scorecard

mirror of https://github.com/ossf/scorecard.git synced 2024-09-17 11:57:12 +03:00

Author	SHA1	Message	Date
AdamKorcz	ec36916c10	🌱 convert Webhook check to probes (#3522 ) * 🌱 convert Webhook check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * Add test + nits Signed-off-by: AdamKorcz <adam@adalogics.com> * replace probe with OutcomeNotApplicable Signed-off-by: AdamKorcz <adam@adalogics.com> * return one finding per webhook Signed-off-by: Adam Korczynski <adam@adalogics.com> * change wording in def.yml Signed-off-by: Adam Korczynski <adam@adalogics.com> * change wording in def.yml and checks.md Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unused struct in test Signed-off-by: Adam Korczynski <adam@adalogics.com> * align checks.md with checks.yaml Signed-off-by: Adam Korczynski <adam@adalogics.com> * bring back experimental for webhooks Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'token' to 'secret' in probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * use checker.MinResultScore instead of 0 Signed-off-by: Adam Korczynski <adam@adalogics.com> * Change test name Signed-off-by: Adam Korczynski <adam@adalogics.com> * use checker.MinResultScore instead of 0 Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix typo Signed-off-by: Adam Korczynski <adam@adalogics.com> * Use checker.MaxResultScore instead of 10 Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove the 'totalWebhooks' value from findings Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>	2023-12-05 18:59:42 +00:00
AdamKorcz	cb721a8526	🌱 convert binary artifact check to probe (#3508 ) * 🌱 convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>	2023-12-05 00:24:16 -08:00
AdamKorcz	9b5d762a7d	🌱 convert CII Best Practices check to probes (#3520 ) * 🌱 convert CII Best Practices check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'NOT' to 'not' Signed-off-by: AdamKorcz <adam@adalogics.com> * Change wording in probes Signed-off-by: AdamKorcz <adam@adalogics.com> * add links to text Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * Edit text in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * remove hasBadgeNotFound probe Signed-off-by: AdamKorcz <adam@adalogics.com> * remove 'that' from text Signed-off-by: AdamKorcz <adam@adalogics.com> * use CreateMinScoreResult instead of CreateResultWithScore Signed-off-by: AdamKorcz <adam@adalogics.com> * use MaxResultScore instead of maxScore Signed-off-by: AdamKorcz <adam@adalogics.com> * return CreateRuntimeErrorResult sooner rather than later Signed-off-by: AdamKorcz <adam@adalogics.com> * Combine probes into one Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove minScore variable Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove 'hasInProgressBadge' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * make badge levels global variables Signed-off-by: Adam Korczynski <adam@adalogics.com> * return -1 for unsupported badge Signed-off-by: Adam Korczynski <adam@adalogics.com> * change text for unknown and unsupported badges Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>	2023-11-28 12:02:26 -08:00
AdamKorcz	1c3d9eb6e7	🌱 Migrate Maintained check to probes (#3507 ) * 🌱 Migrate Maintained check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typos Signed-off-by: AdamKorcz <adam@adalogics.com> * rename 'archived' probe to 'notArchvied Signed-off-by: AdamKorcz <adam@adalogics.com> * remove part of comment Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * log negative findings Signed-off-by: AdamKorcz <adam@adalogics.com> * log non positive findings if repo was created less than 90 days ago Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe from 'activityOnIssuesByCollaboratorsMembersOrOwnersInLast90Days' to 'issueActivityByProjectMember' Signed-off-by: AdamKorcz <adam@adalogics.com> * change probe descriptions Signed-off-by: AdamKorcz <adam@adalogics.com> * rename 'wasCreatedInLast90Days' probe to 'notCreatedInLast90Days' Signed-off-by: AdamKorcz <adam@adalogics.com> * Add tests with zero issues Signed-off-by: AdamKorcz <adam@adalogics.com> * use values instead of returning multiple findings Signed-off-by: AdamKorcz <adam@adalogics.com> * return negative findings instead of non-positive Signed-off-by: AdamKorcz <adam@adalogics.com> * correct 'notCreatedInLast90Days' probe definition Signed-off-by: AdamKorcz <adam@adalogics.com> * make nested conditionals a single line Signed-off-by: AdamKorcz <adam@adalogics.com> * make nested conditionals a single line Signed-off-by: AdamKorcz <adam@adalogics.com> * change var name 'issuesUpdatedWithinThreshold' to 'numberOfIssuesUpdatedWithinThreshold' Signed-off-by: AdamKorcz <adam@adalogics.com> * rename 'notCreatedInLast90Days' to 'notCreatedRecently' Signed-off-by: AdamKorcz <adam@adalogics.com> * explain 'commitsWithinThreshold' in probe definition Signed-off-by: AdamKorcz <adam@adalogics.com> * rename 'commitsInLast90Days' to 'hasRecentCommits'" -s Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * define 'numberOfIssuesUpdatedWithinThreshold' Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-11-17 09:57:10 -08:00
DavidKorczynski	87c2d3c1da	⚠️ Remove OneFuzz from fuzzing checks (#3666 ) This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz Signed-off-by: David Korczynski <david@adalogics.com>	2023-11-13 10:35:29 -08:00
