remove sonatype lift (#3605)

Signed-off-by: Spencer Schrock <sschrock@google.com>

checks/dependency_update_tool_test.go

@@ -77,7 +77,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: 111111111}}},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 		{
@@ -89,7 +89,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			SearchCommits:     []clients.Commit{},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 

checks/evaluation/dependency_update_tool.go

@@ -21,7 +21,6 @@ import (
 	"github.com/ossf/scorecard/v4/probes/toolDependabotInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolPyUpInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolRenovateInstalled"
-	"github.com/ossf/scorecard/v4/probes/toolSonatypeLiftInstalled"
 )
 
 // DependencyUpdateTool applies the score policy and logs the details
@@ -33,7 +32,6 @@ func DependencyUpdateTool(name string,
 		toolDependabotInstalled.Probe,
 		toolPyUpInstalled.Probe,
 		toolRenovateInstalled.Probe,
-		toolSonatypeLiftInstalled.Probe,
 	}
 	if !finding.UniqueProbesEqual(findings, expectedProbes) {
 		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")

checks/evaluation/dependency_update_tool_test.go

@@ -46,10 +46,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolRenovateInstalled",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "toolSonatypeLiftInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 			},
 			result: scut.TestReturn{
 				Score:        checker.MaxResultScore,
@@ -71,10 +67,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolRenovateInstalled",
 					Outcome: finding.OutcomePositive,
 				},
-				{
-					Probe:   "toolSonatypeLiftInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 			},
 			result: scut.TestReturn{
 				Score:        checker.MaxResultScore,
@@ -96,39 +88,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolRenovateInstalled",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "toolSonatypeLiftInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
-			},
-			result: scut.TestReturn{
-				Score:        checker.MaxResultScore,
-				NumberOfInfo: 1,
-			},
-		},
-		{
-			name: "sonatype",
-			findings: []finding.Finding{
-				{
-					Probe:   "toolDependabotInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "toolPyUpInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "toolRenovateInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "toolSonatypeLiftInstalled",
-					Outcome: finding.OutcomePositive,
-				},
-				{
-					Probe:   "toolRenovateInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 			},
 			result: scut.TestReturn{
 				Score:        checker.MaxResultScore,
@@ -150,14 +109,10 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolPyUpInstalled",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "toolSonatypeLiftInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 			},
 			result: scut.TestReturn{
 				Score:        checker.MinResultScore,
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 		{
@@ -171,10 +126,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolPyUpInstalled",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "toolSonatypeInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 			},
 			result: scut.TestReturn{
 				Score: checker.InconclusiveResultScore,
@@ -196,10 +147,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Probe:   "toolPyUpInstalled",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "toolSonatypeInstalled",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "toolInvalidProbeName",
 					Outcome: finding.OutcomeNegative,

checks/raw/dependency_update_tool.go

@@ -113,19 +113,6 @@ var checkDependencyFileExists fileparser.DoWhileTrueOnFilename = func(name strin
 				},
 			},
 		})
-	case ".lift.toml", ".lift/config.toml":
-		*ptools = append(*ptools, checker.Tool{
-			Name: "Sonatype Lift",
-			URL:  asPointer("https://lift.sonatype.com"),
-			Desc: asPointer("Automated dependency updates. Multi-platform and multi-language."),
-			Files: []checker.File{
-				{
-					Path:   name,
-					Type:   finding.FileTypeSource,
-					Offset: checker.OffsetDefault,
-				},
-			},
-		})
 	}
 
 	// Continue iterating, even if we have found a tool.

checks/raw/dependency_update_tool_test.go

@@ -27,7 +27,6 @@ import (
 func Test_checkDependencyFileExists(t *testing.T) {
 	t.Parallel()
 
-	//nolint
 	tests := []struct {
 		name    string
 		path    string
@@ -97,13 +96,13 @@ func Test_checkDependencyFileExists(t *testing.T) {
 		{
 			name:    ".lift.toml",
 			path:    ".lift.toml",
-			want:    true,
+			want:    false, // support removed
 			wantErr: false,
 		},
 		{
 			name:    ".lift/config.toml",
 			path:    ".lift/config.toml",
-			want:    true,
+			want:    false, // support removed
 			wantErr: false,
 		},
 	}

docs/checks.md

@@ -310,7 +310,6 @@ This check tries to determine if the project uses a dependency update tool,
 specifically one of:
 - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
 - [Renovate bot](https://docs.renovatebot.com/configuration-options/)
-- [Sonatype Lift](https://help.sonatype.com/lift/getting-started)
 - [PyUp](https://docs.pyup.io/docs) (Python)
 Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
 These tools automate the process of updating dependencies by scanning for

docs/checks/internal/checks.yaml

@@ -60,7 +60,6 @@ checks:
       specifically one of:
       - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
       - [Renovate bot](https://docs.renovatebot.com/configuration-options/)
-      - [Sonatype Lift](https://help.sonatype.com/lift/getting-started)
       - [PyUp](https://docs.pyup.io/docs) (Python)
       Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
       These tools automate the process of updating dependencies by scanning for

probes/entries.go

@@ -42,7 +42,6 @@ import (
 	"github.com/ossf/scorecard/v4/probes/toolDependabotInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolPyUpInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolRenovateInstalled"
-	"github.com/ossf/scorecard/v4/probes/toolSonatypeLiftInstalled"
 )
 
