mirror of
https://github.com/ossf/scorecard.git
synced 2024-11-05 05:17:00 +03:00
Abhishek Arya
GitHub
commit
f6fab3abcd
27
README.md
27
README.md
@ -16,6 +16,7 @@ The program only requires one argument to run, the name of the repo:
|
||||
```shell
|
||||
$ go build
|
||||
$ ./scorecard --repo=github.com/kubernetes/kubernetes
|
||||
Starting [Active]
|
||||
Starting [CI-Tests]
|
||||
Starting [CII-Best-Practices]
|
||||
Starting [Code-Review]
|
||||
@ -27,28 +28,30 @@ Starting [Security-Policy]
|
||||
Starting [Signed-Releases]
|
||||
Starting [Signed-Tags]
|
||||
Finished [Fuzzing]
|
||||
Finished [CII-Best-Practices]
|
||||
Finished [Frozen-Deps]
|
||||
Finished [CII-Best-Practices]
|
||||
Finished [Security-Policy]
|
||||
Finished [Contributors]
|
||||
Finished [Signed-Releases]
|
||||
Finished [Signed-Tags]
|
||||
Finished [CI-Tests]
|
||||
Finished [Code-Review]
|
||||
Finished [Active]
|
||||
Finished [Pull-Requests]
|
||||
|
||||
RESULTS
|
||||
-------
|
||||
CI-Tests pass 10
|
||||
CII-Best-Practices pass 10
|
||||
Code-Review pass 10
|
||||
Contributors pass 10
|
||||
Frozen-Deps pass 10
|
||||
Fuzzing pass 10
|
||||
Pull-Requests pass 9
|
||||
Security-Policy pass 10
|
||||
Signed-Releases fail 10
|
||||
Signed-Tags fail 5
|
||||
Active: Pass 10
|
||||
CI-Tests: Pass 10
|
||||
CII-Best-Practices: Pass 10
|
||||
Code-Review: Pass 10
|
||||
Contributors: Pass 10
|
||||
Frozen-Deps: Pass 10
|
||||
Fuzzing: Pass 10
|
||||
Pull-Requests: Pass 10
|
||||
Security-Policy: Pass 10
|
||||
Signed-Releases: Fail 10
|
||||
Signed-Tags: Fail 5
|
||||
```
|
||||
|
||||
It is recommended to use an OAuth token to avoid rate limits.
|
||||
@ -91,7 +94,7 @@ and then create a new GitHub Issue.
|
||||
|
||||
## Results
|
||||
|
||||
Each check returns a pass/fail decision, as well as a confidence score between 0 and 10.
|
||||
Each check returns a Pass/Fail decision, as well as a confidence score between 0 and 10.
|
||||
A confidence of 0 should indicate the check was unable to achieve any real signal, and the result
|
||||
should be ignored.
|
||||
A confidence of 10 indicates the check is completely sure of the result.
|
||||
|
||||
@ -27,7 +27,7 @@ func PeriodicCommits(c checker.Checker) checker.CheckResult {
|
||||
}
|
||||
|
||||
tz, _ := time.LoadLocation("UTC")
|
||||
threshold := time.Now().In(tz).AddDate(0, 0, -1 * lookbackDays)
|
||||
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays)
|
||||
totalCommits := 0
|
||||
for _, commit := range commits {
|
||||
commitFull, _, err := c.Client.Git.GetCommit(c.Ctx, c.Owner, c.Repo, commit.GetSHA())
|
||||
@ -52,7 +52,7 @@ func PeriodicReleases(c checker.Checker) checker.CheckResult {
|
||||
}
|
||||
|
||||
tz, _ := time.LoadLocation("UTC")
|
||||
threshold := time.Now().In(tz).AddDate(0, 0, -1 * lookbackDays)
|
||||
threshold := time.Now().In(tz).AddDate(0, 0, -1*lookbackDays)
|
||||
totalReleases := 0
|
||||
for _, r := range releases {
|
||||
if r.GetCreatedAt().After(threshold) {
|
||||
@ -65,6 +65,3 @@ func PeriodicReleases(c checker.Checker) checker.CheckResult {
|
||||
Confidence: 10,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
@ -66,7 +66,7 @@ func FrozenDeps(c checker.Checker) checker.CheckResult {
|
||||
case "package-lock.json":
|
||||
c.Logf("nodejs packages found: %s", name)
|
||||
return passResult
|
||||
case "requirements.txt":
|
||||
case "requirements.txt", "pipfile.lock":
|
||||
c.Logf("python requirements found: %s", name)
|
||||
return passResult
|
||||
case "gemfile.lock":
|
||||
|
||||
@ -3,6 +3,7 @@ package cmd
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"regexp"
|
||||
"strings"
|
||||
)
|
||||
|
||||
@ -19,6 +20,8 @@ func (r *repoFlag) Type() string {
|
||||
}
|
||||
|
||||
func (r *repoFlag) Set(s string) error {
|
||||
rgx, _ := regexp.Compile("^https?://")
|
||||
s = rgx.ReplaceAllString(s, "")
|
||||
split := strings.SplitN(s, "/", 3)
|
||||
if len(split) != 3 {
|
||||
log.Fatalf("invalid repo flag: [%s], pass the full repository URL", s)
|
||||
|
||||
12
cmd/root.go
12
cmd/root.go
@ -27,9 +27,9 @@ var (
|
||||
)
|
||||
|
||||
var rootCmd = &cobra.Command{
|
||||
Use: "scorecard",
|
||||
Short: "Security scorecards!",
|
||||
Long: `A scorecard program!`,
|
||||
Use: "./scorecard --repo=<repo_url> [--checks=check1,...]",
|
||||
Short: "Open Source Scorecards",
|
||||
Long: "A program that shows scorecard for an open source software.",
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
cfg := zap.NewProductionConfig()
|
||||
cfg.Level.SetLevel(*logLevel)
|
||||
@ -99,7 +99,7 @@ var rootCmd = &cobra.Command{
|
||||
fmt.Println("RESULTS")
|
||||
fmt.Println("-------")
|
||||
for _, r := range results {
|
||||
fmt.Println(r.name, displayResult(r.cr.Pass), r.cr.Confidence)
|
||||
fmt.Println(r.name+":", displayResult(r.cr.Pass), r.cr.Confidence)
|
||||
}
|
||||
},
|
||||
}
|
||||
@ -130,9 +130,9 @@ func stringInListOrEmpty(s string, list []string) bool {
|
||||
|
||||
func displayResult(result bool) string {
|
||||
if result {
|
||||
return "pass"
|
||||
return "Pass"
|
||||
} else {
|
||||
return "fail"
|
||||
return "Fail"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user