Only run allowed checks in different modes
azeemsgoogle committed Feb 3, 2022
1 parent 4581c36 commit 88d840a
Showing 25 changed files with 116 additions and 305 deletions.
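--- a/checker/check_request.go
+++ b/checker/check_request.go
@@ -30,5 +30,34 @@ type CheckRequest struct {
 Repo clients.Repo
 VulnerabilitiesClient clients.VulnerabilitiesClient
 // UPGRADEv6: return raw results instead of scores.
-RawResults *RawResults
+RawResults *RawResults
+RequiredTypes []RequestType
 }
+
+// RequestType identifies special requirements/attributes that need to be supported by checks.
+type RequestType int
+
+const (
+// FileBased request types require checks to run solely on file-content.
+FileBased RequestType = iota
+)
+
+// ListUnsupported returns []RequestType not in `supported` and are `required`.
+func ListUnsupported(required, supported []RequestType) []RequestType {
+var ret []RequestType
+for _, t := range required {
+if !contains(supported, t) {
+ret = append(ret, t)
+}
+}
+return ret
+}
+
+func contains(in []RequestType, exists RequestType) bool {
+for _, r := range in {
+if r == exists {
+return true
+}
+}
+return false
+}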
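Review bot: RequestType is a plain int with no String method, yet Runner.Run in this same commit formats the result of ListUnsupported with fmt.Sprint, so the runtime error a user sees will read something like `requiredType: [0] not supported by check ...` rather than naming the type. A String method on RequestType, sketched below, keeps that message readable and covers any future values added to the const block. The new RequiredTypes field also lacks a doc comment; `// RequiredTypes lists the request types a check must support; Runner.Run refuses to run a check that does not support all of them.` states the contract the runner enforces. The ListUnsupported comment reads awkwardly and would be clearer as `// ListUnsupported returns the entries of required that are absent from supported.`
```go
// String returns a readable name for t so error messages built with fmt
// do not print a bare integer.
func (t RequestType) String() string {
	switch t {
	case FileBased:
		return "FileBased"
	default:
		return "Unknown"
	}
}
```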
22 changes: 18 additions & 4 deletions checker/check_runner.go
Expand Up @@ -31,16 +31,22 @@ const checkRetries = 3

// Runner runs a check with retries.
type Runner struct {
CheckRequest CheckRequest
CheckName string
Repo string
CheckRequest CheckRequest
}

// CheckFn defined for convenience.
type CheckFn func(*CheckRequest) CheckResult

// Check defines a Scorecard check fn and its supported request types.
type Check struct {
Fn CheckFn
SupportedRequestTypes []RequestType
}

// CheckNameToFnMap defined here for convenience.
type CheckNameToFnMap map[string]CheckFn
type CheckNameToFnMap map[string]Check

func logStats(ctx context.Context, startTime time.Time, result *CheckResult) error {
runTimeInSecs := time.Now().Unix() - startTime.Unix()
Expand All @@ -57,7 +63,15 @@ func logStats(ctx context.Context, startTime time.Time, result *CheckResult) err
}

// Run runs a given check.
func (r *Runner) Run(ctx context.Context, f CheckFn) CheckResult {
func (r *Runner) Run(ctx context.Context, c Check) CheckResult {
// Sanity check.
unsupported := ListUnsupported(r.CheckRequest.RequiredTypes, c.SupportedRequestTypes)
if len(unsupported) != 0 {
return CreateRuntimeErrorResult(r.CheckName,
sce.WithMessage(sce.ErrorUnsupportedCheck,
fmt.Sprintf("requiredType: %s not supported by check %s", fmt.Sprint(unsupported), r.CheckName)))
}

ctx, err := tag.New(ctx, tag.Upsert(stats.CheckName, r.CheckName))
if err != nil {
panic(err)
Expand All @@ -71,7 +85,7 @@ func (r *Runner) Run(ctx context.Context, f CheckFn) CheckResult {
checkRequest.Ctx = ctx
l = logger{}
checkRequest.Dlogger = &l
res = f(&checkRequest)
res = c.Fn(&checkRequest)
if res.Error2 != nil && errors.Is(res.Error2, sce.ErrRepoUnreachable) {
checkRequest.Dlogger.Warn("%v", res.Error2)
continue
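Review bot: The Sprintf in the new sanity check inside Run formats with `%s` an argument that is already a string from `fmt.Sprint(unsupported)`; the double formatting is unnecessary and, with RequestType being an int, the message prints a bare number such as `[0]`. `fmt.Sprintf("requiredType: %v not supported by check %s", unsupported, r.CheckName)` does the same in one step and would pick up a String method on RequestType if one is added. The early return sits before the `tag.New` call, so a rejected check is presumably never recorded through logStats; confirm that is intended, since the rest of Run and the logStats body lie outside the hunk. `// Sanity check.` says little about what is being checked; `// Refuse to run a check that cannot serve every RequestType the request demands.` does. The reorder of the Runner fields (CheckRequest moved last) is not explained anywhere in the commit.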
7 changes: 5 additions & 2 deletions checks/all_checks.go
Expand Up @@ -22,13 +22,16 @@ import (
// AllChecks is the list of all security checks that will be run.
var AllChecks = checker.CheckNameToFnMap{}

func registerCheck(name string, fn checker.CheckFn) error {
func registerCheck(name string, fn checker.CheckFn, supportedRequestTypes []checker.RequestType) error {
if name == "" {
return errInternalNameCannotBeEmpty
}
if fn == nil {
return errInternalCheckFuncCannotBeNil
}
AllChecks[name] = fn
AllChecks[name] = checker.Check{
Fn: fn,
SupportedRequestTypes: supportedRequestTypes,
}
return nil
}
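Review bot: registerCheck gains a supportedRequestTypes parameter but no doc comment says what a nil value means, and most registrations in this commit pass nil. Given ListUnsupported in checker/check_request.go, a nil slice means the check is rejected whenever the request carries any RequiredTypes, which is a meaningful default worth stating. A comment above the function such as `// registerCheck adds fn to AllChecks under name. supportedRequestTypes lists the RequestTypes the check can serve; nil means the check runs only for requests that require no RequestType.` would make that explicit. The stored slice is kept by reference, which is fine for the literal slices used here but worth a one-line note if callers ever reuse a shared slice.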
2 changes: 1 addition & 1 deletion checks/all_checks_test.go
Expand Up @@ -62,7 +62,7 @@ func Test_registerCheck(t *testing.T) {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
if err := registerCheck(tt.args.name, tt.args.fn); (err != nil) != tt.wanterr {
if err := registerCheck(tt.args.name, tt.args.fn, nil /*supportedRequestTypes*/); (err != nil) != tt.wanterr {
t.Errorf("registerCheck() error = %v, wantErr %v", err, tt.wanterr)
}
})
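Review bot: The updated call in Test_registerCheck passes nil for supportedRequestTypes and only checks the error outcome, so nothing verifies that the slice is actually stored in AllChecks[name].SupportedRequestTypes. Adding a case that registers with `[]checker.RequestType{checker.FileBased}` and asserts on the stored Check would cover the new behaviour; the table's arg struct is outside the hunk, so it presumably needs a new field for that. The enclosing test function starts and ends outside the hunk.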
5 changes: 4 additions & 1 deletion checks/binary_artifact.go
Expand Up @@ -26,7 +26,10 @@ const CheckBinaryArtifacts string = "Binary-Artifacts"

//nolint
func init() {
if err := registerCheck(CheckBinaryArtifacts, BinaryArtifacts); err != nil {
var supportedRequestTypes = []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckBinaryArtifacts, BinaryArtifacts, supportedRequestTypes); err != nil {
// this should never happen
panic(err)
}
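Review bot: The new local in this init is declared with `var supportedRequestTypes = ...` while the equivalent lines in dangerous_workflow.go, license.go, permissions.go, pinned_dependencies.go and security_policy.go use `:=`; dependency_update_tool.go has the same `var` form. Inside a function the short declaration is the idiomatic form, and a single line `supportedRequestTypes := []checker.RequestType{checker.FileBased}` keeps all registrations uniform and easier to scan. The bare `//nolint` above init is pre-existing but now suppresses every linter for a larger body; `//nolint:gochecknoinits` as in the sibling files is narrower.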
8 changes: 3 additions & 5 deletions checks/branch_protection.go
Expand Up @@ -21,14 +21,12 @@ import (
sce "github.com/ossf/scorecard/v4/errors"
)

const (
// CheckBranchProtection is the exported name for Branch-Protected check.
CheckBranchProtection = "Branch-Protection"
)
// CheckBranchProtection is the exported name for Branch-Protected check.
const CheckBranchProtection = "Branch-Protection"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckBranchProtection, BranchProtection); err != nil {
if err := registerCheck(CheckBranchProtection, BranchProtection, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/ci_tests.go
Expand Up @@ -31,7 +31,7 @@ const (

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckCITests, CITests); err != nil {
if err := registerCheck(CheckCITests, CITests, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/cii_best_practices.go
Expand Up @@ -32,7 +32,7 @@ const (

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckCIIBestPractices, CIIBestPractices); err != nil {
if err := registerCheck(CheckCIIBestPractices, CIIBestPractices, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/code_review.go
Expand Up @@ -26,7 +26,7 @@ const CheckCodeReview = "Code-Review"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckCodeReview, CodeReview); err != nil {
if err := registerCheck(CheckCodeReview, CodeReview, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/contributors.go
Expand Up @@ -31,7 +31,7 @@ const (

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckContributors, Contributors); err != nil {
if err := registerCheck(CheckContributors, Contributors, nil); err != nil {
// this should never happen
panic(err)
}
5 changes: 4 additions & 1 deletion checks/dangerous_workflow.go
Expand Up @@ -59,7 +59,10 @@ func containsUntrustedContextPattern(variable string) bool {

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckDangerousWorkflow, DangerousWorkflow); err != nil {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckDangerousWorkflow, DangerousWorkflow, supportedRequestTypes); err != nil {
// this should never happen
panic(err)
}
5 changes: 4 additions & 1 deletion checks/dependency_update_tool.go
Expand Up @@ -26,7 +26,10 @@ const CheckDependencyUpdateTool = "Dependency-Update-Tool"

//nolint
func init() {
if err := registerCheck(CheckDependencyUpdateTool, DependencyUpdateTool); err != nil {
var supportedRequestTypes = []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckDependencyUpdateTool, DependencyUpdateTool, supportedRequestTypes); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/fuzzing.go
Expand Up @@ -28,7 +28,7 @@ const CheckFuzzing = "Fuzzing"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckFuzzing, Fuzzing); err != nil {
if err := registerCheck(CheckFuzzing, Fuzzing, nil); err != nil {
// this should never happen
panic(err)
}
5 changes: 4 additions & 1 deletion checks/license.go
Expand Up @@ -35,7 +35,10 @@ const CheckLicense = "License"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckLicense, LicenseCheck); err != nil {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckLicense, LicenseCheck, supportedRequestTypes); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/maintained.go
Expand Up @@ -33,7 +33,7 @@ const (

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckMaintained, IsMaintained); err != nil {
if err := registerCheck(CheckMaintained, IsMaintained, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/packaging.go
Expand Up @@ -31,7 +31,7 @@ const CheckPackaging = "Packaging"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckPackaging, Packaging); err != nil {
if err := registerCheck(CheckPackaging, Packaging, nil); err != nil {
// this should never happen
panic(err)
}
5 changes: 4 additions & 1 deletion checks/permissions.go
Expand Up @@ -53,7 +53,10 @@ var permissionsOfInterest = []permission{

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckTokenPermissions, TokenPermissions); err != nil {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckTokenPermissions, TokenPermissions, supportedRequestTypes); err != nil {
// This should never happen.
panic(err)
}
5 changes: 4 additions & 1 deletion checks/pinned_dependencies.go
Expand Up @@ -39,7 +39,10 @@ type worklowPinningResult struct {

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckPinnedDependencies, PinnedDependencies); err != nil {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckPinnedDependencies, PinnedDependencies, supportedRequestTypes); err != nil {
// This should never happen.
panic(err)
}
2 changes: 1 addition & 1 deletion checks/sast.go
Expand Up @@ -31,7 +31,7 @@ var allowedConclusions = map[string]bool{"success": true, "neutral": true}

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckSAST, SAST); err != nil {
if err := registerCheck(CheckSAST, SAST, nil); err != nil {
// This should never happen.
panic(err)
}
5 changes: 4 additions & 1 deletion checks/security_policy.go
Expand Up @@ -26,7 +26,10 @@ const CheckSecurityPolicy = "Security-Policy"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckSecurityPolicy, SecurityPolicy); err != nil {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
}
if err := registerCheck(CheckSecurityPolicy, SecurityPolicy, supportedRequestTypes); err != nil {
// This should never happen.
panic(err)
}
2 changes: 1 addition & 1 deletion checks/signed_releases.go
Expand Up @@ -32,7 +32,7 @@ var artifactExtensions = []string{".asc", ".minisig", ".sig", ".sign"}

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckSignedReleases, SignedReleases); err != nil {
if err := registerCheck(CheckSignedReleases, SignedReleases, nil); err != nil {
// this should never happen
panic(err)
}
2 changes: 1 addition & 1 deletion checks/vulnerabilities.go
Expand Up @@ -26,7 +26,7 @@ const CheckVulnerabilities = "Vulnerabilities"

//nolint:gochecknoinits
func init() {
if err := registerCheck(CheckVulnerabilities, Vulnerabilities); err != nil {
if err := registerCheck(CheckVulnerabilities, Vulnerabilities, nil); err != nil {
// this should never happen
panic(err)
}
