* Sbom check MVP Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * PR suggestion fixes Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * fix line length Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * update gitlab client to check 20 latest pipelines in default branch Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * correct issues Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * add unit tests for sbom client code Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * probe name alignment, updated evaluation tests Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * consolidate probes, reuse available data sources Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * add autogen doc update Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * address PR comments, remove CI/CD check code Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * update unit tests Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * fix linting errors Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * revert unnecessary changes, correct check documentation Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * address PR comments Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * move release lookback to data collection side Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> --------- Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
// Copyright 2024 OpenSSF Scorecard Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package checks
|
|
|
|
import (
|
|
"os"
|
|
|
|
"github.com/ossf/scorecard/v5/checker"
|
|
"github.com/ossf/scorecard/v5/checks/evaluation"
|
|
"github.com/ossf/scorecard/v5/checks/raw"
|
|
sce "github.com/ossf/scorecard/v5/errors"
|
|
"github.com/ossf/scorecard/v5/probes"
|
|
"github.com/ossf/scorecard/v5/probes/zrunner"
|
|
)
|
|
|
|
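// CheckSBOM is the registered name of the SBOM check. It is the key used
// when the check is registered in init and the name reported in its results.
const CheckSBOM = "SBOM"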
|
|
|
|
//nolint:gochecknoinits
func init() {
	// Register the SBOM check at package load. A registration failure cannot
	// be handled at runtime, so it aborts initialization instead.
	err := registerCheck(CheckSBOM, SBOM, nil)
	if err != nil {
		panic(err)
	}
}
|
|
|
|
// SBOM runs the SBOM check.
//
// The check is experimental: it only runs when the SCORECARD_EXPERIMENTAL
// environment variable is present (its value is not inspected). When it is
// absent, a warning is logged and a runtime-error result wrapping
// sce.ErrUnsupportedCheck is returned. Otherwise the raw SBOM data is
// collected, the SBOM probes are run against it, and the evaluated result is
// returned with the probe findings attached.
func SBOM(c *checker.CheckRequest) checker.CheckResult {
	const disabledMsg = "SCORECARD_EXPERIMENTAL is not set, not running the SBOM check"

	if _, enabled := os.LookupEnv("SCORECARD_EXPERIMENTAL"); !enabled {
		c.Dlogger.Warn(&checker.LogMessage{Text: disabledMsg})
		return checker.CreateRuntimeErrorResult(
			CheckSBOM,
			sce.WithMessage(sce.ErrUnsupportedCheck, disabledMsg),
		)
	}

	// Collect the raw data; a collection failure is surfaced as an internal
	// scorecard error rather than as a check score.
	sbomData, err := raw.SBOM(c)
	if err != nil {
		return checker.CreateRuntimeErrorResult(
			CheckSBOM,
			sce.WithMessage(sce.ErrScorecardInternal, err.Error()),
		)
	}

	// Attach the raw results so the probes can read them.
	rawResults := getRawResults(c)
	rawResults.SBOMResults = sbomData

	// Run the SBOM probes over the collected data.
	findings, err := zrunner.Run(rawResults, probes.SBOM)
	if err != nil {
		return checker.CreateRuntimeErrorResult(
			CheckSBOM,
			sce.WithMessage(sce.ErrScorecardInternal, err.Error()),
		)
	}

	result := evaluation.SBOM(CheckSBOM, findings, c.Dlogger)
	result.Findings = findings
	return result
}
|