AdamKorcz	47e04c102a	🌱 Convert SAST check to probes (#3571 ) * Convert SAST checks to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * Update checks/evaluation/sast.go Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * preserve file info when logging positive Sonar findings Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> * Remove warning logging Signed-off-by: AdamKorcz <adam@adalogics.com> * add outcome and message to finding on the same line Signed-off-by: AdamKorcz <adam@adalogics.com> * codeql workflow -> codeql action Signed-off-by: AdamKorcz <adam@adalogics.com> * 'the Sonar' -> 'Sonar' in probe def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * Change how probe creates location Signed-off-by: AdamKorcz <adam@adalogics.com> * Change names of values Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'SAST tool detected: xx' to 'SAST tool installed: xx' Signed-off-by: AdamKorcz <adam@adalogics.com> * make text in probe def.yml easier to read Signed-off-by: AdamKorcz <adam@adalogics.com> * Change 'to' to 'two' Signed-off-by: AdamKorcz <adam@adalogics.com> * Minor change Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>	2023-11-07 08:41:44 -05:00
AdamKorcz	f422f692fe	🌱 Convert Dangerous Workflow check to probes (#3521 ) * 🌱 Convert Dangerous Workflow check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * remove hasAnyWorkflows probe Signed-off-by: AdamKorcz <adam@adalogics.com> * combine two conditionals into one Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve logging from original evaluation Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-11-06 21:43:03 +00:00
AdamKorcz	de022dacc4	🌱 convert vulnerabilities check to probe (#3487 ) * 🌱 convert vulnerabilities check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe + nits Signed-off-by: AdamKorcz <adam@adalogics.com> * edit def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Add vuln ID dynamically to def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Elaborate the purpose of test data in unit test Signed-off-by: AdamKorcz <adam@adalogics.com> * Move logging out of loop and change logic of negativeFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve number of vulns found in output Signed-off-by: AdamKorcz <adam@adalogics.com> * Preserve grouping of vulns Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * Add remediation data Signed-off-by: AdamKorcz <adam@adalogics.com> * use checker.LogFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-10-25 10:02:24 -07:00
Spencer Schrock	f2bbd0af62	remove sonatype lift (#3605 ) Signed-off-by: Spencer Schrock <sschrock@google.com>	2023-10-24 20:46:57 -04:00
AdamKorcz	ae75bbb70e	🌱 Add probe support for contributors metrics (#3460 ) * 🌱 Add probe support for contributors metrics Signed-off-by: AdamKorcz <adam@adalogics.com> * fix lint issues Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'contributorsWith' to 'contributorsFrom' Signed-off-by: AdamKorcz <adam@adalogics.com> * change remediation difficulty Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Updates to checks and checks/evaluation Signed-off-by: AdamKorcz <adam@adalogics.com> * fix tests like in #3409 Signed-off-by: AdamKorcz <adam@adalogics.com> * fix raw test Signed-off-by: AdamKorcz <adam@adalogics.com> * Update description in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * move logic out of utils Signed-off-by: AdamKorcz <adam@adalogics.com> * add comment to consolidate unit test validation Signed-off-by: AdamKorcz <adam@adalogics.com> * change a couple of t.Fatal to t.Error Signed-off-by: AdamKorcz <adam@adalogics.com> * un-remove comment Signed-off-by: AdamKorcz <adam@adalogics.com> * remove map Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * remove lint comment Signed-off-by: AdamKorcz <adam@adalogics.com> * fix incorrect -1/0 scoring Signed-off-by: AdamKorcz <adam@adalogics.com> * Do not specify 'Github' in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * do not mention 'which companies' in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Rename tests Signed-off-by: AdamKorcz <adam@adalogics.com> * Use getRawResults and uncomment logging statement Signed-off-by: AdamKorcz <adam@adalogics.com> * Define return values of probe better Signed-off-by: AdamKorcz <adam@adalogics.com> * Use proportional score instead of min score Signed-off-by: AdamKorcz <adam@adalogics.com> * revert changed scoring Signed-off-by: AdamKorcz <adam@adalogics.com> * fix incorrect function name Signed-off-by: AdamKorcz <adam@adalogics.com> * remove utility function that finds non-positive outcomes Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase with latest upstream main and fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * Log findings in one statements except a logging statements per finding Signed-off-by: AdamKorcz <adam@adalogics.com> * redefine conditional logic Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused function Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-10-24 14:02:18 -07:00