 // ProbeImpl is the implementation of a probe.
@@ -65,7 +64,6 @@ var (
 		toolRenovateInstalled.Run,
 		toolDependabotInstalled.Run,
 		toolPyUpInstalled.Run,
-		toolSonatypeLiftInstalled.Run,
 	}
 	Fuzzing = []ProbeImpl{
 		fuzzedWithOSSFuzz.Run,

probes/toolSonatypeLiftInstalled/def.yml

@@ -1,32 +0,0 @@
-# Copyright 2023 OpenSSF Scorecard Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-id: toolSonatypeLiftInstalled
-short: Check that Sonatype Lyft is installed.
-motivation: >
-  Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
-  Sonatype Lyft automates the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found.
-implementation: >
-  The implementation looks for the presence of files named ".lift.toml" or ".lift/config.toml".
-  If none of these files are found, Sonatype Lyft is not installed.
-  NOTE: the implementation does not ensure that Sonatype Lyft is run or that Sonatype Lyft's pull requests are merged.
-outcome:
-  - If Sonatype Lyft is installed, the probe returns OutcomePositive (1) for each configuration.
-  - If Sonatype Lyft is not installed, the probe returns OutcomeNegative (0).
-remediation:
-  effort: Low
-  text:
-    - Follow the instructions from https://help.sonatype.com/lift/getting-started.
-  markdown:
-    - Follow the instructions from [the official documentation](https://help.sonatype.com/lift/getting-started).

probes/toolSonatypeLiftInstalled/impl.go

@@ -1,58 +0,0 @@
-// Copyright 2023 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// nolint:stylecheck
-package toolSonatypeLiftInstalled
-
-import (
-	"embed"
-	"fmt"
-
-	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/finding"
-	tls "github.com/ossf/scorecard/v4/probes/internal/utils/tools"
-	"github.com/ossf/scorecard/v4/probes/internal/utils/uerror"
-)
-
-//go:embed *.yml
-var fs embed.FS
-
-const Probe = "toolSonatypeLiftInstalled"
-
-type sonatypeLyft struct{}
-
-func (t sonatypeLyft) Name() string {
-	return "Sonatype Lift"
-}
-
-func (t sonatypeLyft) Matches(tool *checker.Tool) bool {
-	return t.Name() == tool.Name
-}
-
-func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
-	if raw == nil {
-		return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil)
-	}
-	tools := raw.DependencyUpdateToolResults.Tools
-	var matcher sonatypeLyft
-	// Check whether Sona Lyft tool is installed on the repo,
-	// and create the corresponding findings.
-	//nolint:wrapcheck
-	return tls.Run(tools, fs, Probe,
-		// Tool found will generate a positive result.
-		finding.OutcomePositive,
-		// Tool not found will generate a negative result.
-		finding.OutcomeNegative,
-		matcher)
-}

probes/toolSonatypeLiftInstalled/impl_test.go

@@ -1,126 +0,0 @@
-// Copyright 2023 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// nolint:stylecheck
-package toolSonatypeLiftInstalled
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
-
-	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/internal/utils/uerror"
-)
-
-func Test_Run(t *testing.T) {
-	t.Parallel()
-	// nolint:govet
-	tests := []struct {
-		name     string
-		raw      *checker.RawResults
-		outcomes []finding.Outcome
-		err      error
-	}{
-		{
-			name: "tool present",
-			raw: &checker.RawResults{
-				DependencyUpdateToolResults: checker.DependencyUpdateToolData{
-					Tools: []checker.Tool{
-						{
-							Name: "Sonatype Lift",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomePositive,
-			},
-		},
-		{
-			name: "multiple correct tools",
-			raw: &checker.RawResults{
-				DependencyUpdateToolResults: checker.DependencyUpdateToolData{
-					Tools: []checker.Tool{
-						{
-							Name: "Sonatype Lift",
-						},
-						{
-							Name: "Sonatype Lift",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomePositive,
-				finding.OutcomePositive,
-			},
-		},
-		{
-			name: "different tool name",
-			raw: &checker.RawResults{
-				DependencyUpdateToolResults: checker.DependencyUpdateToolData{
-					Tools: []checker.Tool{
-						{
-							Name: "not-Sonatype Lift",
-						},
-					},
-				},
-			},
-			outcomes: []finding.Outcome{
-				finding.OutcomeNegative,
-			},
-		},
-		{
-			name: "empty results",
-			raw:  &checker.RawResults{},
-			outcomes: []finding.Outcome{
-				finding.OutcomeNegative,
-			},
-		},
-		{
-			name: "nil raw",
-			err:  uerror.ErrNil,
-		},
-	}
-	for _, tt := range tests {
-		tt := tt // Re-initializing variable so it is not changed while executing the closure below
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			findings, s, err := Run(tt.raw)
-			if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) {
-				t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors()))
-			}
-			if err != nil {
-				return
-			}
-			if diff := cmp.Diff(Probe, s); diff != "" {
-				t.Errorf("mismatch (-want +got):\n%s", diff)
-			}
-			if diff := cmp.Diff(len(tt.outcomes), len(findings)); diff != "" {
-				t.Errorf("mismatch (-want +got):\n%s", diff)
-			}
-			for i := range tt.outcomes {
-				outcome := &tt.outcomes[i]
-				f := &findings[i]
-				if diff := cmp.Diff(*outcome, f.Outcome); diff != "" {
-					t.Errorf("mismatch (-want +got):\n%s", diff)
-				}
-			}
-		})
-	}
-}