSecurityPolicy = "Security-Policy"
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(securityPolicyStr, SecurityPolicy) registerCheck(CheckSecurityPolicy, SecurityPolicy)
} }
func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult { func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
@ -36,7 +37,7 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
} }
return false, nil return false, nil
} }
result := CheckIfFileExists(securityPolicyStr, c, onFile) result := CheckIfFileExists(CheckSecurityPolicy, c, onFile)
if result.Pass { if result.Pass {
return result return result
@ -54,5 +55,5 @@ func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult {
} }
return false, nil return false, nil
} }
return CheckIfFileExists(securityPolicyStr, dotGitHub, onFile) return CheckIfFileExists(CheckSecurityPolicy, dotGitHub, onFile)
} }
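Review bot: The doc comment added for the exported constant misspells "registered" as `registred`, unlike the matching comments on the other check-name constants in this commit. Because the constant is now exported, the comment is part of the package's public documentation and should read `// CheckSecurityPolicy is the registered name for SecurityPolicy.`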


@ -24,7 +24,8 @@ import (
) )
const ( const (
signedReleasesStr = "Signed-Releases" // CheckSignedReleases is the registered name for SignedReleases.
CheckSignedReleases = "Signed-Releases"
releaseLookBackDays = 5 releaseLookBackDays = 5
) )
@ -33,13 +34,13 @@ var ErrorNoReleases = errors.New("no releases found")
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(signedReleasesStr, SignedReleases) registerCheck(CheckSignedReleases, SignedReleases)
} }
func SignedReleases(c *checker.CheckRequest) checker.CheckResult { func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
releases, _, err := c.Client.Repositories.ListReleases(c.Ctx, c.Owner, c.Repo, &github.ListOptions{}) releases, _, err := c.Client.Repositories.ListReleases(c.Ctx, c.Owner, c.Repo, &github.ListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(signedReleasesStr, err) return checker.MakeRetryResult(CheckSignedReleases, err)
} }
artifactExtensions := []string{".asc", ".minisig", ".sig"} artifactExtensions := []string{".asc", ".minisig", ".sig"}
@ -49,7 +50,7 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
for _, r := range releases { for _, r := range releases {
assets, _, err := c.Client.Repositories.ListReleaseAssets(c.Ctx, c.Owner, c.Repo, r.GetID(), &github.ListOptions{}) assets, _, err := c.Client.Repositories.ListReleaseAssets(c.Ctx, c.Owner, c.Repo, r.GetID(), &github.ListOptions{})
if err != nil { if err != nil {
return checker.MakeRetryResult(signedReleasesStr, err) return checker.MakeRetryResult(CheckSignedReleases, err)
} }
if len(assets) == 0 { if len(assets) == 0 {
continue continue
@ -80,9 +81,9 @@ func SignedReleases(c *checker.CheckRequest) checker.CheckResult {
if totalReleases == 0 { if totalReleases == 0 {
c.Logf("no releases found") c.Logf("no releases found")
return checker.MakeInconclusiveResult(signedReleasesStr, ErrorNoReleases) return checker.MakeInconclusiveResult(CheckSignedReleases, ErrorNoReleases)
} }
c.Logf("found signed artifacts for %d out of %d releases", totalSigned, totalReleases) c.Logf("found signed artifacts for %d out of %d releases", totalSigned, totalReleases)
return checker.MakeProportionalResult(signedReleasesStr, totalSigned, totalReleases, 0.8) return checker.MakeProportionalResult(CheckSignedReleases, totalSigned, totalReleases, 0.8)
} }


@ -23,8 +23,9 @@ import (
) )
const ( const (
signedTagsStr = "Signed-Tags" // CheckSignedTags is the registered name for SignedTags.
tagLookBack = 5 CheckSignedTags = "Signed-Tags"
tagLookBack = 5
) )
// ErrorNoTags indicates no tags were found for this repo. // ErrorNoTags indicates no tags were found for this repo.
@ -32,7 +33,7 @@ var ErrorNoTags = errors.New("no tags found")
//nolint:gochecknoinits //nolint:gochecknoinits
func init() { func init() {
registerCheck(signedTagsStr, SignedTags) registerCheck(CheckSignedTags, SignedTags)
} }
func SignedTags(c *checker.CheckRequest) checker.CheckResult { func SignedTags(c *checker.CheckRequest) checker.CheckResult {
@ -57,7 +58,7 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult {
} }
if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil { if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil {
return checker.MakeRetryResult(signedTagsStr, err) return checker.MakeRetryResult(CheckSignedTags, err)
} }
totalTags := 0 totalTags := 0
totalSigned := 0 totalSigned := 0
@ -79,9 +80,9 @@ func SignedTags(c *checker.CheckRequest) checker.CheckResult {
if totalTags == 0 { if totalTags == 0 {
c.Logf("no tags found") c.Logf("no tags found")
return checker.MakeInconclusiveResult(signedTagsStr, ErrorNoTags) return checker.MakeInconclusiveResult(CheckSignedTags, ErrorNoTags)
} }
c.Logf("found %d out of %d verified tags", totalSigned, totalTags) c.Logf("found %d out of %d verified tags", totalSigned, totalTags)
return checker.MakeProportionalResult(signedTagsStr, totalSigned, totalTags, 0.8) return checker.MakeProportionalResult(CheckSignedTags, totalSigned, totalTags, 0.8)
} }


@ -106,6 +106,14 @@ func main() {
githubClient := github.NewClient(httpClient) githubClient := github.NewClient(httpClient)
graphClient := githubv4.NewClient(httpClient) graphClient := githubv4.NewClient(httpClient)
checksToRun := checks.AllChecks
//nolint
// FIXME :- deleting branch-protection
// The branch protection check needs an admin access to the repository.
// All of the checks from cron would fail and uses another call to the API.
// This will reduce usage of the API.
delete(checksToRun, checks.CheckBranchProtection)
exporter, err := startMetricsExporter() exporter, err := startMetricsExporter()
if err != nil { if err != nil {
panic(err) panic(err)
@ -124,14 +132,7 @@ func main() {
panic(err) panic(err)
} }
//nolint repoResult := pkg.RunScorecards(ctx, repoURL, checksToRun, httpClient, githubClient, graphClient)
// FIXME :- deleting branch-protection
// The branch protection check needs an admin access to the repository.
// All of the checks from cron would fail and uses another call to the API.
// This will reduce usage of the API.
delete(checks.AllChecks, "Branch-Protection")
repoResult := pkg.RunScorecards(ctx, repoURL, checks.AllChecks, httpClient, githubClient, graphClient)
repoResult.Date = currTime.Format("2006-01-02") repoResult.Date = currTime.Format("2006-01-02")
if err := repoResult.AsJSON( /*showDetails=*/ true, result); err != nil { if err := repoResult.AsJSON( /*showDetails=*/ true, result); err != nil {
panic(err) panic(err)
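Review bot: `checksToRun := checks.AllChecks` copies only the map header, so the `delete(checksToRun, checks.CheckBranchProtection)` that follows still removes the entry from the package-level `checks.AllChecks` for the whole process, even though the local name reads like a private copy. Any other code in this binary that consults `checks.AllChecks` afterwards will silently run without Branch-Protection, which is a security-relevant check to lose unnoticed. Build a separate map instead, for example `checksToRun := make(checker.CheckNameToFnMap, len(checks.AllChecks))` filled by a loop that skips `checks.CheckBranchProtection` (the type name is taken from the other cron file in this commit; confirm the `checker` package is imported here). The same aliasing is introduced in the second cron `main()` further down, and `main` itself continues outside these hunks.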


@ -26,6 +26,7 @@ import (
"github.com/shurcooL/githubv4" "github.com/shurcooL/githubv4"
"go.uber.org/zap" "go.uber.org/zap"
"github.com/ossf/scorecard/checker"
"github.com/ossf/scorecard/checks" "github.com/ossf/scorecard/checks"
"github.com/ossf/scorecard/cron/config" "github.com/ossf/scorecard/cron/config"
"github.com/ossf/scorecard/cron/data" "github.com/ossf/scorecard/cron/data"
@ -36,16 +37,8 @@ import (
) )
func processRequest(ctx context.Context, func processRequest(ctx context.Context,
batchRequest *data.ScorecardBatchRequest, bucketURL string, batchRequest *data.ScorecardBatchRequest, checksToRun checker.CheckNameToFnMap, bucketURL string,
httpClient *http.Client, githubClient *github.Client, graphClient *githubv4.Client) error { httpClient *http.Client, githubClient *github.Client, graphClient *githubv4.Client) error {
checksToRun := checks.AllChecks
// nolint
// FIXME :- deleting branch-protection
// The branch protection check needs an admin access to the repository.
// All of the checks from cron would fail and uses another call to the API.
// This will reduce usage of the API.
delete(checksToRun, "Branch-Protection")
repoURLs := make([]repos.RepoURL, 0, len(batchRequest.GetRepos())) repoURLs := make([]repos.RepoURL, 0, len(batchRequest.GetRepos()))
for _, repo := range batchRequest.GetRepos() { for _, repo := range batchRequest.GetRepos() {
repoURL := repos.RepoURL{} repoURL := repos.RepoURL{}
@ -129,6 +122,14 @@ func main() {
httpClient, githubClient, graphClient, logger := createNetClients(ctx) httpClient, githubClient, graphClient, logger := createNetClients(ctx)
checksToRun := checks.AllChecks
// nolint
// FIXME :- deleting branch-protection
// The branch protection check needs an admin access to the repository.
// All of the checks from cron would fail and uses another call to the API.
// This will reduce usage of the API.
delete(checksToRun, checks.CheckBranchProtection)
for { for {
req, err := subscriber.SynchronousPull() req, err := subscriber.SynchronousPull()
if err != nil { if err != nil {
@ -139,7 +140,7 @@ func main() {
log.Print("subscription returned nil message during Receive, exiting") log.Print("subscription returned nil message during Receive, exiting")
break break
} }
if err := processRequest(ctx, req, bucketURL, httpClient, githubClient, graphClient); err != nil { if err := processRequest(ctx, req, checksToRun, bucketURL, httpClient, githubClient, graphClient); err != nil {
panic(err) panic(err)
} }
// nolint: errcheck // flushes buffer // nolint: errcheck // flushes buffer