AdamKorcz	1aca1d9445	🌱 convert packaging check to probe (#3486 ) * 🌱 convert packaging check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * amend text in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Correct short description in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * log negative findings Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements Signed-off-by: AdamKorcz <adam@adalogics.com> * change score text Signed-off-by: AdamKorcz <adam@adalogics.com> * include file details. process all packaging workflows Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-10-24 19:12:05 +00:00
AdamKorcz	0e3a5233ae	🌱 Add license probe (#3465 ) * 🌱 Add license probe Signed-off-by: AdamKorcz <adam@adalogics.com> * [WIP] add two remaining license checks as probes Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Use Errorf in test Signed-off-by: AdamKorcz <adam@adalogics.com> * use zrunner Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong return value Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues and remove empty default Signed-off-by: AdamKorcz <adam@adalogics.com> * fix double if statement Signed-off-by: AdamKorcz <adam@adalogics.com> * Remove struct field from test Signed-off-by: AdamKorcz <adam@adalogics.com> * Add test for nil-case of license files slice Signed-off-by: AdamKorcz <adam@adalogics.com> * rewrite multiple def.ymls Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Add unit test with multiple unapproved license files Signed-off-by: AdamKorcz <adam@adalogics.com> * Add link to approved license formats Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting Signed-off-by: AdamKorcz <adam@adalogics.com> * remove comment Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve logging from original check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * remove redundant map manipulation Signed-off-by: AdamKorcz <adam@adalogics.com> * rename hasApproveLicense probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license Signed-off-by: AdamKorcz <adam@adalogics.com> * Include license file locations in log Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues Signed-off-by: AdamKorcz <adam@adalogics.com> * replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Fix linter issue Signed-off-by: AdamKorcz <adam@adalogics.com> * Include location of found license files Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-10-24 11:48:41 -07:00
DavidKorczynski	bd640f72e9	✨ Add additional fuzzing probes (#3473 ) * Extend with additional fuzzing probes Signed-off-by: David Korczynski <david@adalogics.com> * fix formatting Signed-off-by: David Korczynski <david@adalogics.com> * cleanup formatting Signed-off-by: David Korczynski <david@adalogics.com> * make skip testing optional Signed-off-by: David Korczynski <david@adalogics.com> * address reviews Signed-off-by: David Korczynski <david@adalogics.com> * add todo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * add swift fuzzing probe Signed-off-by: David Korczynski <david@adalogics.com> * avoid changing OnMatchingFileContentDo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * undo matching file content extension Signed-off-by: David Korczynski <david@adalogics.com> * nit: fix constant Signed-off-by: David Korczynski <david@adalogics.com> * test all fileMatchPatterns per client Signed-off-by: David Korczynski <david@adalogics.com> * fix test logging counts Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> --------- Signed-off-by: David Korczynski <david@adalogics.com>	2023-10-09 22:41:58 +00:00
laurentsimon	d177169ec2	✨ [experimental] Probe support for fuzzing check (#3230 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * comments Signed-off-by: laurentsimon <laurentsimon@google.com> * unit tests and linter Signed-off-by: laurentsimon <laurentsimon@google.com> * remove raw from check request in e2e tests Signed-off-by: laurentsimon <laurentsimon@google.com> * remove redundant finding check Signed-off-by: laurentsimon <laurentsimon@google.com> * typo Signed-off-by: laurentsimon <laurentsimon@google.com> * adress comments Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-21 17:50:20 +00:00
laurentsimon	a8b255a224	✨ [experimental] Probe support for security policy check (#3241 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * fix unit tests Signed-off-by: laurentsimon <laurentsimon@google.com> * comments Signed-off-by: laurentsimon <laurentsimon@google.com> * compilation fix Signed-off-by: laurentsimon <laurentsimon@google.com> * missing file Signed-off-by: laurentsimon <laurentsimon@google.com> * missing file Signed-off-by: laurentsimon <laurentsimon@google.com> * update reason string Signed-off-by: laurentsimon <laurentsimon@google.com> * typo Signed-off-by: laurentsimon <laurentsimon@google.com> * fix unit tests Signed-off-by: laurentsimon <laurentsimon@google.com> * typo Signed-off-by: laurentsimon <laurentsimon@google.com> * unit tests and linnter Signed-off-by: laurentsimon <laurentsimon@google.com> * comments Signed-off-by: laurentsimon <laurentsimon@google.com> * comments Signed-off-by: laurentsimon <laurentsimon@google.com> * missing file Signed-off-by: laurentsimon <laurentsimon@google.com> * unit tests for probes Signed-off-by: laurentsimon <laurentsimon@google.com> * linter Signed-off-by: laurentsimon <laurentsimon@google.com> * revert FileSize change Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-04 04:52:15 +00:00
laurentsimon	1a336d8087	✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-22 18:13:24 -07:00

16 Commits