* Added check for permissive licenses
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Regenerated docs and added more permissive licenses to check
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Added e2e tests
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Corrected copyright dates and missing newlines
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Corrected copyright dates
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Adjustments after review
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Added file location in case a permissive license was found and adjusted tests
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Removed code for check, adjusted probe code to be invocated independently
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* add remediate on outcome detail
Signed-off-by: Spencer Schrock <sschrock@google.com>
* avoid memory aliasing
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
Signed-off-by: Felix Hoeborn <98820380+fhoeborn@users.noreply.github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
* polish some probe yaml definitions
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update references to probe naming and outcomes
now that #3654 is addressed, the naming restrictions can be relaxed.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* merge probe and finding packages
No one interacts with the probes directly,
and having them in the same package helps with follow up commits
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add extra field to indicate the outcome a probe should show remediation for
Signed-off-by: Spencer Schrock <sschrock@google.com>
* start all probes with remediate on 'False'
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make OutcomeTrue bad for hasOSVVulnerabilities
Signed-off-by: Spencer Schrock <sschrock@google.com>
* nest outcome trigger under remediation in yaml
Signed-off-by: Spencer Schrock <sschrock@google.com>
* invert outcomes for dangerous workflow probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notArchived probe to archived
with the swap, the true outcome is now the bad outcome.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notCreatedRecently probe to createRecently
with the rename, the true outcome is now bad
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch binary artifact probes so detecting binaries is a true outcome
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease the linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* dont export probe type
we can always make it public again later
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add func to log single finding at caller specified level.
This may not be the final form, we may support want to support
passing a map of probe+outcome to level mappings.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch dependency update tool check off LogFindings
For now, we only use one probe so logging is simple.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch fuzzing check off LogFindings
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch packaging check off LogFindings
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch security policy check off LogFindings
This changes the logging of an error state, but it's not one we expect to see.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch signed releases off LogFindings
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch license check off LogFindings
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch vuln check off LogFindings
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch maintained check off logfindings and delete it
Signed-off-by: Spencer Schrock <sschrock@google.com>
* dont log lack of commit or issue activity
scdiff caught a lot of new details being generated.
So going to try removing them
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert outcome constants to strings
Originally, these were introduced as ints to enable ordering between them.
Today, I don't see the value in doing that, and it makes the output less readable.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* explicitly mention negative outcome for some tests
previously, OutcomeNegative had the integer value of 0. So some tests
didnt specify the outcome and happened to pass due to the zero value.
This also fixes the tests names while I was here.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* match expected probe output with new string values
this change demonstrates the reason for this PR.
Human readable outcomes are good!
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* undo pat scope doc change
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add Go resources
some contributors may be unfamiliar with the language
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add findings to check results struct
these dont make it to the JSON output format as theyre
not copied to the jsonCheckResultV2 struct in AsJSON2()
Signed-off-by: Spencer Schrock <sschrock@google.com>
* populate CheckResult findings
It would be nice if the evaluation functions did this for us,
but would require changes to theCreate*ScoreResult functions.
It was simpler just to set it in one place at the check level.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* feature dco requirement more prominently
Signed-off-by: Spencer Schrock <sschrock@google.com>
* recommend merge commits to sync PR
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix make target table
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove references to old Go environment variables
GO111MODULE is no longer used as of Go 1.17.
GOPATH is still used for other purposes, but not in 'development mode'.
https://go.dev/wiki/GOPATH
Signed-off-by: Spencer Schrock <sschrock@google.com>
* misc minor clarifications
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove reference to errors from CONTRIBUTORS.md
I don't think this is one of the top things we should be displaying to someone
Signed-off-by: Spencer Schrock <sschrock@google.com>
* mention make in environment
Signed-off-by: Spencer Schrock <sschrock@google.com>
* no scopes needed for PATs
Signed-off-by: Spencer Schrock <sschrock@google.com>
* highlight other scorecard options
Signed-off-by: Spencer Schrock <sschrock@google.com>
* allow shell codeblocks to be pasted into a shell
the comment style was wrong and the $ was interpretted as a command.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch no dependencies to OutcomeNotApplicable
OutcomeNotApplicable is what we've been using for cases where there are no occurences of X.
Previously this outcome was used for this probe to handle some error cases, but
OutcomeError is currently being used. Existing callers were moved to OutcomeNotSupported.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* deduplicate location setting
checker.File.Location() is nil safe, so this should work when we have a location or not
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update outcome descriptions
Signed-off-by: Spencer Schrock <sschrock@google.com>
* simplify OutcomeNotSupported logging path
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add tests for no deps and processing errors
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add single probe for dependencyUpdateToolConfigured probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* delete individual update tool probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use new update tool probe in evaluation
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix dependency update tool tests
The old test names were unclear, and didn't cover all supported tools.
Additionally the warn count changed since there's only one probe now,
instead of 3.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify test name
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* delete hasLicenseFileAtTopDir probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* increase value of having a license
the old split was 6 for having a license and 3 for having it in the expected location
but 1.5 years later, and there is still no other way we detect it. So it was effectively
worth 9 points. This change makes it actually worth 9 points.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* simplify logging and scoring
Signed-off-by: Spencer Schrock <sschrock@google.com>
* ensure license findings have locations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update tests to reflect new logging
Signed-off-by: Spencer Schrock <sschrock@google.com>
* match existing detail better
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
This updates the version comments, adds some explanatory comments,
and generally makes it better. The intent is to use this file as an example
for the Scorecard Action repo so it remains up-to-date.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* 🌱 migrate token permission check to probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* combine seperate write-probes into two that combine them all
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change write probes to read and write
Signed-off-by: AdamKorcz <adam@adalogics.com>
* minor nit
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove WritaAll probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Merge read-perm probe with job/top probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* minor refactoring
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues and restructure code
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove hasGitHubWorkflowPermissionNone probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Remove 'hasGitHubWorkflowPermissionUndeclared' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bit of clean up
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce code complexity and remove comment
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify file location
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change probe text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* invert name of probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotApplicable -> OutcomeError
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* more OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of 'notAvailableOrNotApplicable'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comments to remediation fields
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add check for nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the permissionLocation finding value
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use raw metadata for remediation output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'branch' to 'defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused fields in rule Remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
* switch to helper func
done using a find/replace regex
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use constants for branch names
Signed-off-by: Spencer Schrock <sschrock@google.com>
* replace branch name with constants
Signed-off-by: Spencer Schrock <sschrock@google.com>
* handle findings with values needed
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use requiresApproversForPullRequests constants
Signed-off-by: Spencer Schrock <sschrock@google.com>
* shorter to just use main instead of a const
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use reader instead of contents
if the filename doesn't match we don't use the file content.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* compare bytes to avoid allocations
we don't save the line, just the offset.
using the bytes versions avoids allocating new strings
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
